Assignments
Assignments are the core of Prism's access management. An assignment links a permission set to a principal (user or group) on a specific AWS account. This three-way binding determines who can do what, and where.
Assignments List
The Assignments page is organized by AWS account. The top-level view shows a list of all onboarded AWS accounts.
Account List Columns
| Column | Description |
|---|---|
| AWS Accounts | The display name of the AWS account with its 12-digit AWS Account ID |
| Permission Sets Assigned | The number of permission sets currently assigned on this account |
Account Detail View
Clicking on an AWS account opens the detail view, which shows all assignments for that account.
| Column | Description |
|---|---|
| User/Group Name | The name of the user or group that has the assignment |
| Permission Set | The permission set assigned |
| Status | The current status of the assignment |
| Actions | Available actions (e.g., delete) |
Available Actions
| Action | Description | Link |
|---|---|---|
| Assign users or groups | Select one or more accounts and click + Assign, or click into an account and use Assign users or groups | Create Assignment |
| Remove access | Remove an assignment | Delete Assignment |
Assignment Types
Assignments come in two types based on the principal:
User Assignments
Assignments where the principal is an individual user. The user directly receives the permission set on the specified AWS account.
Group Assignments
Assignments where the principal is a group. All members of the group receive the permission set on the specified AWS account.
Group assignments are generally preferred over user assignments because they scale better. When a new user joins a team, simply adding them to the group gives them all the group's access.
How Assignments Work
The relationship between assignments and access:
Assignment = AWS Account + Principal (User or Group) + Permission Set
For example:
- Account: Production (123456789012)
- Principal: Engineering group
- Permission Set: ReadOnlyAccess
This means every user in the Engineering group gets ReadOnlyAccess on the Production account.
Create Assignment
Create a new assignment to grant a user or group access to an AWS account with a specific permission set. This is the final step in setting up AWS access through Prism.
Prerequisites
- At least one AWS account must be onboarded.
- At least one permission set must exist.
- The user or group you want to assign must already exist.
Step-by-Step Guide
There are two ways to create an assignment:
Option A: From the Assignments List (Multiple Accounts)
- Navigate to Admin Portal > Assignments from the sidebar.
- Select one or more AWS accounts using the checkboxes next to each account.
- Click the + Assign button that appears at the top of the page (shows the count of selected accounts).
- Select the users or groups and the permission sets to assign.
- Confirm the assignment. Assignments are eventually consistent and may take a few seconds to propagate.
Option B: From an Account Detail View (Single Account)
- Navigate to Admin Portal > Assignments from the sidebar.
- Click on an AWS account to open its detail view.
- Click the Assign users or groups button.
- Select the users or groups and the permission sets to assign.
- Confirm the assignment. Assignments are eventually consistent and may take a few seconds to propagate.
The combination of Account + Principal + Permission Set must be unique. You cannot create duplicate assignments for the same combination.
What Happens Next
After creating an assignment:
- The assignment is saved in Prism's database.
- The user (or group members) can log in to the AWS account with the permissions defined in the permission set. Assignments are eventually consistent and may take a few seconds to propagate.
If you need to give the same permission set to many users on the same account, create a group, add the users to the group, and create a single group assignment. This is more efficient and easier to maintain than multiple user assignments.
Example Scenarios
Developer Access to a Development Account
| Field | Value |
|---|---|
| Account | Development (111111111111) |
| Principal Type | Group |
| Principal | Engineering |
| Permission Set | PowerUserAccess |
Auditor Access Across Multiple Accounts
Create one assignment per account:
| Account | Principal Type | Principal | Permission Set |
|---|---|---|---|
| Production (222222222222) | User | auditor@company.com | SecurityAudit |
| Staging (333333333333) | User | auditor@company.com | SecurityAudit |
| Development (111111111111) | User | auditor@company.com | SecurityAudit |
Delete Assignment
Remove a permission set assignment to revoke a user's or group's access to an AWS account. Deleting an assignment removes the link between the principal, permission set, and AWS account.
Prerequisites
- The assignment you want to delete must already exist.
Step-by-Step Guide
- Navigate to Admin Portal > Assignments from the sidebar.
- Click on the AWS account that contains the assignment you want to delete.
- In the account detail view, select the assignment in the table.
- Click the Remove access button.
- A confirmation dialog will appear, asking you to confirm the deletion.
- Review the assignment details (principal, permission set, account) to ensure you are deleting the correct one.
- Click Confirm to proceed with the deletion, or Cancel to abort.
Deleting an assignment revokes access for the affected user or group members. If this is a group assignment, all members of the group will lose the associated access.
What Happens Next
After deleting an assignment:
- The assignment is removed from Prism's database.
- It disappears from the account's assignment list.
- The user (or group members) can no longer access the AWS account with the deleted permission set. Changes are eventually consistent and may take a few seconds to propagate.
Before deleting an assignment, verify that the affected users do not need continued access. If they need different permissions, create a new assignment with the appropriate permission set before deleting the old one.
User Assignments
User assignments are permission set assignments where the principal is an individual user. These grant direct access to a specific user on a specific AWS account with a specific permission set, independent of group membership.
Overview
User assignments provide direct, individual access to AWS accounts. Unlike group assignments, user assignments apply only to the named user and are not affected by group membership changes.
When to Use User Assignments
User assignments are appropriate when:
- A single user needs access that no one else on their team requires.
- Privileged access should be tightly controlled and not granted to an entire group.
- Auditing requirements demand that access be explicitly traceable to an individual.
For most scenarios, group assignments are preferred because they scale better and are easier to manage. Use user assignments only when there is a clear reason to grant access to a specific individual.
Viewing User Assignments
- Navigate to Admin Portal > Assignments from the sidebar.
- Click on an AWS account to view its assignments.
- User assignments are identified by the principal type displayed in the table. Look for entries where the principal is a user (as opposed to a group).
Deleting a user assignment removes that specific access path for the user. However, the user may still have access through group assignments if they belong to a group with a similar assignment.
Group Assignments
Group assignments are permission set assignments where the principal is a group. Every member of the group automatically receives the assigned permission set on the specified AWS account, making group assignments the recommended approach for managing access at scale.
Overview
Group assignments allow you to manage AWS access for entire teams at once. When a new user joins a group, they automatically inherit all the group's assignments. When a user leaves a group, they lose the group's access.
When to Use Group Assignments
Group assignments are recommended for:
- Team-based access -- Give an entire team the same permissions on an account.
- Scalable onboarding -- New team members get the right access by joining the right groups.
- Consistent access -- Ensure all team members have identical permissions.
- Easier maintenance -- Update access for many users by changing a single group assignment.
Group assignments are the preferred method for most access management scenarios. Design your groups around teams or job functions, and use group assignments to grant access.
Viewing Group Assignments
- Navigate to Admin Portal > Assignments from the sidebar.
- Click on an AWS account to view its assignments.
- Group assignments are identified by the principal type displayed in the table. Look for entries where the principal is a group.
Impact of Group Membership Changes
Group assignments are dynamic -- they are affected by group membership changes:
| Change | Effect |
|---|---|
| User added to group | User gains all group assignments |
| User removed from group | User loses all group assignments |
| Group deleted | All group assignments are revoked |
| New assignment added to group | All current group members gain the new access |
Deleting a group assignment affects all members of the group. Ensure no group members need the access before deleting. If only some members should lose access, remove those specific users from the group instead.
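The following is an added example, not Prism's own code: a hypothetical in-memory model of the assignment rules this page states (Assignment = AWS Account + Principal + Permission Set, the uniqueness rule from Create Assignment, the "user may still have access through a group" caveat from User Assignments, and the membership-change table above). The account IDs, group name and user addresses are constructed sample values mirroring the page's scenarios; the class and function names are assumptions made for this example. The point of interest for an administrator is `access_paths` and `redundant_user_assignments`: before deleting a user assignment to revoke access, they show whether a group assignment still grants the same access.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Literal

PrincipalType = Literal["USER", "GROUP"]


@dataclass(frozen=True)
class Assignment:
    """One assignment: AWS account + principal + permission set.

    frozen=True makes instances hashable, so a set enforces the rule that the
    Account + Principal + Permission Set combination must be unique."""
    account_id: str
    principal_type: PrincipalType
    principal: str
    permission_set: str


class AssignmentStore:
    """Hypothetical model of an assignment list plus group membership (not Prism's code)."""

    def __init__(self) -> None:
        self.assignments: set[Assignment] = set()
        self.group_members: dict[str, set[str]] = {}

    # --- group membership (drives the membership-change table) ---------------
    def add_member(self, group: str, user: str) -> None:
        self.group_members.setdefault(group, set()).add(user)

    def remove_member(self, group: str, user: str) -> None:
        self.group_members.get(group, set()).discard(user)

    def delete_group(self, group: str) -> None:
        # Deleting a group revokes every assignment whose principal is that group.
        self.group_members.pop(group, None)
        self.assignments = {
            a for a in self.assignments
            if not (a.principal_type == "GROUP" and a.principal == group)
        }

    # --- assignments -------------------------------------------------------
    def create(self, a: Assignment) -> None:
        if a in self.assignments:
            raise ValueError(f"duplicate assignment: {a}")
        self.assignments.add(a)

    def delete(self, a: Assignment) -> None:
        self.assignments.remove(a)

    # --- access resolution -------------------------------------------------
    def groups_of(self, user: str) -> set[str]:
        return {g for g, members in self.group_members.items() if user in members}

    def access_paths(self, user: str, account_id: str, permission_set: str) -> list[str]:
        """Every path by which `user` holds `permission_set` on `account_id`:
        'direct' for a user assignment, 'group:<name>' for each group assignment."""
        paths: list[str] = []
        for a in self.assignments:
            if a.account_id != account_id or a.permission_set != permission_set:
                continue
            if a.principal_type == "USER" and a.principal == user:
                paths.append("direct")
            elif a.principal_type == "GROUP" and a.principal in self.groups_of(user):
                paths.append(f"group:{a.principal}")
        return sorted(paths)

    def effective_access(self, user: str) -> set[tuple[str, str]]:
        """All (account_id, permission_set) pairs the user currently holds, via any path."""
        groups = self.groups_of(user)
        return {
            (a.account_id, a.permission_set)
            for a in self.assignments
            if (a.principal_type == "USER" and a.principal == user)
            or (a.principal_type == "GROUP" and a.principal in groups)
        }

    def redundant_user_assignments(self) -> list[Assignment]:
        """User assignments that duplicate access the user already gets through a group.
        Deleting one of these does not actually revoke the user's access."""
        return sorted(
            (a for a in self.assignments
             if a.principal_type == "USER"
             and any(p.startswith("group:") for p in
                     self.access_paths(a.principal, a.account_id, a.permission_set))),
            key=lambda a: (a.account_id, a.principal, a.permission_set),
        )


def build_sample_store() -> AssignmentStore:
    """Constructed sample data mirroring the page's scenarios."""
    s = AssignmentStore()
    s.add_member("Engineering", "alice@company.com")
    s.add_member("Engineering", "bob@company.com")
    s.create(Assignment("123456789012", "GROUP", "Engineering", "ReadOnlyAccess"))
    # A direct user assignment that overlaps the group assignment above.
    s.create(Assignment("123456789012", "USER", "alice@company.com", "ReadOnlyAccess"))
    # Auditor scenario: one user assignment per account.
    for acct in ("222222222222", "333333333333", "111111111111"):
        s.create(Assignment(acct, "USER", "auditor@company.com", "SecurityAudit"))
    return s


if __name__ == "__main__":
    store = build_sample_store()
    for a in store.redundant_user_assignments():
        print("redundant direct assignment:", a,
              "paths:", store.access_paths(a.principal, a.account_id, a.permission_set))
```

Running the module lists alice's direct ReadOnlyAccess assignment as redundant, because the Engineering group assignment already grants it; removing that user assignment, as the User Assignments section warns, leaves her access intact, while removing her from the group or deleting the group takes it away.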