Domain units and authorization
policies in Amazon SageMaker Unified Studio
Use domain units to organize your assets and other domain entities under specific business units and teams. To set up secure and efficient data sharing within and across business units of your organization, create domain units within Amazon SageMaker Unified Studio and grant access to selected users within each business unit so they can log in and share their assets to the catalog. Users from anywhere in the enterprise can search for assets under those business units and request access to those assets.
Resource owners such as AWS account owners can use domain units to set up Amazon SageMaker Unified Studio authorization permissions on their resources. Domain units provide a delegated authority from account owners to domain unit owners, and they can set up authorization permissions on environment profiles (created using blueprint configurations) on behalf of account owners. This way, you can limit who can create and use environment profiles depending on the business units to which they belong. Amazon SageMaker Unified Studio authorization permissions can also be used to enforce metadata standards and enable only selected projects to create metadata forms and glossary. This can help maintain consistent and quality metadata. For more information, see Amazon SageMaker Unified Studio terminology and concepts.
Within an Amazon SageMaker Unified Studio domain unit, you can assign the following authorization policies to your users and groups to grant them specific permissions:
-
Domain unit creation policy
-
Project creation policy
-
Project membership policy
-
Domain unit ownership assumption policy
-
Project ownership assumption policy
Within an Amazon SageMaker Unified Studio domain unit, you can assign the following authorization policies to your projects to grant them specific permissions:
-
Glossary creation policy
-
Metadata forms creation policy
-
Custom asset type creation policy
Topics
