Organisation Members

Organisation members are principals just like programmatic identities. When a user is added to your organisation, a trust is established from the organisation to the user. You control what they can do by configuring the trust policy on that trust. Access keys are credentials attached to programmatic identities. This page covers common patterns for scoping team member access.

When a user is added to your organisation they are immediately granted the Organisation User (Read Only) managed policy. You can update their trust policy at any time to expand or restrict their access.

Organisation owner protections

To prevent accidental lockout, a few actions against the organisation owner are always denied, regardless of policies:

• Removing the organisation owner from the organisation
• Modifying the organisation owner's trust policy

This means even a user with broad IAM permissions cannot strip the owner of their access or remove them.

Common examples

Read-only access to the organisation

Allow a team member to view databases, programmatic identities, their credentials, and organisation settings without being able to change anything.

Database administrator

Allow a team member to create, describe, and delete databases, without giving them access to IAM or organisation settings.

Credential manager

Allow a team member to create, update, and delete access key credentials, but not modify the parent programmatic identities' trust policies.

Full admin (except owner-level actions)

Grant a team member broad administrative access to all resources in the organisation. Combine a wildcard allow with a targeted deny to protect sensitive IAM actions.

Managing team members

To add a user to your organisation or update their trust policy, navigate to Organisation in the left sidebar and select the Members tab. From there you can add new members by user ID, view existing ones, and edit their policies.