aws-samples / iam-identity-center-team

Open-source temporary elevated access solution for AWS IAM Identity Center.
https://aws-samples.github.io/iam-identity-center-team/
MIT No Attribution

Feature Request: Disjoint eligibility policies #177

Closed jarrod-mg closed 2 months ago

jarrod-mg commented 4 months ago

Currently, an eligibility policy has three things:

This means, for example, that I can't set up that "developers" can request access for "PowerUserAccess" in the development OU, and "DeveloperAssistDebuggingAccess" in production - without also allowing "PowerUserAccess" in production.

I also can't say that accessing "PowerUserAccess" in development can auto-approve; but "DeveloperAssistDebuggingAccess" in production requires approval.

Is it possible to make the rules more flexible?
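To make the over-grant concrete, here is an added example (not TEAM's code, and not TEAM's real policy schema) that models the two policy shapes discussed in this issue. The `CrossProductPolicy` class is an assumed model in which every combination of listed groups, OUs and permission sets is eligible; `Rule` is an assumed model of a disjoint rule that grants exactly one combination with its own approval setting. The group, OU and permission-set names are the constructed sample values from the request above.

```python
"""Added example: a cross-product eligibility policy versus disjoint rules.

Both models here are hypothetical and constructed for illustration; they are
not the TEAM project's schema.
"""
from dataclasses import dataclass
from itertools import product


@dataclass
class CrossProductPolicy:
    """Assumed model: any group x OU x permission set in the policy is eligible,
    and one approval setting applies to all of them."""
    groups: set
    ous: set
    permission_sets: set
    approval_required: bool

    def eligible(self, group, ou, permission_set):
        return (group in self.groups
                and ou in self.ous
                and permission_set in self.permission_sets)

    def eligible_combinations(self):
        # Every element of the cross product is grantable under this policy.
        return set(product(self.groups, self.ous, self.permission_sets))


@dataclass(frozen=True)
class Rule:
    """Assumed model of one disjoint rule: exactly one combination, with its
    own approval requirement."""
    group: str
    ou: str
    permission_set: str
    approval_required: bool


def evaluate_disjoint(rules, group, ou, permission_set):
    """Return the matching rule's approval requirement (True/False), or None
    when no rule covers the combination, i.e. the request is not eligible."""
    for r in rules:
        if (r.group, r.ou, r.permission_set) == (group, ou, permission_set):
            return r.approval_required
    return None


def unintended_grants(policy, intended_rules):
    """Combinations the cross-product policy grants beyond the intended rules.
    Useful as a review check before deploying a broad policy."""
    intended = {(r.group, r.ou, r.permission_set) for r in intended_rules}
    return policy.eligible_combinations() - intended


# Constructed sample: the situation described in the issue.
CROSS_PRODUCT = CrossProductPolicy(
    groups={"developers"},
    ous={"development", "production"},
    permission_sets={"PowerUserAccess", "DeveloperAssistDebuggingAccess"},
    approval_required=True,
)

# What the requester actually wants: two disjoint rules with different
# approval settings.
DISJOINT_RULES = [
    Rule("developers", "development", "PowerUserAccess", approval_required=False),
    Rule("developers", "production", "DeveloperAssistDebuggingAccess",
         approval_required=True),
]


if __name__ == "__main__":
    print("Cross-product grants PowerUserAccess in production:",
          CROSS_PRODUCT.eligible("developers", "production", "PowerUserAccess"))
    print("Disjoint rules grant PowerUserAccess in production:",
          evaluate_disjoint(DISJOINT_RULES, "developers", "production",
                            "PowerUserAccess") is not None)
    print("Unintended grants from the cross-product policy:")
    for combo in sorted(unintended_grants(CROSS_PRODUCT, DISJOINT_RULES)):
        print("  ", combo)
```

Running the block lists the two combinations the cross-product policy grants that the requester never intended, including PowerUserAccess in production; the disjoint rule list grants neither, and lets the development grant auto-approve while the production grant still requires approval.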

tawoyinfa commented 4 months ago

@jarrod-mg As of today, the eligibility policy schema is not very flexible. That might change in the future though. It would require a complete redesign of the policy schema, would need to be thought through carefully and is on our radar.

github-actions[bot] commented 2 months ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 7 days it will automatically be closed.