

# Administrator tasks for Multi-party approval
<a name="administrator"></a>

As an administrator, you are responsible for managing and creating approval teams. When you create a team, you set the initial approval requirements and invite approvers to join the team.

When a team is active, you can request to update the team description, approval threshold, and approvers assigned to a team. You can also request to delete the team. Requests that you make require team approval to take effect.

**Use the Multi-party approval console for administrator tasks**

The Multi-party approval console is located in the AWS Organizations console, and is an interface for the Multi-party approval admin to create and manage their approval teams.

![\[Multi-party approval console showing teams and identity sources for managing approval processes.\]](http://docs.aws.amazon.com/mpa/latest/userguide/images/mpa-dashboard.png)


*Figure 1: Diagram depicting the Multi-party approval console.*

**Topics**
+ [Set up Multi-party approval](setting-up.md)
+ [Create team](create-team.md)
+ [View team](admin-view-team.md)
+ [Update team](update-team.md)
+ [Baseline team](baseline-team.md)
+ [Share team](share-team.md)
+ [Delete team](delete-team.md)
+ [Cancel session](cancel-session.md)
+ [Disable Multi-party approval](delete-identity-source.md)

# Set up Multi-party approval
<a name="setting-up"></a>

When you sign in to your organization's management account, you can set up Multi-party approval by navigating to the Multi-party approval console and creating a Multi-party approval identity source.

An *identity source* is a Multi-party approval resource that models the connection between Multi-party approval and the AWS IAM Identity Center instance that manages the user authentication for approvers.

![\[AWS Organizations and Approval portal diagram showing management account connection to IAM Identity Center.\]](http://docs.aws.amazon.com/mpa/latest/userguide/images/setting-up.png)


*Figure 1: Diagram depicting a Multi-party approval administrator setting up Multi-party approval.*

## Create a Multi-party approval identity source
<a name="setting-up-steps"></a>

To create an identity source, complete the following steps.

 **Minimum permissions** 

To create a Multi-party approval identity source, you need permission to run the following actions:
+ `kms:Decrypt`
+ `mpa:CreateIdentitySource`
+ `sso:CreateApplication`
+ `sso:DeleteApplication`
+ `sso:DescribeApplication`
+ `sso:DescribeInstance`
+ `sso:ListInstances`
+ `sso:PutApplicationAccessScope`
+ `sso:PutApplicationAssignmentConfiguration`
+ `sso:PutApplicationAuthenticationMethod`
+ `sso:PutApplicationGrant`

If you are using the AWS Management Console, you also need permission to run the following actions:
+ `kms:Decrypt`
+ `organizations:DescribeOrganization`
+ `organizations:ListDelegatedAdministrators`
+ `sso:DescribeInstance`
+ `sso:DescribeRegisteredRegions`
+ `sso:GetSharedSsoConfiguration`
+ `sso:ListInstances`

------
#### [ AWS Management Console ]

**To create a Multi-party approval identity source**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. On the left navigation, choose **Multi-party approval**.

1. On the **Multi-party approval** console, choose **Set up Multi-party approval**.

1. On the **Set up Multi-party approval** page, wait while Multi-party approval searches for your IAM Identity Center instance. If you don't have an IAM Identity Center instance, you are prompted to create one.

1. After Multi-party approval has found your IAM Identity Center instance, choose **Complete setup**.

------
#### [ AWS CLI & AWS SDKs ]

**To create a Multi-party approval identity source**  
You can use one of the following operations:
+ AWS CLI: [list-instances](https://docs.aws.amazon.com/cli/latest/reference/sso-admin/list-instances.html) and [create-identity-source](https://docs.aws.amazon.com/cli/latest/reference/mpa/create-identity-source.html)

  1. Run the following command to return a list of Amazon Resource Names (ARNs) for your IAM Identity Center instances:

     ```
     $ C:\> aws sso-admin list-instances
     ```

  1. Run the following command to create a Multi-party approval identity source for the IAM Identity Center instance of your choice:

     ```
     $ C:\> aws mpa create-identity-source \
       --identity-source-parameters '{
         "IamIdentityCenter": {
           "InstanceArn": "arn:aws:sso:::instance/ssoins-111122223333",
           "Region": "region"
         }
       }'
     ```
     + **`InstanceArn`**: Amazon Resource Name (ARN) for the IAM Identity Center instance you want to connect with Multi-party approval.
     + **`Region`**: AWS Region where the IAM Identity Center instance is located. 
+ AWS SDKs: [ListInstances](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListInstances.html) and [CreateIdentitySource](https://docs.aws.amazon.com/mpa/latest/APIReference/API_CreateIdentitySource.html)

------

**What to do next**  
After you set up Multi-party approval, you can create approval teams in the Multi-party approval console or using the AWS CLI & AWS SDKs. For more information, see [Create team](create-team.md).

## Considerations
<a name="setting-up-considerations"></a>

**AWS Organizations is required**

Multi-party approval is a capability of AWS Organizations. You access the Multi-party approval console through the Organizations console.

To set up Organizations, see [Getting started with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started.html) in the *Organizations User Guide*.

**Organization instance of IAM Identity Center is required**

Multi-party approval requires access to your identities in AWS IAM Identity Center. To enable an organization instance, see [Enable IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center.html) in the *IAM Identity Center User Guide*.

For your organization instance, we strongly recommend using an [external identity provider](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html). This separates IAM Identity Center administrative privileges from management of the identities themselves. Without that separation, an IAM Identity Center administrator could bypass Multi-party approval by resetting approver passwords and approving requests under the approvers' identities.

**Cross-Region setup for the IAM Identity Center instance**

When Multi-party approval and your IAM Identity Center instance are enabled in different Regions, Multi-party approval calls IAM Identity Center across Regions. This means that [user and group](https://docs.aws.amazon.com/singlesignon/latest/userguide/users-groups-provisioning.html) information moves across Regions.

If the Region where the IAM Identity Center instance is located experiences issues, approvers might temporarily be unable to access the Multi-party approval portal, and delivery of notifications about new approvals might be delayed.

**One identity source for Multi-party approval**

Creating a Multi-party approval identity source is a one-time operation, and you can have only one identity source for Multi-party approval.

# Create an approval team
<a name="create-team"></a>

When you sign in to your organization's management account, you can create approval teams by navigating to the Multi-party approval console.

![\[AWS Organizations approval process flow from management account to approval portal.\]](http://docs.aws.amazon.com/mpa/latest/userguide/images/create-team.png)


*Figure 1: Diagram depicting a Multi-party approval administrator creating an approval team.*

## Create an approval team
<a name="create-team-steps"></a>

To create a team, complete the following steps.

 **Minimum permissions** 

To create a team, you need permission to run the following action:
+ `mpa:CreateApprovalTeam`

If you are using the AWS Management Console, you also need permission to run the following actions:
+ `kms:Decrypt`
+ `organizations:DescribeOrganization`
+ `organizations:ListDelegatedAdministrators`
+ `sso:DescribeInstance`
+ `sso:GetSharedSsoConfiguration`
+ `sso:ListInstances`
+ `sso-directory:DescribeUsers`
+ `sso-directory:SearchUsers`

------
#### [ AWS Management Console ]

**To create a team**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. On the left navigation, choose **Multi-party approval**.

1. On the **Multi-party approval** console, choose **Create team**.

1. On the **Create approval team** page, enter the following information:
   + **Name:** Name for the team.
   + **Description:** Description for the team.
   + **Approvers**: Choose **Assign approvers** to open a dialog box for selecting IAM Identity Center users to invite to the team. You must have at least three approvers per team.
   + **Minimum required approvals**: Minimum number of approvals needed for a protected operation to be executed. It is recommended to set an approval threshold below the total number of approvers. You must have an approval threshold of at least two.
   + **Tags**: (Optional) Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter teams.

1. After you have finished entering your information, choose **Create team**.

------
#### [ AWS CLI & AWS SDKs ]

**To create a team**  
You can use one of the following operations:
+ AWS CLI: [list-instances](https://docs.aws.amazon.com/cli/latest/reference/sso-admin/list-instances.html), [list-users](https://docs.aws.amazon.com/cli/latest/reference/identitystore/list-users.html), and [create-approval-team](https://docs.aws.amazon.com/cli/latest/reference/mpa/create-approval-team.html)

  1. Run the following command to return a list of Amazon Resource Names (ARNs) for your IAM Identity Center instances:

     ```
     $ C:\> aws sso-admin list-instances
     ```

     This returns the `IdentityStoreId` you need to get user IDs (Step 2).

  1. Run the following command to return a list of user IDs from the IAM Identity Center identity store of your choice:

     ```
     $ C:\> aws identitystore list-users --identity-store-id identitystoreId
     ```

     This returns the `UserId` you need for `PrimaryIdentityId` (Step 4).

  1. Run the following command to return the Amazon Resource Name (ARN) for your Multi-party approval identity source:

     ```
     $ C:\> aws mpa list-identity-sources
     ```

     This returns the `IdentitySourceArn` you need for `PrimaryIdentitySourceArn` (Step 4).

  1. Run the following command to create a team:

     ```
     $ C:\> aws mpa create-approval-team \
       --name "MyTeam" \
       --description "Description for my team" \
       --approval-strategy '{"MofN":{"MinApprovalsRequired":approval threshold}}' \
       --approvers '[{"PrimaryIdentityId":"544894e8-80c1-707f-60e3-3ba6510dfac1","PrimaryIdentitySourceArn":"arn:aws:mpa:region:123456789012:identity-sources/IamIdentityCenter"}]' \
       --policies '["arn:aws:mpa::aws:policy/backup.amazonaws.com/CreateRestoreAccessVault"]' \
       --tags '{"Key1":"Value1","Key2":"Value2"}'
     ```
     + **`name`**: Name for the team.
     + **`description`**: Description for the team.
     + **`approval-strategy`**: Contains an `ApprovalStrategy` object. Currently, only `MofNApprovalStrategy` is supported. This object specifies the minimum number of approvals (M) required for a total number of approvers (N). The integer you specify is the approval threshold. It is recommended to set an approval threshold below the total number of approvers. You must have an approval threshold of at least two.
     + **`approvers`**: List of approvers. You must have at least three approvers per team. Each approver requires:
       + **`PrimaryIdentitySourceArn`**: Amazon Resource Name (ARN) for Multi-party approval identity source.
       + **`PrimaryIdentityId`**: User ID from the IAM Identity Center identity store for the approver you want to assign to the team.
     + **`policies`**: List of Amazon Resource Names (ARNs) for the Multi-party approval policies that define which protected operations this team approves. For a list of available policies, use `mpa list-policies`.
     + **`tags`**: (Optional) Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter teams.
+ AWS SDKs: [ListInstances](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListInstances.html), [ListUsers](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.html), and [CreateApprovalTeam](https://docs.aws.amazon.com/mpa/latest/APIReference/API_CreateApprovalTeam.html)

------
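The CLI procedure above chains four commands and relies on the administrator to respect the team constraints by hand. The following is an added example, not code from the Multi-party approval documentation or from the AWS CLI: it takes the responses of `aws identitystore list-users` and `aws mpa list-identity-sources` (constructed samples with fictitious IDs, so it runs offline), resolves approver usernames to `UserId`s, enforces the documented minimums (at least three approvers, a threshold of at least two, and by default a threshold below the approver count), and assembles the `create-approval-team` command with the `--approval-strategy` and `--approvers` JSON shaped exactly as in the command shown above. The response key names (`Users`, `UserName`, `UserId`, `IdentitySources`, `IdentitySourceArn`) are assumed to match the ListUsers and ListIdentitySources API responses.

```python
"""Build validated create-approval-team arguments from IAM Identity Center usernames.

Added example; not code from the Multi-party approval documentation or the AWS CLI.
Nothing here calls AWS: the command is assembled and printed for the operator to run.
"""
import json
import shlex

MIN_APPROVERS = 3   # documented minimum team size
MIN_THRESHOLD = 2   # documented minimum approval threshold

# Constructed sample of an `aws identitystore list-users` response (fictitious IDs).
SAMPLE_LIST_USERS = {
    "Users": [
        {"UserName": "alice", "UserId": "544894e8-80c1-707f-60e3-3ba6510dfac1"},
        {"UserName": "bob", "UserId": "a4b8c4d8-1111-7022-9f61-1c0e5a2b3c4d"},
        {"UserName": "carol", "UserId": "b4f8e4a8-2222-70d1-8e52-2d1f6b3c4d5e"},
        {"UserName": "dave", "UserId": "c4e8f4b8-3333-70e0-7d43-3e2a7c4d5e6f"},
    ]
}

# Constructed sample of an `aws mpa list-identity-sources` response (assumed key names).
SAMPLE_LIST_IDENTITY_SOURCES = {
    "IdentitySources": [
        {"IdentitySourceArn": "arn:aws:mpa:us-east-1:123456789012:identity-sources/IamIdentityCenter"}
    ]
}


def resolve_user_ids(list_users_response, usernames):
    """Map approver usernames to identity store UserIds. Unknown or duplicate names are
    errors, so a typo cannot silently produce a smaller team than intended."""
    if len(set(usernames)) != len(usernames):
        raise ValueError("duplicate approver usernames")
    by_name = {u["UserName"]: u["UserId"] for u in list_users_response["Users"]}
    missing = [n for n in usernames if n not in by_name]
    if missing:
        raise ValueError(f"usernames not found in identity store: {missing}")
    return [by_name[n] for n in usernames]


def identity_source_arn(list_identity_sources_response):
    """Multi-party approval has exactly one identity source; anything else is a setup error."""
    sources = list_identity_sources_response["IdentitySources"]
    if len(sources) != 1:
        raise ValueError(f"expected exactly one identity source, found {len(sources)}")
    return sources[0]["IdentitySourceArn"]


def validate_threshold(num_approvers, threshold, allow_equal=False):
    """Check M-of-N against the documented limits. M == N is rejected unless allow_equal,
    because a single unresponsive approver would then block every protected operation."""
    if num_approvers < MIN_APPROVERS:
        raise ValueError(f"need at least {MIN_APPROVERS} approvers, got {num_approvers}")
    if threshold < MIN_THRESHOLD:
        raise ValueError(f"threshold must be at least {MIN_THRESHOLD}, got {threshold}")
    if threshold > num_approvers:
        raise ValueError(f"threshold {threshold} exceeds approver count {num_approvers}")
    if threshold == num_approvers and not allow_equal:
        raise ValueError("threshold equal to approver count leaves no tolerance for an "
                         "unresponsive approver; pass allow_equal=True to accept it")
    return True


def build_create_team_command(name, description, usernames, threshold, policies,
                              list_users_response, list_identity_sources_response,
                              tags=None, allow_equal=False):
    """Return (argv, approvers) for `aws mpa create-approval-team`, with the JSON
    arguments in the same shape as the guide's CLI example."""
    validate_threshold(len(usernames), threshold, allow_equal)
    source_arn = identity_source_arn(list_identity_sources_response)
    approvers = [
        {"PrimaryIdentityId": uid, "PrimaryIdentitySourceArn": source_arn}
        for uid in resolve_user_ids(list_users_response, usernames)
    ]
    strategy = {"MofN": {"MinApprovalsRequired": threshold}}
    argv = [
        "aws", "mpa", "create-approval-team",
        "--name", name,
        "--description", description,
        "--approval-strategy", json.dumps(strategy),
        "--approvers", json.dumps(approvers),
        "--policies", json.dumps(list(policies)),
    ]
    if tags:
        argv += ["--tags", json.dumps(dict(tags))]
    return argv, approvers


if __name__ == "__main__":
    argv, _ = build_create_team_command(
        "MyTeam", "Restore vault approvers", ["alice", "bob", "carol", "dave"], 2,
        ["arn:aws:mpa::aws:policy/backup.amazonaws.com/CreateRestoreAccessVault"],
        SAMPLE_LIST_USERS, SAMPLE_LIST_IDENTITY_SOURCES, tags={"Env": "prod"},
    )
    print(shlex.join(argv))  # paste into a shell; nothing is sent to AWS by this script
```

In practice, replace the two sample dictionaries with `json.load` of the real `list-users` and `list-identity-sources` output. The threshold check is deliberately stricter than the service, which only enforces the minimums; the M == N case is the one that most often leaves a team unable to approve anything once one approver leaves.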

**What to do next**  
After you have created a team, Multi-party approval sends email invitations to the approvers you assigned to the team. The team will become active if every invitation is accepted within 24 hours. If at least one approver declines the team invitation, the team will become inactive. For more information, see [Team health](team-health.md).

# View an approval team
<a name="admin-view-team"></a>

When you sign in to your organization's management account, you can view your approval teams and teams that have been shared with you by navigating to the Multi-party approval console.

For more information about statuses, see [Team health](team-health.md).

## View an approval team
<a name="admin-view-team-steps"></a>

To view a team, complete the following steps.

 **Minimum permissions** 

To view a team, you need permission to run the following action:
+ `mpa:GetApprovalTeam`

If you are using the AWS Management Console, you also need permission to run the following actions:
+ `kms:Decrypt`
+ `organizations:DescribeOrganization`
+ `organizations:ListDelegatedAdministrators`
+ `sso:DescribeInstance`
+ `sso:GetSharedSsoConfiguration`
+ `sso:ListInstances`
+ `sso-directory:DescribeUsers`
+ `sso-directory:SearchUsers`

------
#### [ AWS Management Console ]

**To view a team**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. On the left navigation, choose **Multi-party approval**.

1. On the **Multi-party approval** console, you can view a list of your teams.

1. On the **Team** column, select a team to view its details.

------
#### [ AWS CLI & AWS SDKs ]

**To view a team**  
You can use one of the following operations:
+ AWS CLI: [list-approval-teams](https://docs.aws.amazon.com/cli/latest/reference/mpa/list-approval-teams.html) and [get-approval-team](https://docs.aws.amazon.com/cli/latest/reference/mpa/get-approval-team.html)

  1. Run the following command to return a list of Amazon Resource Names (ARNs) for your teams:

     ```
     $ C:\> aws mpa list-approval-teams
     ```

  1. Run the following command to view details for a team:

     ```
     $ C:\> aws mpa get-approval-team --arn arn:aws:mpa:region:123456789012:approval-team/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
     ```
+ AWS SDKs: [ListApprovalTeams](https://docs.aws.amazon.com/mpa/latest/APIReference/API_ListApprovalTeams.html) and [GetApprovalTeam](https://docs.aws.amazon.com/mpa/latest/APIReference/API_GetApprovalTeam.html)

------

# Update an approval team
<a name="update-team"></a>

When you sign in to your organization's management account, you can request to update your approval teams by navigating to the Multi-party approval console.

As the Multi-party approval administrator, you can request to update the team description, approval threshold, and approvers assigned to a team. This creates an approval session for the request.

## Update an approval team
<a name="update-team-steps"></a>

To update a team, complete the following steps.

 **Minimum permissions** 

To update a team, you need permission to run the following actions:
+ `mpa:UpdateApprovalTeam`

If you are using the AWS Management Console, you also need permission to run the following actions:
+ `kms:Decrypt`
+ `organizations:DescribeOrganization`
+ `organizations:ListDelegatedAdministrators`
+ `sso:DescribeInstance`
+ `sso:GetSharedSsoConfiguration`
+ `sso:ListInstances`
+ `sso-directory:DescribeUsers`
+ `sso-directory:SearchUsers`

------
#### [ AWS Management Console ]

**To update a team**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. On the left navigation, choose **Multi-party approval**.

1. On the **Team** column, select a team to view its details.

1. On the team page, choose **Edit**.

1. On the **Edit approval team** page, you can update the following information:
   + **Description:** Description for the team.
   + **Approvers**: Choose **Assign approvers** to open a dialog box for selecting IAM Identity Center users to add to or remove from the team. Teams must have at least three approvers.
   + **Minimum required approvals**: Minimum number of approvals needed for a protected operation to run. It is recommended to set an approval threshold below the total number of approvers. The approval threshold must be at least two.

1. After you have finished updating your information, choose **Edit**.

------
#### [ AWS CLI & AWS SDKs ]

**To update a team**  
You can use one of the following operations:
+ AWS CLI: [list-instances](https://docs.aws.amazon.com/cli/latest/reference/sso-admin/list-instances.html), [list-users](https://docs.aws.amazon.com/cli/latest/reference/identitystore/list-users.html), [list-approval-teams](https://docs.aws.amazon.com/cli/latest/reference/mpa/list-approval-teams.html) and [update-approval-team](https://docs.aws.amazon.com/cli/latest/reference/mpa/update-approval-team.html)

  1. (If assigning new approvers) Run the following command to return a list of Amazon Resource Names (ARNs) for your IAM Identity Center instances:

     ```
     $ C:\> aws sso-admin list-instances
     ```

     This returns the `IdentityStoreId` you need to get user IDs (Step 2).

  1. (If assigning new approvers) Run the following command to return a list of user IDs from the identity store of your choice:

     ```
     $ C:\> aws identitystore list-users --identity-store-id identitystoreId
     ```

     This returns the `UserId` you need for `PrimaryIdentityId` (Step 5).

  1. (If assigning new approvers) Run the following command to return the Amazon Resource Name (ARN) for your Multi-party approval identity source:

     ```
     $ C:\> aws mpa list-identity-sources
     ```

     This returns the `IdentitySourceArn` you need for `PrimaryIdentitySourceArn` (Step 5).

  1. Run the following command to return a list of Amazon Resource Names (ARNs) for teams:

     ```
     $ C:\> aws mpa list-approval-teams
     ```

     This returns the `Arn` you need for `arn` (Step 5).

  1. Run the following command to update a team:

     ```
     $ C:\> aws mpa update-approval-team \
       --arn arn:aws:mpa:region:123456789012:approval-team/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
       --description "Description for my team" \
       --approval-strategy '{"MofN":{"MinApprovalsRequired":integer}}' \
       --approvers '[{"PrimaryIdentityId":"544894e8-80c1-707f-60e3-3ba6510dfac1","PrimaryIdentitySourceArn":"arn:aws:mpa:region:123456789012:identity-sources/IamIdentityCenter"}]'
     ```
     + **`arn`**: Amazon Resource Name (ARN) for the team.
     + **`description`** (Optional): Description for the team.
     + **`approval-strategy`** (Optional): Contains an `ApprovalStrategy` object. Currently, only `MofNApprovalStrategy` is supported. This object specifies the minimum number of approvals (M) required for a total number of approvers (N). The integer you specify is the approval threshold. It is recommended to set an approval threshold below the total number of approvers.
     + **`approvers`** (Optional): List of approvers. Each approver requires:
       + **`PrimaryIdentitySourceArn`**: Amazon Resource Name (ARN) for the Multi-party approval identity source.
       + **`PrimaryIdentityId`**: ID for the approver you want to assign to the team.
+ AWS SDKs: [ListInstances](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_ListInstances.html), [ListUsers](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListUsers.html), [ListApprovalTeams](https://docs.aws.amazon.com/mpa/latest/APIReference/API_ListApprovalTeams.html), and [UpdateApprovalTeam](https://docs.aws.amazon.com/mpa/latest/APIReference/API_UpdateApprovalTeam.html)

------

**What to do next**  
After you request to update a team, you can monitor the team status in the Multi-party approval console or using the AWS CLI & AWS SDKs. For more information, see [View team](admin-view-team.md). To cancel an update, see [Cancel session](cancel-session.md).

## Updates and team drafts
<a name="update-team-draft-status"></a>

When you request to update a team, Multi-party approval creates a team draft which contains the proposed changes.

![\[Team draft interface showing approver updates and approval threshold changes.\]](http://docs.aws.amazon.com/mpa/latest/userguide/images/team-draft.png)


*Figure 1: Team draft as displayed in the Multi-party approval console.*

### Workflows for drafts
<a name="team-updates-draft-workflow"></a>

The following are the workflows for team drafts.
+ When you request to update a team, the draft enters an *update pending approval* state. This starts a 24-hour approval session.
+ If the update is approved, the edits in the draft are applied to the team. The team now operates with the applied changes.
+ If the update is rejected, the draft enters an *update failed approval* state. You can delete the draft, or re-edit for approval and try again.
+ If the update includes inviting new approvers, the draft enters an *update pending activation* state once the update is approved. The team remains functional while newly invited approvers have 24 additional hours to respond to the team invitation.
+ If at least one newly invited approver declines the team invitation or the invitation expires, the draft enters an *update failed activation* state. You can delete the draft, or re-edit for approval and try again.

For more information about statuses, see [Team health](team-health.md).

### Interacting with drafts
<a name="team-updates-draft-interact"></a>

------
#### [ AWS Management Console ]

**To view a draft**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. On the left navigation, choose **Multi-party approval**.

1. On the **Multi-party approval** console, you can view a list of your teams.

1. On the **Team** column, select the team with the draft you want to view.

1. On the team page, select **View draft** in the alert banner.

------
#### [ AWS CLI & AWS SDKs ]

**To view a draft**

You can follow the steps for the AWS CLI & AWS SDKs in [View team](admin-view-team.md) to view a draft. The `PendingUpdate` object represents the team draft, if applicable.

This object appears as part of the [GetApprovalTeam](https://docs.aws.amazon.com/mpa/latest/APIReference/API_GetApprovalTeam.html) API response when there is a pending update for a team. It contains all the proposed changes that are awaiting approval or activation.

------

------
#### [ AWS Management Console ]

**To delete a draft**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. On the left navigation, choose **Multi-party approval**.

1. On the **Multi-party approval** console, you can view a list of your teams.

1. On the **Team** column, select the team with the draft you want to delete.

1. On the team page, select **Cancel draft** in the alert banner, if applicable.

1. On the team page, select **Delete draft** in the alert banner.

------
#### [ AWS CLI & AWS SDKs ]

**To delete a draft**

The method to delete a draft depends on its current state. For more information, see [Team health](team-health.md).

Use the [CancelSession](https://docs.aws.amazon.com/mpa/latest/APIReference/API_CancelSession.html) API for drafts in the following pending state:
+ Update pending approval

You can follow the steps for the AWS CLI & AWS SDKs in [Cancel session](cancel-session.md). When you use APIs to cancel the session associated with the draft, the draft is deleted.

Use the [DeleteInactiveApprovalTeamVersion](https://docs.aws.amazon.com/mpa/latest/APIReference/API_DeleteInactiveApprovalTeamVersion.html) API for drafts in the following failed states:
+ Update failed approval
+ Update failed validation
+ Update failed activation

You can follow the steps for the AWS CLI & AWS SDKs in [Delete team](delete-team.md) for inactive teams. An inactive team version is a draft that failed to become the active team version. Pass the `VersionID` of the `PendingUpdate` object, which represents the team draft.

------
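The draft workflow and the delete rules above together define a small decision procedure: what the draft changes, and which API removes it depends on its state. The following is an added example, not code from the Multi-party approval documentation or the AWS CLI. It reads the `PendingUpdate` object of a `get-approval-team` response (a constructed sample, so it runs offline), reports what the draft would change relative to the active team version, and picks the cleanup call: cancel the session for a draft pending approval, `DeleteInactiveApprovalTeamVersion` with the draft's `VersionId` for a draft in a failed state. Two assumptions are made: `StatusCode` is the upper-snake-case form of the state names this page uses in prose (for example `UPDATE_PENDING_APPROVAL`), and the CLI subcommand is the usual kebab-case form of the API operation name.

```python
"""Inspect a GetApprovalTeam response for a team draft and choose the cleanup call.

Added example; not code from the Multi-party approval documentation or the AWS CLI.
Field names follow the GetApprovalTeam response; StatusCode spellings are assumed.
"""
import json

TEAM_ARN = ("arn:aws:mpa:us-east-1:123456789012:approval-team/"
            "TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111")
ALICE, BOB, CAROL, DAVE = (  # constructed identity store UserIds
    "544894e8-80c1-707f-60e3-3ba6510dfac1", "a4b8c4d8-1111-7022-9f61-1c0e5a2b3c4d",
    "b4f8e4a8-2222-70d1-8e52-2d1f6b3c4d5e", "c4e8f4b8-3333-70e0-7d43-3e2a7c4d5e6f")

# Constructed sample `aws mpa get-approval-team` response: version 1 is active; the
# draft (version 2) adds an approver and raises the threshold, and was rejected.
SAMPLE_GET_APPROVAL_TEAM = {
    "Arn": TEAM_ARN,
    "Name": "TeamName",
    "Description": "Original description",
    "VersionId": "1",
    "StatusCode": "UPDATE_FAILED_APPROVAL",   # assumed spelling, see lead-in
    "ApprovalStrategy": {"MofN": {"MinApprovalsRequired": 2}},
    "Approvers": [{"PrimaryIdentityId": u} for u in (ALICE, BOB, CAROL)],
    "PendingUpdate": {
        "VersionId": "2",
        "StatusCode": "UPDATE_FAILED_APPROVAL",
        "Description": "Raise threshold to 3",
        "ApprovalStrategy": {"MofN": {"MinApprovalsRequired": 3}},
        "Approvers": [{"PrimaryIdentityId": u} for u in (ALICE, BOB, CAROL, DAVE)],
    },
}

# State names exactly as this page writes them; StatusCode is normalised to this form.
PENDING_APPROVAL = {"update pending approval"}
PENDING_ACTIVATION = {"update pending activation"}
FAILED = {"update failed approval", "update failed validation", "update failed activation"}


def _state(obj):
    """UPDATE_FAILED_APPROVAL -> 'update failed approval'."""
    return obj.get("StatusCode", "").strip().lower().replace("_", " ")


def _threshold(obj):
    try:
        return obj["ApprovalStrategy"]["MofN"]["MinApprovalsRequired"]
    except (KeyError, TypeError):
        return None


def draft_diff(response):
    """Return {field: (active, proposed)} for what the draft would change, so the
    administrator can confirm the pending request is the change actually intended."""
    draft = response.get("PendingUpdate") or {}
    changes = {}
    if "Description" in draft and draft["Description"] != response.get("Description"):
        changes["Description"] = (response.get("Description"), draft["Description"])
    old, new = _threshold(response), _threshold(draft)
    if new is not None and new != old:
        changes["MinApprovalsRequired"] = (old, new)
    if "Approvers" in draft:
        active = {a["PrimaryIdentityId"] for a in response.get("Approvers", [])}
        proposed = {a["PrimaryIdentityId"] for a in draft["Approvers"]}
        if proposed - active:
            changes["ApproversAdded"] = sorted(proposed - active)
        if active - proposed:
            changes["ApproversRemoved"] = sorted(active - proposed)
    return changes


def draft_action(response):
    """Return (action, argv). argv is the CLI command to run, or [] when there is
    nothing to run here (no draft, still waiting on invitations, or a session cancel)."""
    draft = response.get("PendingUpdate")
    if not draft:
        return "none", []
    state = _state(draft)
    if state in PENDING_APPROVAL:
        # CancelSession needs the session ARN, which this response does not carry;
        # the Cancel session page covers locating and cancelling it.
        return "cancel-session", []
    if state in PENDING_ACTIVATION:
        return "wait-for-invitations", []
    if state in FAILED:
        return "delete-inactive-version", [
            "aws", "mpa", "delete-inactive-approval-team-version",
            "--arn", response["Arn"], "--version-id", str(draft["VersionId"])]
    return "unknown:" + state, []


if __name__ == "__main__":
    print(json.dumps(draft_diff(SAMPLE_GET_APPROVAL_TEAM), indent=2))
    action, argv = draft_action(SAMPLE_GET_APPROVAL_TEAM)
    print(action, " ".join(argv))
```

Replace the sample with `json.load` of the real `aws mpa get-approval-team --arn ...` output. Reviewing `draft_diff` before deleting or re-submitting a draft is the useful part: a rejected draft that adds an unexpected approver or lowers the threshold is worth investigating, not just re-editing.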

## Considerations
<a name="update-team-considerations"></a>

**Updates require team approval**

Updates to an active team must be approved by the team. Updates that include inviting new approvers require both team approval and for every newly invited approver to accept the team invitation.

**One update at a time**

Multi-party approval allows only one pending update to a team at a time. You must cancel or resolve the previous update before you request another.

**Updating teams with inactive approvers**

If there are enough active approvers in a team to meet the approval threshold, the team can continue to operate. This includes removing inactive approvers, assigning new approvers, or adjusting the approval threshold.

If there are not enough active approvers, see [Team recovery](troubleshooting.md#team-recovery).

# Baseline an approval team
<a name="baseline-team"></a>

Baselining an approval team confirms that approvers can respond, and are responding, to the Multi-party approval sessions they are prompted for. The baseline feature allows the Multi-party approval administrator to select specific approvers or an entire team to baseline, based on the last activity of each approver.

Approval teams can decline in health for several reasons:
+ Natural attrition where approvers leave the organization.
+ Incorrect approvers selected by mistake.
+ Improper configuration of approval threshold and approver count.
+ Approvers becoming less engaged over time, missing approval windows or not responding.

Without regular review, approval thresholds and approval team compositions can become stale. Regular monitoring and adjustment of approval teams is necessary to maintain their effectiveness.

## Start an approval team baseline
<a name="baseline-team-steps"></a>

To baseline a team, complete the following steps.

 **Minimum permissions** 

To baseline a team, you need permission to run the following action:
+ `mpa:StartApprovalTeamBaseline`

If you are using the AWS Management Console, you also need permission to run the following actions:
+ `kms:Decrypt`
+ `organizations:DescribeOrganization`
+ `organizations:ListDelegatedAdministrators`
+ `sso:DescribeInstance`
+ `sso:GetSharedSsoConfiguration`
+ `sso:ListInstances`
+ `sso-directory:DescribeUsers`
+ `sso-directory:SearchUsers`

------
#### [ AWS Management Console ]

**To baseline a team**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. On the left navigation, choose **Multi-party approval**.

1. On the **Team** column, select a team to view its details.

1. On the team page, choose **Baseline approvers**.

1. On the **Baseline approvers** page, select one or more approvers you want to baseline. This will start a Multi-party approval session against the selected approvers.

1. After you have selected the approvers you want to baseline, choose **Baseline approvers**.

------
#### [ AWS CLI & AWS SDKs ]

**To baseline a team**  
You can use one of the following operations:
+ AWS CLI: [list-approval-teams](https://docs.aws.amazon.com/cli/latest/reference/mpa/list-approval-teams.html) and [start-approval-team-baseline](https://docs.aws.amazon.com/cli/latest/reference/mpa/start-approval-team-baseline.html)

  1. Run the following command to return a list of Amazon Resource Names (ARNs) for teams:

     ```
     $ C:\> aws mpa list-approval-teams
     ```

     This returns the `Arn` you need for `--arn` (Step 2).

  1. Run one of the following commands to start a baseline:

     **To baseline all approvers in a team:**

     ```
     $ C:\> aws mpa start-approval-team-baseline \
       --arn arn:aws:mpa:region:123456789012:approval-team/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
     ```

     **To baseline specific approvers:**

     ```
     $ C:\> aws mpa start-approval-team-baseline \
       --arn arn:aws:mpa:region:123456789012:approval-team/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
       --approver-ids approver-id-1 approver-id-2
     ```
     + **`--arn`**: Amazon Resource Name (ARN) for the approval team.
     + **`--approver-ids`** (Optional): One or more approver IDs to baseline. If not specified, all approvers in the team are baselined.

  1. (Optional) Run the following command to view the last activity information for each approver in the team:

     ```
     $ C:\> aws mpa get-approval-team \
       --arn arn:aws:mpa:region:123456789012:approval-team/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
     ```

     The response includes last activity information for each approver in the team.
+ AWS SDKs: [ListApprovalTeams](https://docs.aws.amazon.com/mpa/latest/APIReference/API_ListApprovalTeams.html) and [StartApprovalTeamBaseline](https://docs.aws.amazon.com/mpa/latest/APIReference/API_StartApprovalTeamBaseline.html)

------

**What to do next**  
After you start a baseline, approvers can accept the baseline by accessing the approver portal. You can monitor the baseline status and last activity information for each approver using the AWS CLI & AWS SDKs with the [get-approval-team](https://docs.aws.amazon.com/cli/latest/reference/mpa/get-approval-team.html) command, or by viewing the team details in the Multi-party approval console. For more information, see [View team](admin-view-team.md).

## Considerations
<a name="baseline-team-considerations"></a>

**Baselining starts a Multi-party approval session**

When you baseline approvers, a Multi-party approval session is created for the selected approvers. Approvers must respond to the baseline through the approver portal.

**Regular baselining is recommended**

Regular baselining helps maintain the health of your approval teams by identifying approvers who are no longer responsive. Use the last activity information returned by `GetApprovalTeam` to determine which approvers may need to be baselined or replaced.

# Share an approval team
<a name="share-team"></a>

Multi-party approval works with [AWS Resource Access Manager (AWS RAM)](https://aws.amazon.com/ram) to enable resource sharing. Sharing allows other AWS accounts to use or access approval teams you have created. For example, if you want the requester to have access to details about an approval session, you must share the associated approval team.

The shareable resource is called a `Multi-party Approval Team`.

For more information about AWS RAM, see the *[AWS RAM User Guide](https://docs.aws.amazon.com/ram/latest/userguide/)*.

**Topics**
+ [Prerequisites for sharing teams](#sharing-prereqs)
+ [Share a team](#sharing-share)
+ [Unshare a shared team](#sharing-unshare)
+ [Identify a shared team](#sharing-identify)

## Prerequisites for sharing teams
<a name="sharing-prereqs"></a>
+ To share a team, you must own it in your AWS account. This means that the resource must be allocated or provisioned in your account. You cannot share a team that has been shared with you.
+ To share a team with your organization or an organizational unit in AWS Organizations, you must enable sharing with AWS Organizations. For more information, see [ Enable Sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS RAM User Guide*.

## Share a team
<a name="sharing-share"></a>

To share a team, you must add it to a resource share. A resource share is an AWS RAM resource that lets you share your resources across AWS accounts. A resource share specifies the resources to share, and the consumers with whom they are shared. To add the team to a new resource share, you must first create the resource share using the [AWS RAM console](https://console.aws.amazon.com/ram).

If you are part of an organization in AWS Organizations and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared team. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared team after accepting the invitation.

 **Minimum permissions** 

To share a team, you need permission to run the following actions:
+ `ram:EnableSharingWithAwsOrganization` (If sharing within an organization) 
+ `ram:CreateResourceShare`

For step-by-step instructions, see [Creating a Resource Share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html) in the *AWS RAM User Guide*.

## Unshare a shared team
<a name="sharing-unshare"></a>

 **Minimum permissions** 

To unshare a team, you need permission to run the following action:
+ `ram:DisassociateResourceShare`

For step-by-step instructions, see [Deleting a Resource Share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-delete.html) in the *AWS RAM User Guide*.

## Identify a shared team
<a name="sharing-identify"></a>

 **Minimum permissions** 

To identify a shared team, you need permission to run the following action:
+ `mpa:ListApprovalTeams`

------
#### [ AWS Management Console ]

**To identify a shared team**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. On the left navigation, choose **Multi-party approval**.

1. On the **Multi-party approval** console, the **Owner** column shows the account that owns each team. A team whose owner is not your account has been shared with you.

------
#### [ AWS CLI & AWS SDKs ]

**To identify a shared team**  
You can use one of the following operations:
+ AWS CLI: [list-approval-teams](https://docs.aws.amazon.com/cli/latest/reference/mpa/list-approval-teams.html)

  Run the following command to return a list of Amazon Resource Names (ARNs) for your teams:

  ```
  $ aws mpa list-approval-teams
  ```

  The ARN includes the account ID, which you can use to identify the owner. For example, `arn:aws:mpa:region:123456789012:approval-team/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`.

  In this example, if `123456789012` is your account ID, you are the owner. If not, the team has been shared with you.
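  The following added example (not code from the Multi-party approval documentation) automates the ownership check above and applies it before sharing. It parses the team ARN layout shown on this page, classifies each team as owned or shared, and refuses locally to share a team that another account shared with you, which is the prerequisite stated in [Prerequisites for sharing teams](#sharing-prereqs). The boto3 `mpa` client, the `ApprovalTeams`/`Arn` response fields, and the `NextToken` pagination are assumptions; `boto3.client("ram").create_resource_share` and its `allowExternalPrincipals` parameter are the AWS RAM API.

  ```python
  """Classify approval teams as owned or shared, and share a team safely via AWS RAM.

  Added example, not code from the Multi-party approval documentation. The boto3
  'mpa' client, the ListApprovalTeams response key 'ApprovalTeams' and its 'Arn'
  field are assumptions; the team ARN layout follows the example ARN on this page.
  """
  import re
  from dataclasses import dataclass

  # arn:<partition>:mpa:<region>:<account-id>:approval-team/<name>-<uuid>
  TEAM_ARN_RE = re.compile(
      r"^arn:(?P<partition>aws(?:-[a-z]+)*):mpa:(?P<region>[a-z0-9-]+):"
      r"(?P<account>\d{12}):approval-team/(?P<name>[^/]+)$"
  )


  @dataclass(frozen=True)
  class TeamOwnership:
      arn: str
      owner_account: str
      shared: bool  # True when another account owns the team and shared it with you


  def parse_team_arn(arn):
      """Split a Multi-party Approval Team ARN into its parts; reject anything else."""
      match = TEAM_ARN_RE.match(arn)
      if not match:
          raise ValueError(f"not a Multi-party approval team ARN: {arn!r}")
      return match.groupdict()


  def classify_teams(team_arns, my_account):
      """Mark each team as owned by my_account or shared from another account."""
      result = []
      for arn in team_arns:
          owner = parse_team_arn(arn)["account"]
          result.append(TeamOwnership(arn, owner, shared=(owner != my_account)))
      return result


  def share_team(team_arn, principals, my_account, share_name, ram_client=None):
      """Put a team you own into a new AWS RAM resource share.

      Refuses to share a team that was shared with you (only the owning account can
      share it). External principals are disabled so the share cannot reach accounts
      outside your organization.
      """
      owner = parse_team_arn(team_arn)["account"]
      if owner != my_account:
          raise PermissionError(f"team {team_arn} is owned by {owner}, not {my_account}")
      if ram_client is None:
          import boto3  # imported lazily so the module loads without boto3 installed
          ram_client = boto3.client("ram")
      return ram_client.create_resource_share(
          name=share_name,
          resourceArns=[team_arn],
          principals=list(principals),
          allowExternalPrincipals=False,
      )


  def live_team_arns():
      """Fetch every team ARN visible to this account (assumed 'mpa' client and response shape)."""
      import boto3
      mpa = boto3.client("mpa")
      arns, token = [], None
      while True:
          page = mpa.list_approval_teams(**({"NextToken": token} if token else {}))
          arns.extend(team["Arn"] for team in page.get("ApprovalTeams", []))
          token = page.get("NextToken")
          if not token:
              return arns


  # Constructed sample: two teams as list-approval-teams might return them (not real data).
  SAMPLE_ARNS = [
      "arn:aws:mpa:region:123456789012:approval-team/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "arn:aws:mpa:region:210987654321:approval-team/Payments-b2c3d4e5-6789-01ab-cdef-EXAMPLE22222",
  ]

  if __name__ == "__main__":
      my_account = "123456789012"  # live: boto3.client("sts").get_caller_identity()["Account"]
      for team in classify_teams(SAMPLE_ARNS, my_account):
          print(f"shared from {team.owner_account}" if team.shared else "owned", team.arn)
  ```

  Keeping `allowExternalPrincipals=False` is the safer default for an approval team: a share that accepts external principals lets an account outside your organization see session details for the team.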
+ AWS SDKs: [ListApprovalTeams](https://docs.aws.amazon.com/mpa/latest/APIReference/API_ListApprovalTeams.html)

------

# Delete an approval team
<a name="delete-team"></a>

When you sign in to your organization's management account, you can request to delete your approval teams by navigating to the Multi-party approval console. This creates an approval session for the request if the team is active.

## Delete an approval team
<a name="delete-team-steps"></a>

To delete a team, complete the following steps.

 **Minimum permissions** 

To delete a team, you need permission to run the following actions:
+ `mpa:DeleteInactiveApprovalTeamVersion` (If deleting an inactive team)
+ `mpa:StartActiveApprovalTeamDeletion` (If deleting an active team)

If you are using the AWS Management Console, you also need permission to run the following actions:
+ `kms:Decrypt`
+ `organizations:DescribeOrganization`
+ `organizations:ListDelegatedAdministrators`
+ `sso:DescribeInstance`
+ `sso:GetSharedSsoConfiguration`
+ `sso:ListInstances`
+ `sso-directory:DescribeUsers`
+ `sso-directory:SearchUsers`

------
#### [ AWS Management Console ]

**To delete a team**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. On the left navigation, choose **Multi-party approval**.

1. On the **Team** column, select a team to view its details.

1. On the team page, choose **Delete**.

1. On the **Delete team** dialog box, confirm the deletion and choose **Delete approval team**.

------
#### [ AWS CLI & AWS SDKs ]

**To delete a team**  
You can use one of the following operations:
+ AWS CLI: [list-approval-teams](https://docs.aws.amazon.com/cli/latest/reference/mpa/list-approval-teams.html), [start-active-approval-team-deletion](https://docs.aws.amazon.com/cli/latest/reference/mpa/start-active-approval-team-deletion.html), and [delete-inactive-approval-team-version](https://docs.aws.amazon.com/cli/latest/reference/mpa/delete-inactive-approval-team-version.html)

  1. Run the following command to return a list of Amazon Resource Names (ARNs) for your teams:

     ```
     $ aws mpa list-approval-teams
     ```

  1. **For active teams**

     Run the following command to request to delete an active team:

     ```
     $ aws mpa start-active-approval-team-deletion \
       --arn arn:aws:mpa:region:123456789012:approval-team/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
     ```

     **For inactive teams**

     Run the following command to get the version ID:

     ```
     $ aws mpa get-approval-team --arn arn:aws:mpa:region:123456789012:approval-team/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
     ```

     Run the following command to delete an inactive team:

     ```
     $ aws mpa delete-inactive-approval-team-version \
       --arn arn:aws:mpa:region:123456789012:approval-team/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
       --version-id string
     ```
+ AWS SDKs: [ListApprovalTeams](https://docs.aws.amazon.com/mpa/latest/APIReference/API_ListApprovalTeams.html), [StartActiveApprovalTeamDeletion](https://docs.aws.amazon.com/mpa/latest/APIReference/API_StartActiveApprovalTeamDeletion.html), and [DeleteInactiveApprovalTeamVersion](https://docs.aws.amazon.com/mpa/latest/APIReference/API_DeleteInactiveApprovalTeamVersion.html)

------

**What to do next**  
After you request to delete an active team, you can monitor the team status in the Multi-party approval console or using the AWS CLI & AWS SDKs. For more information, see [View team](admin-view-team.md). To cancel a request, see [Cancel session](cancel-session.md).

## Considerations
<a name="delete-team-considerations"></a>

**Deletions of active teams require team approval**

The request to delete an active team must be approved by the team. If the team is inactive, you do not need team approval.

**Teams can be deleted even when protecting resources**

A team can still be deleted even when it is protecting resources. The service integration provides workflows for reassigning protected resources to available teams.

For information, see the **Learn More** column in [What operations are currently supported with Multi-party approval](what-is.md#mpa-integrations-supported).

# Cancel an approval session
<a name="cancel-session"></a>

When you sign in to your organization's management account, you can cancel an approval session by navigating to the Multi-party approval console.

As the Multi-party approval administrator, you can cancel unnecessary sessions, including those created by mistake or for team updates and deletions that are no longer needed.

## Cancel a session
<a name="cancel-session-steps"></a>

To cancel an approval session, complete the following steps.

 **Minimum permissions** 

To cancel a session, you need permission to run the following action:
+ `mpa:CancelSession`

If you are using the AWS Management Console, you also need permission to run the following actions:
+ `kms:Decrypt`
+ `organizations:DescribeOrganization`
+ `organizations:ListDelegatedAdministrators`
+ `sso:DescribeInstance`
+ `sso:GetSharedSsoConfiguration`
+ `sso:ListInstances`
+ `sso-directory:DescribeUsers`
+ `sso-directory:SearchUsers`

------
#### [ AWS Management Console ]

**To cancel a team update or deletion**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. On the left navigation, choose **Multi-party approval**.

1. On the **Team** column, select the team that has the pending update or deletion to view its details.

1. On the team page, choose **Cancel edits** or **Cancel delete**.

1. (For cancel edits) On the **Cancel team edits** dialog box, confirm the cancellation and choose **Cancel edits**.

------
#### [ AWS CLI & AWS SDKs ]

**To cancel a session**  
You can use one of the following operations:
+ AWS CLI: [list-approval-teams](https://docs.aws.amazon.com/cli/latest/reference/mpa/list-approval-teams.html), [get-approval-team](https://docs.aws.amazon.com/cli/latest/reference/mpa/get-approval-team.html), and [cancel-session](https://docs.aws.amazon.com/cli/latest/reference/mpa/cancel-session.html)

  1. Run the following command to return a list of Amazon Resource Names (ARNs) for your teams:

     ```
     $ aws mpa list-approval-teams
     ```

  1. Run the following command to view the team details and find the Amazon Resource Name (ARN) of the session for the pending update or deletion:

     ```
     $ aws mpa get-approval-team --arn arn:aws:mpa:region:123456789012:approval-team/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
     ```

  1. Run the following command to cancel a session:

     ```
     $ aws mpa cancel-session \
       --arn arn:aws:mpa:region:123456789012:session/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
     ```
+ AWS SDKs: [ListApprovalTeams](https://docs.aws.amazon.com/mpa/latest/APIReference/API_ListApprovalTeams.html), [GetApprovalTeam](https://docs.aws.amazon.com/mpa/latest/APIReference/API_GetApprovalTeam.html), and [CancelSession](https://docs.aws.amazon.com/mpa/latest/APIReference/API_CancelSession.html)
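The following added example (not code from the Multi-party approval documentation) wraps the [Delete an approval team](#delete-team-steps) and [Cancel a session](#cancel-session-steps) procedures in one state-driven planner, so a script cannot call the wrong deletion operation or try to cancel a session that is not pending approval. It assumes the `get-approval-team` response carries `Arn`, `Status` (`ACTIVE` or `INACTIVE` for the two deletion paths), `StatusCode` (spelled `UPDATE_PENDING_APPROVAL` and `DELETE_PENDING_APPROVAL` for the two cancelable states) and `VersionId`, and that the boto3 `mpa` client exposes the three operations with parameters matching the CLI options shown above. Refusing to start a deletion while a session is already pending is a conservative local rule of this example, not a documented service behavior.

```python
"""Plan and run the administrator's delete or cancel call from a team's current state.

Added example, not code from the Multi-party approval documentation. The response
fields 'Arn', 'Status', 'StatusCode', 'VersionId', the status code spellings, and
the boto3 'mpa' operation names and parameters are assumptions modeled on the CLI
options in this guide.
"""

CANCELABLE = {"UPDATE_PENDING_APPROVAL", "DELETE_PENDING_APPROVAL"}


def plan_admin_action(team, action, session_arn=None):
    """Return (operation, kwargs) for the call that `action` needs, or raise if it does not apply."""
    arn, status, code = team["Arn"], team["Status"], team.get("StatusCode")
    if action == "delete":
        if status == "ACTIVE":
            if code in CANCELABLE:
                # Conservative local rule: resolve or cancel the open session before
                # stacking a deletion request on top of it.
                raise RuntimeError(f"{arn} has a pending session ({code}); cancel it first")
            return "start_active_approval_team_deletion", {"Arn": arn}
        if status == "INACTIVE":
            # Inactive teams are deleted per version, so the version ID is mandatory.
            return "delete_inactive_approval_team_version", {"Arn": arn, "VersionId": team["VersionId"]}
        raise RuntimeError(f"{arn} is {status}; no deletion path applies")
    if action == "cancel":
        if code not in CANCELABLE:
            # Only sessions in update/delete pending approval can be canceled.
            raise RuntimeError(f"{arn} has no cancelable session (status code {code})")
        if not session_arn:
            raise ValueError("session_arn is required to cancel a session")
        return "cancel_session", {"Arn": session_arn}
    raise ValueError(f"unknown action {action!r}")


def run(plan, client=None):
    """Execute a plan against a boto3 'mpa' client (or any object exposing the same methods)."""
    if client is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        client = boto3.client("mpa")
    operation, kwargs = plan
    return getattr(client, operation)(**kwargs)


# Constructed sample responses shaped like get-approval-team output (not real data).
TEAM_ARN = "arn:aws:mpa:region:123456789012:approval-team/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
SESSION_ARN = "arn:aws:mpa:region:123456789012:session/TeamName-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
ACTIVE_TEAM = {"Arn": TEAM_ARN, "Status": "ACTIVE", "VersionId": "3"}
PENDING_DELETE_TEAM = {"Arn": TEAM_ARN, "Status": "ACTIVE", "StatusCode": "DELETE_PENDING_APPROVAL", "VersionId": "3"}
INACTIVE_TEAM = {"Arn": TEAM_ARN, "Status": "INACTIVE", "VersionId": "1"}

if __name__ == "__main__":
    # Dry run: print what would be called. Pass no client to run() to execute for real.
    print(plan_admin_action(ACTIVE_TEAM, "delete"))
    print(plan_admin_action(INACTIVE_TEAM, "delete"))
    print(plan_admin_action(PENDING_DELETE_TEAM, "cancel", SESSION_ARN))
```

Feed `plan_admin_action` the parsed JSON from `aws mpa get-approval-team`, review the printed plan, and only then call `run`; the planner never performs the call itself, which keeps the irreversible step explicit.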

------

**What to do next**  
After you cancel a team update or deletion, the team continues to function with its existing details. The version ID for the team does not change.

## Considerations
<a name="cancel-session-considerations"></a>

**Only sessions pending approval can be canceled**

You can only cancel sessions in the *update pending approval* or *delete pending approval* state.

For more information about statuses, see [Team health](team-health.md).

# Disable Multi-party approval
<a name="delete-identity-source"></a>

When you sign in to your organization's management account, you can disable Multi-party approval by navigating to the Multi-party approval console and deleting the Multi-party approval identity source.

## Delete an identity source
<a name="delete-identity-source-steps"></a>

To delete an identity source, complete the following steps.

 **Minimum permissions** 

To delete an identity source, you need permission to run the following actions:
+ `kms:Decrypt`
+ `mpa:DeleteIdentitySource`
+ `sso:DeleteApplication`
+ `sso:DescribeApplication`
+ `sso:DescribeInstance`
+ `sso:ListInstances`
+ `sso:PutApplicationAccessScope`
+ `sso:PutApplicationAssignmentConfiguration`
+ `sso:PutApplicationAuthenticationMethod`
+ `sso:PutApplicationGrant`

If you are using the AWS Management Console, you also need permission to run the following actions:
+ `kms:Decrypt`
+ `organizations:DescribeOrganization`
+ `organizations:ListDelegatedAdministrators`
+ `sso:DescribeInstance`
+ `sso:GetSharedSsoConfiguration`
+ `sso:ListInstances`

------
#### [ AWS Management Console ]

**To delete an identity source**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. On the left navigation, choose **Multi-party approval**.

1. On the **Multi-party approval** console, select an identity source and choose **Delete**.

1. On the **Delete identity source** dialog box, confirm the deletion and choose **Delete identity source**.

------
#### [ AWS CLI & AWS SDKs ]

**To delete an identity source**  
You can use one of the following operations:
+ AWS CLI: [list-identity-sources](https://docs.aws.amazon.com/cli/latest/reference/mpa/list-identity-sources.html) and [delete-identity-source](https://docs.aws.amazon.com/cli/latest/reference/mpa/delete-identity-source.html)

  1. Run the following command to return a list of Amazon Resource Names (ARNs) for your identity sources:

     ```
     $ aws mpa list-identity-sources
     ```

  1. Run the following command to delete an identity source:

     ```
     $ aws mpa delete-identity-source \
       --identity-source-arn arn:aws:mpa:region:123456789012:identity-sources/IamIdentityCenter
     ```
+ AWS SDKs: [ListIdentitySources](https://docs.aws.amazon.com/mpa/latest/APIReference/API_ListIdentitySources.html) and [DeleteIdentitySource](https://docs.aws.amazon.com/mpa/latest/APIReference/API_DeleteIdentitySource.html)

------

**What to do next**  
You can re-enable Multi-party approval at any time. For more information, see [Setting up Multi-party approval](setting-up.md).

## Considerations
<a name="delete-identity-source-considerations"></a>

**Identity sources cannot be deleted when there are dependent approvers**

You cannot delete a Multi-party approval identity source when the identity source is managing the user authentication for approvers who are currently in approval teams.

To delete an identity source, you must first delete all teams associated with the identity source. For more information, see [Delete team](delete-team.md).

**Deleted IAM Identity Center instance**

If you deleted the IAM Identity Center instance connected to your identity source, you can still delete the Multi-party approval identity source. However, if you have active approval teams when the IAM Identity Center instance is deleted, these teams become non-functional: approvers can no longer access the Multi-party approval portal to vote on sessions. To restore functionality, create a new IAM Identity Center instance with users, connect it by creating a new identity source, and then follow the approval team recovery process.

For steps to recover approval teams that are in an error state, see [Troubleshooting](troubleshooting.md).