

# Assign authorization policies to users and groups within an Amazon DataZone domain unit
<a name="assign-authorization-policies-to-users-in-domain-unit"></a>

In Amazon DataZone, domain units enable you to organize your assets and other domain entities under specific business units and teams. For more information, see [Amazon DataZone terminology and concepts](datazone-concepts.md). 

In an Amazon DataZone domain unit, you can assign the following authorization policies to your users and groups to grant them various authorization permissions within this domain unit:
+ Domain unit creation policy
+ Project creation policy
+ Project membership policy
+ Domain unit ownership assumption policy
+ Project ownership assumption policy

To assign authorization policies to users and groups within a domain unit, complete the following procedure:

1. Navigate to the Amazon DataZone data portal URL and sign in using single sign-on (SSO) or your AWS credentials. If you’re an Amazon DataZone administrator, you can navigate to the Amazon DataZone console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and sign in with the AWS account where the domain was created, then choose **Open data portal**.

1. Choose **View domains** and choose the domain and the domain unit where you want to assign authorization policies.

1. On the domain unit details page, choose the authorization policy that you want to assign to users/groups and then choose **Add users**.

1. In the **Add users** pop-up window, do one of the following:
   + Choose **Selected users and groups**, specify users and groups to which you want to assign the selected authorization policy, and then choose **Add users**.
   + Choose **All users** and then choose **Add users**.
   + Choose **All groups** and then choose **Add users**.

1. You can also enable or disable the cascade permissions of the selected authorization policy for the selected users. To do so, choose the user(s) for which you want to enable the cascade permissions, expand **Actions**, and then choose **Set cascade permissions to true**. The selected users will have the permissions granted by this policy in all child domain units under this domain unit. Alternatively, choose the user(s) for which you want to disable the cascade permissions, expand **Actions**, and then choose **Set cascade permissions to false**.

# Project membership policy in the hierarchy of domain units in Amazon DataZone
<a name="projectmembershippolicy"></a>

The project membership policy defines the individuals or groups that are eligible to be added as members to projects within a domain unit. This topic describes scenarios that show the effect of the policy on an individual domain unit and on domain units in a hierarchical structure. 

It's important to note several concepts that are used in this topic:
+ Membership pool - the principals (users or groups) that are granted access through the project membership policy are considered part of the project membership pool. For instance, if the policy for domain unit DU1 is granted to users U1 and U2, as well as the Single Sign-On (SSO) group G1, the project membership pool for DU1 would consist of {U1, U2, G1}.
+ Cascade - the ability to pass the grant down to all child domain units connected through the domain unit hierarchy. 
+ Grant - the permission for a user or group to perform an action. 

**Scenario 1** - any user or group can be added to the project under Domain Unit 1 as the membership pool consists of {All Users/Groups}.

![\[Project membership policy in the hierarchy of domain units\]](http://docs.aws.amazon.com/datazone/latest/userguide/images/scenario1.png)


**Scenario 2** - Users {U1, G1} can be added to the project under Domain Unit 2 since they are part of the membership pool under Domain Unit 2. Users {U3, G2} cannot be added to any project as they are not part of the membership pool.

![\[Project membership policy in the hierarchy of domain units\]](http://docs.aws.amazon.com/datazone/latest/userguide/images/scenario2.png)


**Scenario 3** - Intersection of membership pools: when there are membership pools at different domain unit hierarchy levels, only the users and groups that are in all of the membership pools can be added to the project.

![\[Project membership policy in the hierarchy of domain units\]](http://docs.aws.amazon.com/datazone/latest/userguide/images/scenario3.png)

+ The intersection of users across both membership pools is {U1, U2, G1}.
+ Users {U1, U2, G1} can be added to the project under Domain Unit 3.
+ Users {U3, G2} cannot be added to the project under Domain Unit 3 even with All Users and All Groups being in the membership pool at the Root Domain unit level.

**Scenario 4** - Intersection of membership pools: when there are membership pools at different domain unit hierarchy levels, only the users and groups that are in all of the membership pools can be added to the project.

![\[Project membership policy in the hierarchy of domain units\]](http://docs.aws.amazon.com/datazone/latest/userguide/images/scenario4.png)

+ The intersection of users across both membership pools is {U1, U2, G1}.
+ The membership pool at Domain Unit 4 is {All Users / Groups}, but the membership pool cannot expand beyond the membership pool at the Root Domain, {U1, U2, G1}. 
+ Users {U3, G2} cannot be added to the project under Domain Unit 4 even with All Users and All Groups being in the membership pool at Domain Unit 4.

**Scenario 5** - Users {U1, G1} can be added to Project 5 as they are part of the intersection of the membership pools of the Root Domain and Domain Unit 5. No user or group can be added to Project 6 as the intersection of the three membership pools is empty.

![\[Project membership policy in the hierarchy of domain units\]](http://docs.aws.amazon.com/datazone/latest/userguide/images/scenario5.png)


**Scenario 6** - The intersection across all three membership pools means that only user {U1} can be added to Project 8. The membership pools along the hierarchy down to Domain Unit 8 are {U1}, {U1}, and {U1, U2}, with only {U1} being common across the three.

![\[Project membership policy in the hierarchy of domain units\]](http://docs.aws.amazon.com/datazone/latest/userguide/images/scenario6.png)


**Scenario 7** - Users {U1, U2, G1} can be added to the project of the Root Domain as they are part of the membership pool of the Root Domain. Any user or group can be added to the project under Domain Unit 9 as the membership pool consists of {All Users/Groups}, because cascade is set to false in the Root Domain above it. 

![\[Project membership policy in the hierarchy of domain units\]](http://docs.aws.amazon.com/datazone/latest/userguide/images/scenario7.png)
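The intersection rule that the seven scenarios illustrate can be stated as a small executable model, which is useful when reviewing who can actually be added to a project deep in a domain unit hierarchy. The following is an added example, not Amazon DataZone code or API: the domain unit tree, the principal names (U1, U2, U3, G1, G2) and the `ALL` sentinel are constructed here to mirror Scenarios 4 to 7, and the cascade flag is modelled per grant, matching the per-user **Set cascade permissions** toggle from the procedure above. The rule implemented is the one the text states: a principal is eligible in a domain unit only if it is in that unit's own membership pool and in every ancestor pool whose grants cascade; "All Users / All Groups" imposes no restriction, and, as in Scenario 7, an ancestor whose grants do not cascade imposes none either (the last point is this example's reading of the text).

```python
"""Added example: executable model of the project membership pool rule.

Not Amazon DataZone code. The tree, principals and ALL sentinel below are
constructed to mirror Scenarios 4-7 of the text.
"""
from dataclasses import dataclass, field
from typing import Iterator, Optional, Union

ALL = "ALL"  # sentinel for the "All users" / "All groups" grant


@dataclass
class DomainUnit:
    name: str
    parent: Optional["DomainUnit"] = None
    # principal -> cascade flag (the per-user "Set cascade permissions" toggle)
    grants: dict = field(default_factory=dict)

    def grant(self, principal: str, cascade: bool = True) -> "DomainUnit":
        """Add `principal` to this unit's project membership pool."""
        self.grants[principal] = cascade
        return self


def _ancestors(unit: DomainUnit) -> Iterator[DomainUnit]:
    cur = unit.parent
    while cur is not None:
        yield cur
        cur = cur.parent


def effective_pool(unit: DomainUnit) -> Union[str, frozenset]:
    """Return ALL (unrestricted) or the frozenset of principals who can be
    added to projects in `unit`: the intersection of the unit's own pool
    with every cascading ancestor pool."""
    pools = [set(unit.grants)]  # the unit's own grants always apply
    for anc in _ancestors(unit):
        cascading = {p for p, cascade in anc.grants.items() if cascade}
        if cascading:  # assumption: an ancestor with no cascading grants is ignored
            pools.append(cascading)
    result: Union[str, frozenset] = ALL
    for pool in pools:
        if ALL in pool:
            continue  # "All Users/Groups" adds no constraint
        result = frozenset(pool) if result == ALL else result & pool
    return result


def can_add(unit: DomainUnit, principal: str) -> bool:
    """True if `principal` may be added as a member of a project in `unit`."""
    pool = effective_pool(unit)
    return pool == ALL or principal in pool


def build_scenarios() -> dict:
    """Constructed trees mirroring Scenarios 4, 5, 6 and 7 of the text."""
    # Scenario 4: root {U1, U2, G1} cascades; DU4 grants ALL but cannot widen the root pool.
    root4 = DomainUnit("Root").grant("U1").grant("U2").grant("G1")
    du4 = DomainUnit("DU4", root4).grant(ALL)
    # Scenario 5: DU5 shares {U1, G1} with the root; DU6 under it grants only U3 -> empty.
    root5 = DomainUnit("Root").grant("U1").grant("U2").grant("G1")
    du5 = DomainUnit("DU5", root5).grant("U1").grant("G1")
    du6 = DomainUnit("DU6", du5).grant("U3")
    # Scenario 6: pools {U1}, {U1}, {U1, U2} along the chain -> only U1.
    root6 = DomainUnit("Root").grant("U1")
    du7 = DomainUnit("DU7", root6).grant("U1")
    du8 = DomainUnit("DU8", du7).grant("U1").grant("U2")
    # Scenario 7: the root grants do not cascade, so DU9's ALL is unrestricted.
    root7 = DomainUnit("Root")
    for p in ("U1", "U2", "G1"):
        root7.grant(p, cascade=False)
    du9 = DomainUnit("DU9", root7).grant(ALL)
    return {"DU4": du4, "DU5": du5, "DU6": du6, "DU8": du8, "DU9": du9, "Root7": root7}


if __name__ == "__main__":
    for name, unit in build_scenarios().items():
        print(f"{name}: pool={effective_pool(unit)} U3 eligible={can_add(unit, 'U3')}")
```

Running the block prints the effective pool for each constructed unit; the useful check during a review is `can_add` for a specific principal, which answers the question each scenario poses without reading the whole hierarchy by hand.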
