# Managing users
<a name="transform-user-management"></a>

AWS Transform integrates with IAM Identity Center for user management. This section describes how to add users to IAM Identity Center and grant them access to AWS Transform.

## Adding users in IAM Identity Center
<a name="transform-add-idc-users"></a>

To add users in IAM Identity Center:

1. Navigate to the IAM Identity Center console.

1. In the navigation pane, choose **Users**.

1. Choose **Add user**.

1. Enter the required information:
   + **Username** - A unique identifier for the user (cannot be changed later)
   + **Email address** - The user's email address
   + **First name** and **Last name** - The user's name
   + **Display name** - The name that appears in the user list

1. For **Password**, choose how the user receives their password:
   + **Send an email** - Send setup instructions via email
   + **Generate a one-time password** - Create a password to share manually

1. Choose **Next** to review the user information.

1. Review the details and choose **Add user**.

After the user is added, they'll receive an email invitation to set up their IAM Identity Center account. The invitation link is valid for 7 days.

You can also learn about working with IAM Identity Center and AWS Transform in this video:

[![AWS Videos](https://img.youtube.com/vi/NesMt5cgT0s/0.jpg)](https://www.youtube.com/watch?v=NesMt5cgT0s)


## Adding users to AWS Transform
<a name="transform-add-transform-users"></a>

After adding users to IAM Identity Center, you can grant them access to AWS Transform:

1. Return to the AWS Transform console.

1. In the navigation pane, choose **Users and groups**.

1. Select the **Users** tab or the **Groups** tab.

1. Search for and select the users or groups that you want to add from IAM Identity Center.

1. Choose **Assign users and groups** to grant the selected users or groups access to AWS Transform.

After adding users, they appear in the **Users** list with a status of "Pending" until they accept the invitation and sign in.

# Understanding collaborator permissions
<a name="collaborator-permissions"></a>

AWS Transform uses a workspace-based permission model to control access to resources and actions. Each user is assigned a specific role within a workspace, which determines what actions they can perform. A user can have different roles in different workspaces.

## User roles
<a name="user-roles"></a>

AWS Transform supports five user roles within each workspace. Roles apply in the context of a workspace, so a user is assigned a role in each workspace they are a member of. The permissions defined for each role are workspace agnostic: user A with the Administrator role in workspace A has the same permissions as user B with the Administrator role in workspace B.

## Role permissions
<a name="permission-table"></a>

Detailed permissions for each role:


| Action | ResourceType | Admin | Approver | Contributor | ReadOnly | 
| --- | --- | --- | --- | --- | --- | 
| Create | Workspace | ✓ | ✓ | ✓ | ✓ | 
| List | Workspace | ✓ | ✓ | ✓ | ✓ | 
| Get | Workspace | ✓ | ✓ | ✓ | ✓ | 
| Update | Workspace | ✓ | ✗ | ✗ | ✗ | 
| Delete | Workspace | ✓ | ✗ | ✗ | ✗ | 
| Create | ChatMessage | ✓ | ✓ | ✓ | ✗ | 
| Read | ChatMessage | ✓ | ✓ | ✓ | ✓ | 
| Create | RoleAssociation | ✓ | ✗ | ✗ | ✗ | 
| Read | RoleAssociation | ✓ | ✓ | ✓ | ✓ | 
| Update | RoleAssociation | ✓ | ✗ | ✗ | ✗ | 
| Delete | RoleAssociation | ✓ | ✗ | ✗ | ✗ | 
| Read | CriticalHITLTask | ✓ | ✓ | ✓ | ✓ | 
| Update | CriticalHITLTask | ✓ | ✓ | ✗ | ✗ | 
| Delete | CriticalHITLTask | ✓ | ✓ | ✗ | ✗ | 
| Read | HITLTask | ✓ | ✓ | ✓ | ✓ | 
| Update | HITLTask | ✓ | ✓ | ✓ | ✗ | 
| Delete | HITLTask | ✓ | ✓ | ✓ | ✗ | 
| Create | Job | ✓ | ✓ | ✓ | ✗ | 
| Read | Job | ✓ | ✓ | ✓ | ✓ | 
| Update | Job | ✓ | ✓ | ✓ | ✗ | 
| Delete | Job | ✓ | ✓ | ✓ | ✗ | 
| Read | Worklog | ✓ | ✓ | ✓ | ✓ | 
| Create | Artifact | ✓ | ✓ | ✓ | ✗ | 
| Read | Artifact | ✓ | ✓ | ✓ | ✓ | 
| Update | Artifact | ✓ | ✓ | ✓ | ✗ | 
| Delete | Artifact | ✓ | ✓ | ✓ | ✗ | 
| Create | Connector | ✓ | ✓ | ✓ | ✗ | 
| Read | Connector | ✓ | ✓ | ✓ | ✓ | 
| Update | Connector | ✓ | ✓ | ✓ | ✗ | 
| Delete | Connector | ✓ | ✓ | ✓ | ✗ | 

## Human-in-the-loop (HITL) actions
<a name="hitl-actions"></a>

AWS Transform provides two types of HITL actions, standard and critical:

Standard HITL actions  
These are routine actions that can be performed by users with the Contributor, Approver, or Administrator role.

Critical HITL actions  
These are actions with significant impact, and thus require a higher permission level. Examples include:
+ Merging code to main branches
+ Performing graph decomposition
+ Deploying code to production environments

Critical HITL actions can only be performed by users with the Approver or Administrator role.

So that AuthZ policies can distinguish standard HITL actions from critical HITL actions, AWS Transform provides two separate HITL APIs: one for completing a standard HITL action and one for completing a critical HITL action.
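The following is an added example, not AWS Transform code or its API: it transcribes the role permission table above into a default-deny, workspace-scoped authorization check, models the two HITL completion paths as distinct resource types (`HITLTask` versus `CriticalHITLTask`, as the table names them), and audits the matrix for a property a reviewer would expect of a role hierarchy (nothing a lower role may do is denied to a higher one). The function names, the `Memberships` layout and the sample users and workspace names are this example's own assumptions.

```python
"""Workspace-scoped role checks modelled on the AWS Transform permission table.

Added example, not AWS code. The matrix below transcribes the documented table;
function names, data layout and sample data are assumptions of this example.
"""
from typing import Dict, FrozenSet, List, Tuple

# Column order of the documented table, most to least privileged.
ROLES: Tuple[str, ...] = ("Admin", "Approver", "Contributor", "ReadOnly")

# One character per role in ROLES order: "Y" = allowed, "-" = denied.
_TABLE_TEXT = """
Create Workspace         YYYY
List   Workspace         YYYY
Get    Workspace         YYYY
Update Workspace         Y---
Delete Workspace         Y---
Create ChatMessage       YYY-
Read   ChatMessage       YYYY
Create RoleAssociation   Y---
Read   RoleAssociation   YYYY
Update RoleAssociation   Y---
Delete RoleAssociation   Y---
Read   CriticalHITLTask  YYYY
Update CriticalHITLTask  YY--
Delete CriticalHITLTask  YY--
Read   HITLTask          YYYY
Update HITLTask          YYY-
Delete HITLTask          YYY-
Create Job               YYY-
Read   Job               YYYY
Update Job               YYY-
Delete Job               YYY-
Read   Worklog           YYYY
Create Artifact          YYY-
Read   Artifact          YYYY
Update Artifact          YYY-
Delete Artifact          YYY-
Create Connector         YYY-
Read   Connector         YYYY
Update Connector         YYY-
Delete Connector         YYY-
"""

Matrix = Dict[Tuple[str, str], FrozenSet[str]]
# user -> workspace -> role; a user may hold different roles in different workspaces.
Memberships = Dict[str, Dict[str, str]]


def parse_matrix(text: str = _TABLE_TEXT) -> Matrix:
    """Turn the flag table into {(action, resource_type): roles allowed}."""
    matrix: Matrix = {}
    for line in text.strip().splitlines():
        action, resource, flags = line.split()
        if len(flags) != len(ROLES):
            raise ValueError(f"row has wrong number of role columns: {line!r}")
        matrix[(action, resource)] = frozenset(
            role for role, flag in zip(ROLES, flags) if flag == "Y")
    return matrix


PERMISSIONS: Matrix = parse_matrix()

# Constructed sample data (hypothetical users and workspace ids).
SAMPLE_MEMBERSHIPS: Memberships = {
    "alice": {"ws-payments": "Admin", "ws-inventory": "ReadOnly"},
    "bob": {"ws-payments": "Contributor"},
    "carol": {"ws-payments": "Approver"},
}


def authorize(memberships: Memberships, user: str, workspace: str,
              action: str, resource: str) -> bool:
    """Default deny: the user's role in *this* workspace must appear in the row.

    Non-members, unknown roles and unknown (action, resource) pairs are denied.
    """
    role = memberships.get(user, {}).get(workspace)
    if role is None:
        return False
    return role in PERMISSIONS.get((action, resource), frozenset())


def complete_standard_hitl(memberships: Memberships, user: str, workspace: str) -> bool:
    """Models the standard-HITL completion API as an Update on a HITLTask."""
    return authorize(memberships, user, workspace, "Update", "HITLTask")


def complete_critical_hitl(memberships: Memberships, user: str, workspace: str) -> bool:
    """Models the critical-HITL completion API as an Update on a CriticalHITLTask."""
    return authorize(memberships, user, workspace, "Update", "CriticalHITLTask")


def audit_matrix(matrix: Matrix = PERMISSIONS) -> List[str]:
    """Report rows where a lower role is allowed something the next higher role is denied."""
    problems: List[str] = []
    for (action, resource), allowed in sorted(matrix.items()):
        for higher, lower in zip(ROLES, ROLES[1:]):
            if lower in allowed and higher not in allowed:
                problems.append(f"{action} {resource}: {lower} allowed but {higher} denied")
    return problems


if __name__ == "__main__":
    print("bob completes standard HITL:", complete_standard_hitl(SAMPLE_MEMBERSHIPS, "bob", "ws-payments"))
    print("bob completes critical HITL:", complete_critical_hitl(SAMPLE_MEMBERSHIPS, "bob", "ws-payments"))
    print("alice deletes ws-inventory:", authorize(SAMPLE_MEMBERSHIPS, "alice", "ws-inventory", "Delete", "Workspace"))
    print("hierarchy violations:", audit_matrix() or "none")
```

Keeping the two HITL paths as separate resource types, rather than a flag on one call, is what lets a policy grant Contributors the standard path while reserving the critical one for Approvers and Administrators; the `audit_matrix` check is the kind of invariant to run whenever such a table is edited, since a single flipped cell can silently hand a lower role an action the table denies to a higher one.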