Understanding authorization by role

Understanding authorization by role - Amazon Chime SDK

The tables in this topic list the actions that app instance users can run, depending on their role.

Legend
  • Allowed – If the correct Action/Resource context is specified in the IAM policy, the action can be run successfully.

  • Allowed with restrictions – If the correct Action/Resource context is specified in the IAM policy, certain conditions must still be met for the action to run successfully.

  • Denied – Even if the correct Action/Resource context is specified in the IAM policy, the back end still blocks the action.

AppInstanceAdmin

App instance administrators can perform actions on channels within the app instance for which they are an admin.

| API name | Allowed or denied | Notes |
|---|---|---|
| UpdateChannel | Allowed with restriction | Cannot update ElasticChannelConfiguration once set |
| DeleteChannel | Allowed | |
| DescribeChannel | Allowed | |
| ListChannel | Allowed | |
| ListChannelMembershipsForAppInstanceUser | Allowed | You can also populate the AppInstanceUserArn with another AppInstanceUser. |
| DescribeChannelMembershipForAppInstanceUser | Allowed | You can also populate AppInstanceUserArn with another AppInstanceUser. |
| ListChannelsModeratedByAppInstanceUser | Allowed | You can also populate AppInstanceUserArn with another AppInstanceUser. |
| DescribeChannelModeratedByAppInstanceUser | Allowed | You can also populate AppInstanceUserArn with another AppInstanceUser. Not allowed for elastic channels. |
| CreateChannelMembership | Allowed | |
| DescribeChannelMembership | Allowed | |
| ListChannelMembership | Allowed | |
| DeleteChannelMembership | Allowed | |
| SendChannelMessage | Allowed with restriction | You first need to use CreateChannelMembership to create a membership for yourself, and then call the API. |
| GetChannelMessage | Allowed | |
| ListChannelMessage | Allowed | |
| DeleteChannelMessage | Allowed | |
| RedactChannelMessage | Allowed | |
| UpdateChannelMessage | Allowed with restriction | You can only edit your own messages. |
| CreateChannelModerator | Allowed | |
| DeleteChannelModerator | Allowed | |
| DescribeChannelModerator | Allowed | |
| ListChannelModerator | Allowed | |
| CreateChannelBan | Allowed with restriction | The AppInstanceUser that you ban cannot be an AppInstanceAdmin or the moderator of that channel. |
| DeleteChannelBan | Allowed with restriction | |
| DescribeChannelBan | Allowed | |
| ListChannelBan | Allowed | |
| UpdateChannelReadMarker | Allowed with restriction | For non-elastic channels, you need to use the CreateChannelMembership API to create a membership for yourself first, and then call the API. Not allowed for elastic channels. |
| GetChannelMessage | Allowed with restriction | Allowed only for sent messages. Not allowed for messages in processing by channel flow unless you are the message sender. |
| ListChannelMessages | Allowed | |
| DeleteChannelMessage | Allowed with restriction | Allowed only for sent messages. |
| RedactChannelMessage | Allowed with restriction | Allowed only for sent messages. |
| UpdateChannelMessage | Allowed with restriction | You can only edit your own sent messages. |
| AssociateChannelFlow | Allowed | |
| DisassociateChannelFlow | Allowed | |
| GetChannelMessageStatus | Allowed with restriction | You can only get message status for your own messages. |
| ListSubChannels | Allowed | |

ChannelModerator

Channel moderators can perform actions only on channels for which they have the moderator role.

Note

A moderator who is an AppInstanceAdmin can perform actions on channels allowed by that role.

| API name | Allowed or denied | Notes |
|---|---|---|
| UpdateChannel | Allowed | Cannot update ElasticChannelConfiguration once set |
| DeleteChannel | Allowed | |
| DescribeChannel | Allowed with restriction | You can only get details for public channels. |
| ListChannel | Allowed with restriction | You can only get details for public channels. |
| ListChannelMembershipsForAppInstanceUser | Allowed with restriction | You can only use your ARN as the AppInstanceUserArn value. |
| DescribeChannelMembershipForAppInstanceUser | Allowed with restriction | You can only use your ARN as the AppInstanceUserArn value. |
| ListChannelsModeratedByAppInstanceUser | Allowed with restriction | You can only use your ARN as the AppInstanceUserArn value. |
| DescribeChannelModeratedByAppInstanceUser | Allowed with restriction | You can also populate an AppInstanceUserArn with another AppInstanceUser. |
| CreateChannelMembership | Allowed | |
| DescribeChannelMembership | Allowed | |
| ListChannelMembership | Allowed | |
| DeleteChannelMembership | Allowed | |
| SendChannelMessage | Allowed with restriction | You need to use the CreateChannelMembership API to create a membership for yourself first, and then call the SendChannelMessage API. |
| GetChannelMessage | Allowed | |
| ListChannelMessage | Allowed | |
| DeleteChannelMessage | Denied | |
| RedactChannelMessage | Allowed | |
| UpdateChannelMessage | Allowed with restriction | You can only update your own messages. |
| CreateChannelModerator | Allowed | You need to use the CreateChannelMembership API to create a membership for yourself first, and then call the CreateChannelModerator API. |
| DeleteChannelModerator | Allowed | |
| DescribeChannelModerator | Allowed | |
| ListChannelModerator | Allowed | |
| CreateChannelBan | Allowed with restriction | The AppInstanceUser you are banning cannot be an AppInstanceAdmin or the moderator of that channel. |
| DeleteChannelBan | Allowed with restriction | |
| DescribeChannelBan | Allowed | |
| ListChannelBan | Allowed | |
| UpdateChannelReadMarker | Allowed with restriction | For non-elastic channels, you need to use CreateChannelMembership to create a membership for yourself first, and then call the UpdateChannelReadMarker API. Not allowed for elastic channels. |
| GetChannelMessage | Allowed with restriction | Allowed only for sent messages. Not allowed for messages in processing by channel flow unless you are the message sender. |
| ListChannelMessages | Allowed | |
| DeleteChannelMessage | Denied | |
| RedactChannelMessage | Allowed with restriction | Allowed only for sent messages. |
| UpdateChannelMessage | Allowed with restriction | You can only edit your own sent messages. |
| AssociateChannelFlow | Allowed | |
| DisassociateChannelFlow | Allowed | |
| GetChannelMessageStatus | Allowed with restriction | You can only get message status for your own messages. |
| ListSubChannels | Allowed | |

Member

An AppInstanceUser becomes a member of a channel if they are added to the channel via the CreateChannelMembership API.

Members can perform actions only on channels to which they belong.

Note

A member who is an AppInstanceAdmin or ChannelModerator can perform actions on channels allowed by those two roles.

| API name | Allowed or denied | Notes |
|---|---|---|
| UpdateChannel | Denied | |
| DeleteChannel | Denied | |
| DescribeChannel | Allowed with restriction | You can only get details for public channels. |
| ListChannel | Allowed with restriction | You can only get details for public channels. |
| ListChannelMembershipsForAppInstanceUser | Allowed with restriction | You can only use your ARN as the AppInstanceUserArn value. |
| DescribeChannelMembershipForAppInstanceUser | Allowed with restriction | You can only use your ARN as the AppInstanceUserArn value. |
| ListChannelsModeratedByAppInstanceUser | Allowed with restriction | You can only use your ARN as the AppInstanceUserArn value. |
| DescribeChannelModeratedByAppInstanceUser | Allowed with restriction | You can also populate an AppInstanceUserArn with another AppInstanceUser. Not allowed for elastic channels. |
| CreateChannelMembership | Allowed with restriction | You can only add other members for an UNRESTRICTED channel. |
| DescribeChannelMembership | Allowed | |
| ListChannelMembership | Allowed | |
| DeleteChannelMembership | Allowed | |
| SendChannelMessage | Allowed | |
| GetChannelMessage | Allowed | |
| ListChannelMessage | Allowed | |
| DeleteChannelMessage | Denied | |
| RedactChannelMessage | Allowed with restriction | You can only redact your own messages. |
| UpdateChannelMessage | Allowed with restriction | You can only update your own messages. |
| CreateChannelModerator | Denied | |
| DeleteChannelModerator | Denied | |
| DescribeChannelModerator | Denied | |
| ListChannelModerator | Denied | |
| CreateChannelBan | Denied | |
| DeleteChannelBan | Denied | |
| DescribeChannelBan | Denied | |
| ListChannelBan | Denied | |
| UpdateChannelReadMarker | Allowed with restriction | Not allowed for elastic channels. |
| GetChannelMessage | Allowed with restriction | Allowed only for sent messages. Not allowed for messages in processing by channel flow unless you are the message sender. |
| ListChannelMessages | Allowed | |
| DeleteChannelMessage | Allowed with restriction | Allowed only for sent messages. |
| RedactChannelMessage | Allowed with restriction | Allowed only for sent messages. |
| UpdateChannelMessage | Allowed with restriction | You can only edit your own sent messages. |
| AssociateChannelFlow | Denied | |
| DisassociateChannelFlow | Denied | |
| GetChannelMessageStatus | Allowed with restriction | You can only get message status for your own messages. |
| ListSubChannels | Denied | |

Non-member

A non-member is a regular AppInstanceUser who cannot perform any channel-related actions unless you use the CreateChannelMembership API to add them.

Note

A non-member who is an AppInstanceAdmin or ChannelModerator can perform channel-related actions allowed by those two roles.

| API name | Allowed or denied | Notes |
|---|---|---|
| UpdateChannel | Denied | |
| DeleteChannel | Denied | |
| DescribeChannel | Allowed with restriction | You can only get details for public channels. |
| ListChannel | Allowed with restriction | You can only get details for public channels. |
| ListChannelMembershipsForAppInstanceUser | Allowed with restriction | You can only use your ARN as the AppInstanceUserArn value. |
| DescribeChannelMembershipForAppInstanceUser | Allowed with restriction | You can also populate an AppInstanceArn with another AppInstanceUser. Not allowed for elastic channels. |
| ListChannelsModeratedByAppInstanceUser | Allowed with restriction | You can only use your ARN as the AppInstanceUserArn value. |
| DescribeChannelModeratedByAppInstanceUser | Allowed with restriction | You can only use your ARN as the AppInstanceUserArn value. |
| CreateChannelMembership | Denied | |
| DescribeChannelMembership | Allowed with restriction | You can only get details for public channels. |
| ListChannelMembership | Allowed with restriction | You can only get details for public channels. |
| DeleteChannelMembership | Denied | |
| SendChannelMessage | Denied | |
| GetChannelMessage | Allowed with restriction | You can only get details for public channels. |
| ListChannelMessage | Allowed with restriction | You can only get details for public channels. |
| DeleteChannelMessage | Denied | |
| RedactChannelMessage | Denied | |
| UpdateChannelMessage | Denied | |
| CreateChannelModerator | Denied | |
| DeleteChannelModerator | Denied | |
| DescribeChannelModerator | Denied | |
| ListChannelModerator | Denied | |
| CreateChannelBan | Denied | |
| DeleteChannelBan | Denied | |
| DescribeChannelBan | Denied | |
| ListChannelBan | Denied | |
| UpdateChannelReadMarker | Denied | |
| GetChannelMessage | Allowed with restriction | Allowed only for sent messages. Not allowed for messages in processing by channel flow unless you are the message sender. |
| ListChannelMessages | Allowed with restriction | |
| DeleteChannelMessage | Denied | Denied |
| RedactChannelMessage | Denied | |
| UpdateChannelMessage | Denied | |
| AssociateChannelFlow | Denied | |
| DisassociateChannelFlow | Denied | |
| GetChannelMessageStatus | Allowed with restriction | You can only get message status for your own messages. |
