

# Domains and user access in Amazon DataZone

This section describes how you can create and manage domains and user access in Amazon DataZone. 

An Amazon DataZone domain is the organizing entity for connecting together your assets, users, and their projects. With Amazon DataZone domains, you have the flexibility to reflect the data and analytics needs of your organizational structure, whether that means creating a single Amazon DataZone domain for your enterprise or multiple Amazon DataZone domains for different business units or teams. 

This section also describes managing user access to the Amazon DataZone console and the Amazon DataZone data portal. 

For more information, see [Amazon DataZone terminology and concepts](datazone-concepts.md).

**Topics**
+ [Create Amazon DataZone domains](create-domain.md)
+ [Edit Amazon DataZone domains](edit-domain.md)
+ [Delete Amazon DataZone domains](delete-domain.md)
+ [Enable IAM Identity Center for Amazon DataZone](enable-IAM-identity-center-for-datazone.md)
+ [Disable IAM Identity Center for Amazon DataZone](disable-IAM-identity-center-for-datazone.md)
+ [Manage users in the Amazon DataZone console](user-management-console.md)
+ [Manage user permissions in the Amazon DataZone data portal](user-management-portal.md)
+ [Restricting access to Amazon DataZone](user-management-portal-restricting-programmatic-access.md)
+ [Upgrade Amazon DataZone domains to Amazon SageMaker unified domains](upgrade-domain.md)

# Create Amazon DataZone domains

**Note**  
If you are using Amazon DataZone with AWS Identity Center to provide access to SSO users and groups, then currently your Amazon DataZone domain must be in the same AWS Region as your AWS Identity Center instance.

In Amazon DataZone, a domain is an organizing entity for connecting together your assets, users, and their projects. For more information, see [Amazon DataZone terminology and concepts](datazone-concepts.md). 

To create an Amazon DataZone domain, you must assume an IAM role in the account with administrative permissions. [Configure the IAM permissions required to use the Amazon DataZone management console](create-iam-roles.md) to obtain the minimum permissions necessary to create a domain.

Additional IAM roles are needed by Amazon DataZone to perform actions on behalf of domain users with a default configuration. You can create these IAM roles in advance, or have Amazon DataZone create them for you. If you want Amazon DataZone to create these IAM roles for you during the domain creation process, then for domain creation you must assume an IAM role with role creation permissions. See [Create a custom policy for IAM permissions to enable the Amazon DataZone service console simplified role creation](create-iam-roles.md#create-custom-to-manage-EZCRZ). Depending on your domain creation choices, Amazon DataZone will create up to four new IAM roles for you: **AmazonDataZoneDomainExecutionRole**, **AmazonDataZoneGlueManageAccessRole**, **AmazonDataZoneRedshiftManageAccessRole**, and **AmazonDataZoneProvisioningRole**.

Complete the following procedure to create an Amazon DataZone domain. 

1. Navigate to the Amazon DataZone console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose **Create domain** and provide values for the following fields: 
   + **Name** - specify a friendly name for the domain. Once the domain is created this name cannot be changed.
   + **Description** - (optional) specify a domain description.
   + **Data encryption** - your Amazon DataZone domain, metadata, and reporting data is encrypted by the AWS Key Management Service (KMS) using a key specific to your Amazon DataZone. Use this field to specify whether you want to use an AWS owned key or choose a different AWS KMS key.

     For more information about using customer managed keys, see [Data encryption at rest for Amazon DataZone](encryption-rest-datazone.md). If you use your own KMS key for data encryption, you must include the following statement in your default [AmazonDataZoneDomainExecutionRole](AmazonDataZoneDomainExecutionRole.md).

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "Statement1",
                 "Effect": "Allow",
                 "Action": [
                     "kms:Decrypt",
                     "kms:DescribeKey",
                     "kms:GenerateDataKey"
                 ],
                 "Resource": [
                     "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
                 ]
             }
         ]
     }
     ```

   + **Service access** - choose whether to have Amazon DataZone create and use a new **DomainExecutionRole** for you, or choose an existing IAM role.
   + **Quick setup** - (optional) check this box to get started faster by having Amazon DataZone set-up your account for data consumption and publishing. Amazon DataZone will create three IAM roles for provisioning, ingesting, and managing access to AWS Glue and Amazon Redshift resources, create a new Amazon S3 bucket, create an administrative Amazon DataZone project, and create environment profiles for the data lake and data warehouse default blueprints.
   + **Tags** - (optional) specify AWS tags (key and value pairs) for the domain.

1. Once the domain is successfully created, your browser refreshes to display your new Amazon DataZone domain’s details page.

# Edit Amazon DataZone domains

In Amazon DataZone, a domain is an organizing entity for connecting together your assets, users, and their projects. For more information, see [Amazon DataZone terminology and concepts](datazone-concepts.md). 

After you create an Amazon DataZone domain, you can later edit the domain to: change the description, enable IAM Identity Center, and add, edit, or remove tag keys and their values. To edit an Amazon DataZone domain, you must assume an IAM role in the account with administrative permissions. [Configure the IAM permissions required to use the Amazon DataZone management console](create-iam-roles.md) to obtain the minimum permissions necessary to edit a domain.

To edit a domain, complete the following steps:

1. Sign in to the AWS Management Console and open the Amazon DataZone console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone).

1. Choose **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. On the details page for the domain, choose **Edit**.

1. Make any of the following changes:
   + Edit the **Description**.
   + Set the **IAM Identity Center settings**. Learn more about these settings in [Setting up AWS IAM Identity Center for Amazon DataZone](sso-setup.md).
   + Add, edit, or remove **Tag** keys and their values.

1. Once you’ve made your edits, choose **Update domain**.

# Delete Amazon DataZone domains

In Amazon DataZone, a domain is an organizing entity for connecting together your assets, users, and their projects. For more information, see [Amazon DataZone terminology and concepts](datazone-concepts.md). 

The act of deleting a domain is final. Deletion irrevocably removes every Amazon DataZone entity, including data sources, projects, environments, assets, glossaries, and metadata forms. Deletion does not delete non-Amazon DataZone AWS resources that Amazon DataZone may have helped you create, such as IAM roles, S3 buckets, AWS Glue databases, and subscription grants via AWS Lake Formation or Amazon Redshift. If you no longer need these resources, delete them in the respective AWS service.

To prevent someone from deleting a domain maliciously, deleting a domain requires administrative IAM permissions for Amazon DataZone, which you can configure with IAM. To prevent someone from deleting a domain accidentally, deleting a domain requires a confirmation word (in the Amazon DataZone console). 

To delete a domain, complete the following steps:

1. Sign in to the AWS Management Console and open the Amazon DataZone console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone).

1. Choose **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. Choose **Delete** and review the informational warnings.

1. Type in the requested text to confirm that you understand these warnings. Choose **Delete**.

**Important**  
Deleting your domain is an irrevocable action that cannot be undone by you or by AWS.

**Note**  
When you or your domain users create an environment in a project, Amazon DataZone creates AWS resources in your domain or associated accounts to provide you and your domain users with functionality. Below is the list of AWS resources that Amazon DataZone may create for projects in your domain, along with the default name. Deleting a domain does not delete any of these AWS resources in your AWS accounts.  
+ IAM roles: `datazone_usr_<environmentId>`
+ Glue databases: (1) `<environmentName>_pub_db-*`, (2) `<environmentName>_sub_db-*`. If there was already an existing database of this name, Amazon DataZone will add the environment ID.
+ Athena workgroups: `<environmentName>-*`. If there was already an existing workgroup of this name, Amazon DataZone will add the environment ID.
+ CloudWatch log group: `datazone_<environmentId>`

# Enable IAM Identity Center for Amazon DataZone


**Note**  
To complete this procedure, you must have AWS IAM Identity Center enabled in the same AWS Region as your Amazon DataZone domain.

You can provide SSO users and groups with access to your Amazon DataZone data portal using AWS IAM Identity Center. After completing [Setting up AWS IAM Identity Center for Amazon DataZone](sso-setup.md), you can enable your SSO users and groups to access your Amazon DataZone domain data portal.

To enable AWS IAM Identity Center for use with your Amazon DataZone domain, you must assume an IAM role in the account with administrative permissions. [Configure the IAM permissions required to use the Amazon DataZone management console](create-iam-roles.md) and [Create a custom policy for IAM permissions to enable the Amazon DataZone service console simplified role creation](create-iam-roles.md#create-custom-to-manage-EZCRZ) to obtain the minimum permissions necessary to enable IAM Identity Center for use with Amazon DataZone.

Complete the following procedure to enable the AWS IAM Identity Center for Amazon DataZone.

1. Sign in to the AWS Management Console and open the DataZone console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone).

1. Select **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. On the detail page for the domain, choose **Edit**.
   + Select the checkbox for **Enable users in IAM Identity Center**.
   + Choose whether to connect to an organization instance of IAM Identity Center or to an account instance of IAM Identity Center.
   + Choose between the two user assignment modes. Once your domain is updated with your selection, it cannot be changed later.
     + With **Implicit user assignment**, any user added to your IAM Identity Center directory can access your Amazon DataZone domain.
     + With **Explicit user assignment**, you add specific users or groups from your IAM Identity Center directory to give them access to your Amazon DataZone domain. You add and remove these users and groups later in the Amazon DataZone console.

1. Once you are satisfied with your selection, choose **Update domain**.

# Disable IAM Identity Center for Amazon DataZone


Disabling AWS IAM Identity Center for an Amazon DataZone domain will remove access for all SSO users.

**Note**  
Disabling IAM Identity Center will not stop billing for SSO users. To stop billing for SSO users, you must deactivate them in your domain. Billing continues until the end of the month in which a user is deactivated. To deactivate users, see [Manage users in the Amazon DataZone console](user-management-console.md). 

You can provide SSO users and groups with access to your Amazon DataZone data portal using AWS IAM Identity Center. If you have enabled AWS IAM Identity Center for Amazon DataZone, you can later disable access for all users.

To disable AWS IAM Identity Center for use with your Amazon DataZone domain, you must assume an IAM role in the account with administrative permissions. [Configure the IAM permissions required to use the Amazon DataZone management console](create-iam-roles.md) and [Create a custom policy for IAM permissions to enable the Amazon DataZone service console simplified role creation](create-iam-roles.md#create-custom-to-manage-EZCRZ) to obtain the minimum permissions necessary to disable IAM Identity Center from use with Amazon DataZone.

Complete the following procedure to disable the AWS IAM Identity Center for Amazon DataZone.

1. Sign in to the AWS Management Console and open the DataZone console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone).

1. Select **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. Copy the **Amazon Resource Name (ARN)** for your domain, which starts with `arn:aws:datazone:<regionName>:<accountId>:domain/<domainName>`.

1. Open the IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/). 

1. Choose **Applications**.

1. Choose the domain for which you want to disable AWS IAM Identity Center, which as a result will remove access to the domain’s data portal for all SSO users. You can use the **Filter** menu and the search box to filter the list of applications.

1. From the **Actions** menu, choose **Disable**.

1. SSO users will lose access to the Amazon DataZone domain.

1. To re-enable AWS IAM Identity Center for the Amazon DataZone domain, choose the domain for which you want to re-enable AWS IAM Identity Center, and from the **Actions** menu, choose **Enable**.

# Manage users in the Amazon DataZone console


Your users can access the Amazon DataZone data portal by using either their AWS credentials or single sign-on (SSO) credentials. To manage users in the Amazon DataZone console for an Amazon DataZone domain, you must assume an IAM role in the account with Amazon DataZone management console permissions. [Configure the IAM permissions required to use the Amazon DataZone management console](create-iam-roles.md) to obtain the minimum permissions necessary to manage users in the Amazon DataZone console.

**Topics**
+ [Manage IAM roles and users](#manage-IAM-users-roles)
+ [Manage SSO users](#manage-sso-users)
+ [Manage SSO groups](#manage-sso-groups)

## Manage IAM roles and users


IAM roles and users are created using AWS Identity and Access Management (IAM) and gain access to your Amazon DataZone domains through permissions attached to them via policies. For more information, see [Configure the IAM permissions required to use the Amazon DataZone data portal](data-portal-permissions.md). In the current release of Amazon DataZone, an administrator from an Amazon DataZone domain owner account can create IAM user profiles for users in their own account or for users in the associated accounts. An administrator from an Amazon DataZone domain owner account can also set an existing user's status to Assigned or Unassigned (that is, assigned or unassigned to use Amazon DataZone), or activate or deactivate any existing user.

1. Sign in to the AWS Management Console and open the DataZone console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone).

1. Select **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. On the details page for the domain, choose **User management**.

1. To add an IAM user in the Amazon DataZone domain owner account or in an associated account, choose **Add** and then choose **Add IAM users**.

1. On the **Add users** page, choose **Current account** or **Associated account**, use the **Find and add users or roles** field to find the users that you want to add, and then choose **Add users**.

1. To view an existing IAM user's status, on the **User management** page, choose **IAM Users** in the user type drop-down menu.
   + The **Name** column shows the ARN of the IAM user or role.
   + The **Status** column shows the current status of the IAM user or role in the domain. 
     + Assigned means that the IAM user has been assigned to use Amazon DataZone.
     + Unassigned means that the IAM user has been unassigned to use Amazon DataZone.
     + Activated means that the IAM user or role has called an API, issued a command (via Command Line Interface), or accessed the Amazon DataZone portal for your domain.
     + Deactivated means that the IAM user or role can no longer use the Amazon DataZone Data Portal. To restrict programmatic access see [Restricting access to Amazon DataZone](user-management-portal-restricting-programmatic-access.md). 

1. To deactivate an IAM user or role that is currently activated, check the box next to the user and select **Deactivate** from the **Actions** menu. As a result, the user is no longer able to use the Amazon DataZone Data Portal. To restrict programmatic access, see [Restricting access to Amazon DataZone](user-management-portal-restricting-programmatic-access.md). 

1. To activate an IAM user or role that is currently deactivated, check the box next to the user and select **Activate** from the **Actions** menu. The user will gain access to the Amazon DataZone Data Portal if the IAM user or role has `datazone:GetUserPortalLoginUrl` permissions. 

## Manage SSO users


SSO users are created or synchronized with your identity provider. For more information, see [Setting up AWS IAM Identity Center for Amazon DataZone](sso-setup.md) and [Enable IAM Identity Center for Amazon DataZone](enable-IAM-identity-center-for-datazone.md) to enable and configure AWS IAM Identity Center for Amazon DataZone. You can view the list of SSO users assigned to the domain, add SSO users, and remove SSO users.

1. Sign in to the AWS Management Console and open the DataZone console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone).

1. Select **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. On the details page for the domain, scroll down and choose **User management**.

1. For user type, select **SSO Users** to view the current list of SSO users who have previously authenticated to the data portal. When using implicit user assignment, SSO users who have not previously authenticated to the data portal will not be listed. 
   + The **Name** column shows the SSO user’s name.
   + The **Status** column shows the current status of the SSO user in the domain.
     + Assigned means that the SSO user has been explicitly assigned to the domain. As a result, the user has access to Amazon DataZone. This status is only used when your domain’s identity provider mode is set to explicit assignment.
     + Activated means that the SSO user has accessed the Amazon DataZone portal for the domain. Activation happens automatically.
     + Deactivated means that the SSO user’s access is blocked to the domain’s data portal. 
     + Removed means that the SSO user was previously assigned to the domain, but removed before they ever accessed it.

1. Add SSO users by choosing **Add** and **Add users**. This option is unavailable if the domain is set to implicit user assignment, which means that all users in the identity pool have access to the Amazon DataZone domain.
   + On the **Add users** page, search for the aliases of the users you want to add. A list will appear below the search box with potential matches.
   + Choose the user you want to add. Their alias will appear as a chip below the search box.
   + When you are satisfied with the list of users you want to add, choose **Add user(s)**.
   + The users are assigned to the Amazon DataZone domain with a status of **Assigned**.
   + When the user first accesses the domain’s data portal, the status will change automatically to **Activated**.

1. Remove an **Assigned** SSO user by selecting the user and choosing **Unassign** from the **Actions** menu. As a result, the user will lose access to the Amazon DataZone domain. The user’s status will show as **Not assigned**. This option is unavailable if the domain is set to implicit user assignment.

1. Deactivate an **Activated** SSO user by selecting the user and choosing **Deactivate** from the **Actions** menu. As a result, the user’s access to the Amazon DataZone data portal will be lost and blocked. The user’s status will show as **Deactivated**.

1. Activate a **Deactivated** SSO user by selecting the user and choosing **Activate** from the **Actions** menu. As a result, the user will regain access to the Amazon DataZone data portal. The user’s status will show as **Activated**.

## Manage SSO groups


SSO groups are created or synchronized with your identity provider in AWS IAM Identity Center. For more information, see [Setting up AWS IAM Identity Center for Amazon DataZone](sso-setup.md) and [Enable IAM Identity Center for Amazon DataZone](enable-IAM-identity-center-for-datazone.md) to enable and configure AWS IAM Identity Center for Amazon DataZone. You can view the list of SSO groups assigned to the domain, add SSO groups, and remove SSO groups.

1. Sign in to the AWS Management Console and open the DataZone console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone).

1. Select **View domains** and choose the domain’s name from the list. The name is a hyperlink.

1. On the details page for the domain, scroll down and choose **User management**.

1. For user type, select **SSO Groups** to view the current list of SSO groups.
   + The **Name** column shows the SSO group’s name.
   + The **Status** column shows the current status of the SSO group in the domain.
     + **Assigned** means that the SSO group has been explicitly assigned to the domain. As a result, all users in the group have access to the domain’s data portal (unless the user is deactivated).
     + **Not Assigned** means that the SSO group has been removed from the domain. Users in the group do not have access to the domain’s data portal via their membership in this group.

1. Add SSO groups by choosing **Add** and **Add groups**. This option is unavailable if the domain is set to implicit user assignment, which means that all users in the identity pool have access to the Amazon DataZone domain regardless of group membership.
   + On the **Add groups** page, search for the aliases of the groups you want to add. A list will appear below the search box with potential matches.
   + Choose the group you want to add. Their alias will appear as a chip below the search box.
   + When you are satisfied with the list of groups you want to add, choose **Add group(s)**.
   + The groups are assigned to the Amazon DataZone domain with a status of **Assigned**.
   + When a member of the group accesses the domain's data portal, the status will change automatically to **Activated**.

1. Remove an **Assigned SSO group** by selecting the group and choosing **Unassign** from the **Actions** menu. As a result, the group will lose access to the Amazon DataZone domain. The group’s status will show as **Not Assigned**. Users that gained their access to Amazon DataZone via their membership in this group will lose access. This option is unavailable if the domain is set to implicit user assignment.

# Manage user permissions in the Amazon DataZone data portal

You can use the Amazon DataZone management portal to configure authentication for IAM users and roles, SSO users and groups, and SAML users. Amazon DataZone assigns a user profile to each user that uses Amazon DataZone.

User profile permissions to use projects, create entities, and so on are managed using domain units and policy grants. Within a specific project, the project membership designation (owner, contributor, viewer) determines which actions are authorized.

# Restricting access to Amazon DataZone


**Restricting programmatic access to Amazon DataZone** - for IAM users or roles, making programmatic API calls, access can be restricted via IAM policies. If you want to revoke any already issued short term credentials for roles, you can use the [IAM revoke session mechanism](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html) on the role or on the [Service Control Policy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html).

**Restricting login access to the Amazon DataZone data portal** - to restrict login access to the Amazon DataZone data portal for IAM users or roles, IAM policies can restrict access to the `datazone:GetUserPortalLoginUrl` action. For SSO users and groups, restrict access to the Amazon DataZone data portal by setting the Amazon DataZone user profile status to **Deactivated**. If your domain is configured with implicit assignment and the user has not previously used Amazon DataZone, you will need to remove the user from the identity provider.
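The following added example (not Amazon DataZone's own code) checks two of the policies this page describes offline: the KMS statement that the domain execution role needs for a customer managed key (from the domain creation section above) and an identity policy that blocks data-portal login by denying `datazone:GetUserPortalLoginUrl`. It implements a simplified subset of IAM evaluation (explicit deny wins, wildcards, no conditions); the key ARN is the page's placeholder and the domain ARN and policy documents are constructed samples.

```python
"""Offline check of IAM policy documents for two Amazon DataZone access controls:
(1) the KMS statement AmazonDataZoneDomainExecutionRole needs for a customer
managed key, and (2) denying datazone:GetUserPortalLoginUrl to block portal login.
Added example, not Amazon DataZone's own code. Simplified IAM semantics:
explicit Deny beats Allow, '*'/'?' wildcards, no Condition or NotResource."""
import fnmatch
from typing import Iterable

# Key ARN copied from the page's example statement (a documentation placeholder).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
# Constructed domain ARN in the page's arn:aws:datazone:<region>:<account>:domain/<name> form.
DOMAIN_ARN = "arn:aws:datazone:us-east-1:111122223333:domain/dzd_EXAMPLE"
REQUIRED_KMS_ACTIONS = ("kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey")


def _as_list(value) -> list:
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns: Iterable[str], candidate: str) -> bool:
    """IAM-style matching: '*' and '?' wildcards, case-insensitive."""
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in patterns)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            action_hit = not _matches(_as_list(stmt["NotAction"]), action)
        else:
            action_hit = _matches(_as_list(stmt.get("Action")), action)
        resource_hit = _matches(_as_list(stmt.get("Resource", "*")), resource)
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"          # an explicit Deny ends evaluation
        if stmt.get("Effect") == "Allow":
            decision = "Allow"     # keep looking in case a later Deny applies
    return decision


def missing_kms_actions(role_policy: dict, key_arn: str = KEY_ARN) -> list:
    """Required KMS actions the execution role policy does NOT allow on the
    customer managed key. An empty list means the key can be used."""
    return [a for a in REQUIRED_KMS_ACTIONS if evaluate(role_policy, a, key_arn) != "Allow"]


def portal_login_blocked(identity_policy: dict, domain_arn: str = DOMAIN_ARN) -> bool:
    """True when the policy stops the principal from obtaining a data-portal
    login URL for the domain, by explicit or implicit deny."""
    return evaluate(identity_policy, "datazone:GetUserPortalLoginUrl", domain_arn) != "Allow"


# Constructed sample: the page's KMS statement as attached to the execution role.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Statement1",
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"],
        "Resource": [KEY_ARN],
    }],
}

# Constructed sample: a principal keeps its DataZone API permissions but is
# explicitly denied the portal-login action, so it cannot enter the data portal.
PORTAL_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeepApiAccess", "Effect": "Allow", "Action": "datazone:*", "Resource": "*"},
        {"Sid": "BlockPortalLogin", "Effect": "Deny",
         "Action": "datazone:GetUserPortalLoginUrl", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("missing KMS actions:", missing_kms_actions(EXECUTION_ROLE_POLICY))
    print("key in another region:",
          missing_kms_actions(EXECUTION_ROLE_POLICY, KEY_ARN.replace("us-east-1", "eu-west-1")))
    print("portal login blocked:", portal_login_blocked(PORTAL_DENY_POLICY))
    print("API access kept:", evaluate(PORTAL_DENY_POLICY, "datazone:ListDomains", "*"))
```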

# Upgrade Amazon DataZone domains to Amazon SageMaker unified domains

## Considerations before you upgrade your domain


Before upgrading your Amazon DataZone domain to an Amazon SageMaker unified domain, review these important considerations to ensure a smooth upgrade process.
+ The upgrade process is available only through the AWS management console. Currently, no API support is offered for upgrading your domain. You can initialize the upgrade process from the domain details page of your Amazon DataZone domain. 
+ The upgrade process requires the following roles to be configured (you can select existing roles or have Amazon SageMaker Unified Studio create the roles on your behalf):
  + Domain Execution role - for an Amazon DataZone domain, you're using the [AmazonDataZoneDomainExecutionRole](https://docs.aws.amazon.com/datazone/latest/userguide/AmazonDataZoneDomainExecutionRole.html) that is required by Amazon DataZone to catalog, discover, govern, share, and analyze data in your domain. With an Amazon SageMaker unified domain, you must either use an existing or create a new [AmazonSageMakerDomainExecution](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/AmazonSageMakerDomainExecution.html) role.
  + Domain Service role - Amazon DataZone does not require a Domain Service role. With an Amazon SageMaker unified domain, you must either use an existing or create a new [AmazonSageMakerDomainService](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/AmazonSageMakerDomainService.html) role. This is a service role for domain-level actions performed by Amazon SageMaker Unified Studio.
+ Root domain ownership considerations:
  + IAM users or SSO users/groups can be optionally assigned as root domain owners during the upgrade process.
  + If the root domain unit only has IAM roles assigned as owners, it is recommended that you add an IAM user or an SSO user/group as owner. For more information, see [User management](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/adminguide/user-management.html) in the Amazon DataZone Administrator Guide.
  + **Important**: IAM roles cannot log in to the Amazon SageMaker Unified Studio.
+ Associated accounts and AWS Resource Access Manager (AWS RAM) changes:
  + Associated accounts use resource shares from AWS RAM to permit API actions from the root domain account.
  + The upgrade process changes the underlying managed permissions for the AWS RAM share that is created and managed by Amazon DataZone. The affected managed permissions are `AWSRAMPermissionsAmazonDatazoneDomainExtendedServiceAccess` and `AWSRAMPermissionsAmazonDatazoneDomainExtendedServiceWithPortalAccess`.
+ Amazon Q subscription changes - the upgraded domain will have Amazon Q subscription defaulted to the free-tier. Domain administrators can change this after the domain upgrade is complete.
+ After the upgrade, the domain's `domainVersion` attribute changes from `V1` to `V2`.

## Upgrade your Amazon DataZone domain to an Amazon SageMaker unified domain


You can complete the following procedure to upgrade your Amazon DataZone domain to an Amazon SageMaker unified domain. 

1. Navigate to the Amazon DataZone console at [https://console.aws.amazon.com/datazone](https://console.aws.amazon.com/datazone) and use the region selector in the top navigation bar to choose the appropriate AWS Region.

1. Choose the Amazon DataZone domain that you want to upgrade and navigate to its details page.

1. On the domain's details page, choose the **Get started** button located in the **Upgrade your domain to Amazon SageMaker Unified Studio** notification.

1. On the **Upgrade your domain to Amazon SageMaker Unified Studio** page, choose **Start**.

1. Next, specify the Domain Execution role and the Domain Service role for the domain. If the Amazon DataZone domain that you are upgrading has no owners of type IAM user or SSO user/group, also specify the root domain unit owners. Then choose **Upgrade domain**.

## Frequently asked questions about upgrading Amazon DataZone domains to Amazon SageMaker unified domains

+ **Which properties and configurations carry over with the domain after the upgrade?**

  All properties configured on the Amazon DataZone domain carry over to the upgraded Amazon SageMaker unified domain. This includes data encryption properties, authentication application properties, etc.
+ **Do I need to set up single sign-on (SSO) access again for my users?**

  No. Your IAM Identity Center SSO application associated to the domain will carry over to the upgraded Amazon SageMaker unified domain. Additionally, any IAM user or role assigned to the domain will be available in the upgraded Amazon SageMaker unified domain.
+ **Can I still use the Amazon DataZone portal after the upgrade?**

  Yes. After the upgrade both Amazon DataZone portal and Amazon SageMaker Unified Studio will be available for end users to interact with. Both portals will remain open until a domain administrator deactivates the Amazon DataZone portal from the Amazon SageMaker management console. 
+ **Will I see the projects and other entities that were created in the Amazon DataZone portal in Amazon SageMaker Unified Studio?**

  Yes. Most entities (projects, metadata forms, glossaries, domain units) created through the Amazon DataZone portal will be visible in Amazon SageMaker Unified Studio. Projects will carry over all assets, metadata forms and glossaries associated to assets, subscriptions to assets, members, etc. These projects require querying the data from AWS Athena or Amazon Redshift query editors. Metadata forms and glossaries will appear in Amazon SageMaker Unified Studio and they can be edited from Amazon SageMaker and assigned to assets from projects created through Amazon SageMaker. Environments and environment profiles from Amazon DataZone will not show in Amazon SageMaker Unified Studio - these entities have been replaced by Amazon SageMaker project profiles. Projects created in the Amazon SageMaker Unified Studio will not be visible through the Amazon DataZone portal.
+ **What happens to the domain identifier and the project identifiers after the upgrade to Amazon SageMaker unified domain?**

  All entity identifiers, including the domain and projects, will remain the same after the upgrade.
+ **Will my AWS CloudFormation (CFN) stacks continue to work for the newly upgraded Amazon SageMaker unified domain?**

  Amazon SageMaker Unified Studio uses the same APIs as Amazon DataZone. However, some modifications to the logic within CFN templates will be needed. For example, domains from Amazon DataZone are distinguished from Amazon SageMaker unified domains by an attribute named `domainVersion` (values `V1` and `V2`).
+ **What happens when the upgrade is rolled back?**
  + Rolling back the upgrade changes the domain version from V2 to V1. Amazon SageMaker Unified Studio will no longer be accessible. The console view for the domain will return to the Amazon DataZone view. Resources created before the rollback remain as long as they are not tied to a project that was created from Amazon SageMaker Unified Studio; rolling back is only permitted when no projects created from within Amazon SageMaker Unified Studio are present.
  + Settings such as the Amazon Q subscription also persist after the rollback.
  + If VPCs were created for use by Amazon SageMaker, they persist after the rollback. VPCs created by the SageMaker service carry the tag `Name = SageMakerUnifiedStudioVPC`.
  + The managed permission under the RAM resource share will not be rolled back. The managed permission is a superset of both Amazon DataZone and Amazon SageMaker Unified Studio.
  + A domain that had been rolled back can again be upgraded to Amazon SageMaker unified domain.