Permission Sets

Use Permission Sets to assign sophisticated access policies to Stax users accessing your Stax-managed AWS accounts.

Article Tags
On This Page
AssignmentsKnown IssuesSee also

AWS best practices dictate that the principle of least privilege should be followed for permission assignment. What this means, in practice, is that users of AWS accounts should be granted privileges that allow them to perform only the required tasks.

Permission Sets in Stax allow for the granting of tailored levels of access for users logging in to Stax-managed AWS accounts. Each Permission Set consists of a policy document and a number of (zero or more) assignments. The policy document defines what someone utilizing the Permission Set can do, and the assignment defines who can utilize the Permission Set and where.

As of 1 July 2021, this feature is currently in Preview. Review Access Stax Preview Features for more information on what this means. See known issues below for details on current limitations.

A policy document is a JSON-formatted IAM Policy Document that is assigned to a Permission Set. It defines levels of access using combinations of actions, resources, and conditions. Refer to AWS's Identity-based policies definitions and examples to get started with writing policy documents. The Actions, resources, and condition keys for AWS services page provides comprehensive documentation for constructing IAM Policies.

Assignments

An assignment specifies how a Permission Set is able to be utilized. It specifies, for a given Permission Set, a Group of users, and an Account Type that those users can access using the Permission Set. A single Permission Set can have up to 50 assignments, allowing one set of permissions to be used for multiple group and Account Type combinations.

Get started by creating a Permission Set.

Known Issues

Permission Sets is currently in Preview. Review the list of known issues below. If you require further assistance, raise a support case.

  • When you create a new AWS account inside an Account Type or move an account to new Account Type, you must redeploy the Permission Set Assignment
  • If a Group or Account Type in use as part of a Permission Set Assignment is deleted, you will be unable to manage that Assignment and must raise a support case for assistance
  • There is no support for this feature in the Stax API or Python SDK at this time
  • There is limited surfacing of errors into the Stax console at this time

See also