Domain units and authorization policies in Amazon SageMaker Unified Studio - Amazon SageMaker Unified Studio

Amazon SageMaker Unified Studio is in preview release and is subject to change.

Use domain units to easily organize your assets and other domain entities under specific business units and teams. To set up secure and efficient data sharing within and across the business units of your organization, create domain units within Amazon SageMaker Unified Studio and enable selected users within each business unit to log in and share their assets to the catalog. Users from anywhere in the enterprise can easily search for assets under those business units and request access to those assets.

Domain units can also be used to enable resource owners, such as AWS account owners, to set up Amazon SageMaker Unified Studio authorization permissions on their resources. Domain units delegate authority from account owners to domain unit owners, who can then set up authorization permissions on environment profiles (created using blueprint configurations) on behalf of the account owners. This allows you to limit who can create and use which environment profiles depending on the business units to which they belong. Amazon SageMaker Unified Studio authorization permissions can also be used to enforce metadata standards and enable only selected projects to create metadata forms and glossaries. This can help maintain consistent, high-quality metadata. For more information, see Amazon SageMaker Unified Studio terminology and concepts.

Within an Amazon SageMaker Unified Studio domain unit, you can assign the following authorization policies to your users and groups to grant them specific permissions:

  • Domain unit creation policy

  • Project creation policy

  • Project membership policy

  • Domain unit ownership assumption policy

  • Project ownership assumption policy

Within an Amazon SageMaker Unified Studio domain unit, you can assign the following authorization policies to your projects to grant them specific permissions:

  • Glossary creation policy

  • Metadata forms creation policy

  • Custom asset type creation policy