Permission Errors
This page covers common permission and access problems in the Prism Admin Portal and related AWS access issues.
Cannot See Admin Features
Problem: After logging in to the Admin Portal, you cannot see features such as Users, Groups, Permission Sets, or Assignments in the navigation menu.
Cause: Your role does not include these features. Users, Groups, Permission Sets, and Assignments require the SSO Admin role (level 2), which has full access except admin management. The Viewer (level 0) and Approver (level 1) roles have limited access to the Admin Portal and do not see these menu items.
Solution:
- Check your current role with your organization's Prism administrator.
- If you need access to management features, ask your admin to promote your account:
  - The admin can change your role in Preferences > Admin Management.
  - You need at least the SSO Admin role (level 2) for full access excluding admin management.
  - The Admin (Super Admin) role (level 3) is required for admin management features such as identity providers, custom applications, SCIM, API tokens, and log export settings.
- Contact your administrator for a complete breakdown of which features each role can access.
Cannot Create Assignments
Problem: You are trying to create an assignment but the operation fails, or the expected permission sets or accounts do not appear in the dropdown.
Cause: Common causes are that the permission set was created recently and has not finished syncing to AWS IAM Identity Center, that the AWS account has not been onboarded into Prism, or that Prism and AWS IAM Identity Center disagree about the state of the permission set or account.
Solution:
- Verify the permission set exists in the Admin Portal under Permission Sets.
- Verify the AWS account is onboarded and visible under AWS Accounts.
- Changes sync automatically but are eventually consistent. Wait a few moments and try creating the assignment again.
- If the issue persists, check for error messages in Preferences > Replication that might indicate problems with the permission set or account in AWS.
Changes Not Reflected in AWS
Problem: You created or modified users, groups, permission sets, or assignments in the Admin Portal, but the changes do not appear in AWS IAM Identity Center or users cannot access the expected AWS accounts.
Cause: Changes sync automatically but are eventually consistent. It may take a few moments for changes to propagate to AWS.
Solution:
- Wait a few moments for the changes to propagate. Most changes sync within seconds.
- Verify the changes in AWS:
  - Users and groups should appear in AWS IAM Identity Center.
  - Permission sets should be provisioned to the correct accounts.
  - Assignments should be active.
- If changes are still not reflected after a few minutes, check Preferences > Replication for any sync errors and resolve the underlying issues.
"Account Has Active Assignments" on Delete
Problem: When trying to delete an AWS account from Prism, you receive an error stating that the account has active assignments.
Cause: Prism prevents deleting an account that still has assignments to avoid leaving orphaned permissions in AWS. All assignments for the account must be removed before it can be deleted.
Solution:
- Navigate to Assignments in the Admin Portal.
- Filter or search for assignments associated with the account you want to delete.
- Delete all assignments (both user assignments and group assignments) for that account.
- Return to AWS Accounts and delete the account.
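The two AWS-side checks above, confirming that a Prism assignment has replicated to IAM Identity Center and confirming that an account has no remaining assignments before you delete it in Prism, can both be scripted. The following is an added example for this page, not Prism or CloudKeeper code. It walks the real sso-admin APIs ListPermissionSetsProvisionedToAccount and ListAccountAssignments through boto3, handling NextToken pagination so that an assignment on a later page is not missed. The instance ARN, account ID, permission set ARNs and principal IDs are placeholders, and the FakeSsoAdmin class is a constructed stand-in whose responses have the same shape as the real API output, so the script runs offline; pass a real instance ARN and account ID on the command line to run it against your own instance with credentials that allow sso:ListPermissionSetsProvisionedToAccount and sso:ListAccountAssignments.

```python
"""Cross-check Prism assignments against AWS IAM Identity Center.

Added example for this troubleshooting page; not Prism/CloudKeeper code.
Uses boto3 only when run with real arguments; the helpers take any client
object, so they are exercised on a constructed fake below.
"""


def paginate(call, result_key, **params):
    """Collect every item under result_key across NextToken-paginated responses."""
    items, token = [], None
    while True:
        kwargs = dict(params)
        if token:
            kwargs["NextToken"] = token
        resp = call(**kwargs)
        items.extend(resp.get(result_key, []))
        token = resp.get("NextToken")
        if not token:
            return items


def account_assignments(sso, instance_arn, account_id):
    """Return every assignment IAM Identity Center holds for one AWS account.

    This is the AWS-side view of the Prism rule behind the
    "Account Has Active Assignments" error: a non-empty result means the
    account still has live grants and must not be deleted yet.
    """
    found = []
    for ps_arn in paginate(sso.list_permission_sets_provisioned_to_account,
                           "PermissionSets",
                           InstanceArn=instance_arn, AccountId=account_id):
        found.extend(paginate(sso.list_account_assignments, "AccountAssignments",
                              InstanceArn=instance_arn, AccountId=account_id,
                              PermissionSetArn=ps_arn))
    return found


def is_replicated(assignments, principal_id, permission_set_arn):
    """True once a Prism assignment (principal + permission set) is visible in AWS."""
    return any(a["PrincipalId"] == principal_id
               and a["PermissionSetArn"] == permission_set_arn
               for a in assignments)


# Constructed placeholders; none of these identifiers are real.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE"
ACCOUNT_ID = "111111111111"
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin"
PS_READONLY = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-readonly"


class FakeSsoAdmin:
    """Offline stand-in for boto3.client("sso-admin") with response shapes
    matching the real APIs. The admin permission set's assignments are split
    across two pages to exercise pagination."""

    def list_permission_sets_provisioned_to_account(self, InstanceArn, AccountId, NextToken=None):
        if AccountId != ACCOUNT_ID:
            return {"PermissionSets": []}
        return {"PermissionSets": [PS_ADMIN, PS_READONLY]}

    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn, NextToken=None):
        def row(ptype, pid):
            return {"AccountId": AccountId, "PermissionSetArn": PermissionSetArn,
                    "PrincipalType": ptype, "PrincipalId": pid}
        if PermissionSetArn == PS_ADMIN:
            if NextToken is None:
                return {"AccountAssignments": [row("GROUP", "g-platform")], "NextToken": "page2"}
            return {"AccountAssignments": [row("USER", "u-alice")]}
        return {"AccountAssignments": [row("USER", "u-bob")]}


def demo():
    """Run both checks against the fake client: (assignment count, alice replicated?)."""
    rows = account_assignments(FakeSsoAdmin(), INSTANCE_ARN, ACCOUNT_ID)
    return len(rows), is_replicated(rows, "u-alice", PS_ADMIN)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python check.py <instance-arn> <account-id>
        import boto3
        rows = account_assignments(boto3.client("sso-admin"), sys.argv[1], sys.argv[2])
    else:
        rows = account_assignments(FakeSsoAdmin(), INSTANCE_ARN, ACCOUNT_ID)
    for r in rows:
        print(r["PrincipalType"], r["PrincipalId"], "->", r["PermissionSetArn"].rsplit("/", 1)[-1])
    print("account still has assignments" if rows else "no assignments; safe to delete in Prism")
```

Run it without arguments to see the fake data; with an instance ARN and account ID it prints every principal that IAM Identity Center still grants access to that account, which is exactly the set Prism's Assignments page must be emptied of before the account can be deleted. If a Prism assignment you just created is absent from this list after a few minutes, the sync itself is failing and Preferences > Replication is the place to look.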
Permission Set Not Appearing in JIT Portal
Problem: A permission set that exists in the Admin Portal does not appear as an option when requesting JIT access.
Cause: The permission set may not yet be synced to AWS IAM Identity Center, or it has not been assigned to any accounts that the user has access to request against.
Solution:
- Verify the permission set is properly configured in the Admin Portal under Permission Sets.
- Permission sets appear in the JIT portal based on the accounts they are assigned to. If a permission set is not assigned to any account, it will not appear in the JIT portal.
- If the user should see the permission set but does not, check whether the user has the appropriate access to the relevant accounts.
- If the permission set was recently created, wait a few moments for it to sync to AWS.
Cannot Access Identity Providers or Custom Applications
Problem: You cannot see or access the Identity Providers or Custom Applications sections in the Admin Portal.
Cause: These features are restricted to the Admin (Super Admin) role only. Even SSO Admins cannot access these sections.
Solution:
- Confirm your role. Only Admin (Super Admin) users at role level 3 can configure identity providers and custom applications.
- If you need to make changes to these settings, contact a user with the Admin role in your organization.
- Contact your administrator for full details on role restrictions.
Cannot Access Preferences (SCIM, API Tokens, Log Export)
Problem: Certain items under Preferences are not visible or accessible to you.
Cause: Different preference sections have different role requirements. SCIM, API Tokens, and Log Export Settings require the Admin role, while Replication requires at least SSO Admin.
Solution:
- Check which preference feature you need:
  - Replication: requires the SSO Admin or Admin role.
  - Admin Management, SCIM, API Tokens, Log Export: require the Admin role.
- If you need access to a restricted preference, contact your organization's Admin.
- Contact your administrator for the complete list.
Still Having Issues?
If none of the above solutions resolve your permission error:
- Verify your current role and its permissions with your administrator.
- Ask your administrator to verify your role and account status in Preferences > Admin Management.
- Check the Audit Logs (if you have SSO Admin or Admin access) for any error entries related to your actions.
- Contact CloudKeeper support with your realm name, your role, and a description of the action you are trying to perform.