Venn diagram of permissions in SageMaker Studio?

0

Is there any overlap of permissions between a space execution role and a user profile execution role, if those two are given different permissions? Does it behave the same as with service control policies (SCPs) and policies on IAM roles, where the overlap is what takes effect? For example, if the space execution role has an explicit deny (or even an implicit deny for that matter!) for CreateApp, but the user profile execution role has an explicit allow for CreateApp, then that user profile won't be able to CreateApp?

1 個回答
1
已接受的答案

Hi Yann, the user profile's execution role is what will be used within the context of the private app of the user profile. So, once a user hits Launch -> Studio or is redirected to Studio UI through SSO, the user's execution role will allow them to launch apps such as data science app, data wrangler app, etc.

The default space execution role is what is assumed by the user once they are in a shared space. So, once the user is in the UI by clicking Launch -> Spaces, the user cannot create apps to run notebooks in, within that space.

TL;DR - they are two distinct roles, each giving the user permissions on a private space or a shared space, and do not work like SCPs. Any user in the shared space within a domain, will share the same execution role as of today. However, for the private space, each user profile can have their own role if needed.

AWS
Durga_S
已回答 1 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南