

# Managing users in Deadline Cloud
<a name="managing-users"></a>

AWS Deadline Cloud uses AWS IAM Identity Center to manage users and groups. IAM Identity Center is a cloud-based single sign-on service that can be integrated with your enterprise single sign-on (SSO) provider. With that integration, users can sign in with their company account.

Deadline Cloud enables IAM Identity Center by default, and IAM Identity Center is required to set up and use Deadline Cloud. An owner of your AWS Organizations organization is responsible for managing the users and groups that have access to your Deadline Cloud monitor. For more information, see [What is AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html).

How you manage users depends on your IAM Identity Center identity source configuration. The identity source defines where IAM Identity Center gets user information.

**Topics**
+ [Understanding your identity source](understanding-identity-source.md)
+ [Create and manage users with IAM Identity Center directory](manage-monitor-users_users.md)
+ [Manage users with an external identity provider](manage-users-external-idp.md)
+ [Understanding access levels](manage-users-by-farm.md)

# Understanding your identity source
<a name="understanding-identity-source"></a>

IAM Identity Center uses an identity source to define where users are managed. There are two types of identity sources:

IAM Identity Center directory  
This is the default identity source. Users are created and managed directly within IAM Identity Center. You can create users through the Deadline Cloud console or the IAM Identity Center console. Users receive email invitations to join your organization, and passwords are managed within IAM Identity Center.

External identity provider (IdP)  
Users are federated from an external system such as Okta, Microsoft Entra ID, or other SAML 2.0 identity providers. Users must be created in the external system first. The Deadline Cloud console cannot create users when an external IdP is configured, but you can assign permissions to existing users. Passwords are managed by the external IdP.

To check your identity source configuration or change it, see [Manage your identity source](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html) in the IAM Identity Center User Guide.

# Create and manage users with IAM Identity Center directory
<a name="manage-monitor-users_users"></a>

If your identity source is set to IAM Identity Center directory, you can create and manage users and groups directly through the Deadline Cloud console. Users created in the console will receive email invitations from IAM Identity Center. After accepting the invitation, users can access the Deadline Cloud monitor.

**Note**  
If your IAM Identity Center is connected to an external identity provider, you cannot create users through the Deadline Cloud console. See [Manage users with an external identity provider](manage-users-external-idp.md) for information about managing users with an external IdP.

1. Sign in to the AWS Management Console and open the Deadline Cloud [console](https://console.aws.amazon.com/deadlinecloud/home). From the main page, in the **Get started** section, choose **Set up Deadline Cloud** or **Go to dashboard**.

1. In the left navigation pane, choose **User management**. By default, the **Groups** tab is selected.

Depending on the action to take, choose either the **Groups** tab or **Users** tab.

------
#### [ Groups ]

**To create a group**

1. Choose **Create group**.

1. Enter a group name. The name must be unique among groups in your IAM Identity Center organization.

**To remove a group**

1. Select the group to remove.

1. Choose **Remove**.

1. In the confirmation dialog, choose **Remove group**.
**Note**  
You are removing the group from IAM Identity Center. Group members can no longer sign in to the Deadline Cloud monitor or access farm resources.

------
#### [ Users ]

**To add users**

1. Choose the **Users** tab.

1. Choose **Add users**.

1. Enter the name, email address, and username for the new user.

1. (Optional) Choose one or more IAM Identity Center groups to add the new user to.

1. Choose **Send invite** to send the new user an email with instructions for joining your IAM Identity Center organization.

**To remove a user**

1. Select the user to remove.

1. Choose **Remove**.

1. In the confirmation dialog, choose **Remove user**.
**Note**  
You are removing the user from IAM Identity Center. The user can no longer sign in to the Deadline Cloud monitor or access farm resources.

------

# Manage users with an external identity provider
<a name="manage-users-external-idp"></a>

If your IAM Identity Center is connected to an external identity provider (IdP) such as Okta or Microsoft Entra ID, users must be created and managed in that external system. The Deadline Cloud console cannot create new users when an external IdP is configured.

After users are created in your external IdP and synchronized to IAM Identity Center, you can assign them permissions to Deadline Cloud resources. See [Understanding access levels](manage-users-by-farm.md) for information about assigning permissions at the farm, queue, and fleet level.

For information about managing your external identity provider configuration, see [Manage your identity source](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html) in the IAM Identity Center User Guide.

# Understanding access levels
<a name="manage-users-by-farm"></a>

Regardless of your identity source, you assign permissions to users and groups at the farm, queue, and fleet level through the Deadline Cloud console. There are four access levels, and each level includes the permissions of the levels below it. The following list describes the four access levels from the lowest to the highest:
+ **Viewer** – Permission to see resources in the farms, queues, fleets, and jobs they have access to. A viewer can't submit or make changes to jobs.
+ **Contributor** – Same as a viewer, but with permission to submit jobs to a queue or farm.
+ **Manager** – Same as contributor, but with permission to edit jobs in queues they have access to, and grant permissions on resources that they have access to.
+ **Owner** – Same as manager, but can view and create budgets and see usage.

For information about customizing these access levels, see [Monitor role](https://docs.aws.amazon.com/deadline-cloud/latest/developerguide/security-iam-service-roles.html#monitor-role) in the *Deadline Cloud Developer Guide*.

**Topics**
+ [Access level permissions matrix](access-level-permissions-matrix.md)
+ [Membership inheritance](membership-inheritance.md)
+ [Assign permissions to users and groups](assign-permissions-procedure.md)

# Access level permissions matrix
<a name="access-level-permissions-matrix"></a>

The following tables show the specific permissions available at each access level for farms, queues, and fleets when using the default AWS managed policies. Managing user access is currently available only in the Deadline Cloud console, not in the Deadline Cloud monitor. For information about customizing these access levels, see [Monitor role](https://docs.aws.amazon.com/deadline-cloud/latest/developerguide/security-iam-service-roles.html#monitor-role) in the *Deadline Cloud Developer Guide*.

**Farm permissions by access level**  

| Permission | Viewer | Contributor | Manager | Owner | 
| --- | --- | --- | --- | --- | 
| View farm details | Yes | Yes | Yes | Yes | 
| View queues and fleets | Yes | Yes | Yes | Yes | 
| Submit jobs | No | Yes | Yes | Yes | 
| Manage user access | No | No | Yes | Yes | 
| View and create budgets | No | No | No | Yes | 
| View usage data | No | No | No | Yes | 

**Queue permissions by access level**  

| Permission | Viewer | Contributor | Manager | Owner | 
| --- | --- | --- | --- | --- | 
| View queue details | Yes | Yes | Yes | Yes | 
| View jobs in queue | Yes | Yes | Yes | Yes | 
| Submit jobs to queue | No | Yes | Yes | Yes | 
| Edit and cancel jobs | No | No | Yes | Yes | 
| Manage queue user access | No | No | Yes | Yes | 
| View queue budget allocation | No | No | No | Yes | 

**Fleet permissions by access level**  

| Permission | Viewer | Contributor | Manager | Owner | 
| --- | --- | --- | --- | --- | 
| View fleet details | Yes | Yes | Yes | Yes | 
| View workers in fleet | Yes | Yes | Yes | Yes | 
| Manage fleet user access | No | No | Yes | Yes | 
| View fleet cost data | No | No | No | Yes | 

# Membership inheritance
<a name="membership-inheritance"></a>

Deadline Cloud uses a hierarchical membership model where permissions can be assigned at the farm, queue, or fleet level. Understanding how membership inheritance works helps you configure access control effectively.

## Farm-level membership
<a name="farm-level-membership"></a>

When you assign a user or group membership at the farm level, that membership applies to all queues and fleets within the farm. Farm-level membership provides broad access and is useful for users who need to work across multiple queues or fleets.

For example, if you assign a user as a Contributor at the farm level, that user can submit jobs to any queue in the farm.

## Queue and fleet-level membership
<a name="queue-fleet-level-membership"></a>

You can also assign membership at the queue or fleet level for more granular access control. Queue-level and fleet-level membership only applies to that specific resource.

For example, if you assign a user as a Manager on a specific queue, that user can edit jobs and manage access only for that queue, not for other queues in the farm.

A user can have membership on a queue or fleet without any farm-level membership. In that case, the user cannot see the farm in their farm list, but can view, and submit jobs to, only the queues or fleets they have access to.

## Effective permissions
<a name="effective-permissions"></a>

When a user has membership at multiple levels, Deadline Cloud uses the highest access level. For example:
+ A user with Viewer access at the farm level and Manager access on a specific queue has Manager permissions on that queue and Viewer permissions on all other queues.
+ A user with Contributor access at the farm level and Owner access on a specific fleet has Owner permissions on that fleet and Contributor permissions elsewhere.

**Note**  
Users without any membership at the farm, queue, or fleet level cannot access those resources, even if they are authenticated through IAM Identity Center.

For instructions on assigning membership to users and groups, see [Assign permissions to users and groups](assign-permissions-procedure.md).
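As an added example (not part of the Deadline Cloud documentation or service code), the following Python encodes the access-level ordering and the three permission tables above and resolves a user's effective level on a farm, queue, or fleet with the highest-level rule; the membership dict layout and any resource IDs are constructed for illustration.

```python
from enum import IntEnum
from typing import Optional


class AccessLevel(IntEnum):
    # Ordered lowest to highest; each level includes the permissions of the ones below it.
    VIEWER = 1
    CONTRIBUTOR = 2
    MANAGER = 3
    OWNER = 4


# Minimum level required for each action, transcribed from the permission tables above.
REQUIRED_LEVEL = {
    "farm": {
        "View farm details": AccessLevel.VIEWER,
        "View queues and fleets": AccessLevel.VIEWER,
        "Submit jobs": AccessLevel.CONTRIBUTOR,
        "Manage user access": AccessLevel.MANAGER,
        "View and create budgets": AccessLevel.OWNER,
        "View usage data": AccessLevel.OWNER,
    },
    "queue": {
        "View queue details": AccessLevel.VIEWER,
        "View jobs in queue": AccessLevel.VIEWER,
        "Submit jobs to queue": AccessLevel.CONTRIBUTOR,
        "Edit and cancel jobs": AccessLevel.MANAGER,
        "Manage queue user access": AccessLevel.MANAGER,
        "View queue budget allocation": AccessLevel.OWNER,
    },
    "fleet": {
        "View fleet details": AccessLevel.VIEWER,
        "View workers in fleet": AccessLevel.VIEWER,
        "Manage fleet user access": AccessLevel.MANAGER,
        "View fleet cost data": AccessLevel.OWNER,
    },
}


def effective_level(membership: dict, kind: str, resource_id: Optional[str] = None) -> Optional[AccessLevel]:
    """Highest level among the farm-level membership (which applies to every queue and fleet in
    the farm) and the membership on the specific queue or fleet. `membership` is a constructed
    layout: {"farm": level or None, "queue": {id: level}, "fleet": {id: level}}."""
    levels = [membership.get("farm")]
    if kind != "farm":
        levels.append(membership.get(kind, {}).get(resource_id))
    levels = [lvl for lvl in levels if lvl is not None]
    return max(levels) if levels else None  # None: no membership at any level, so no access


def is_allowed(membership: dict, kind: str, resource_id: Optional[str], action: str) -> bool:
    """True when the user's effective level on the resource meets the action's minimum level."""
    level = effective_level(membership, kind, resource_id)
    return level is not None and level >= REQUIRED_LEVEL[kind][action]
```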

# Assign permissions to users and groups
<a name="assign-permissions-procedure"></a>

Use the Deadline Cloud console to assign access levels to users and groups at the farm, queue, or fleet level.

**Note**  
Changes to access permissions might take up to 10 minutes to reflect in the system.

**To navigate to access management**

1. Sign in to the AWS Management Console and open the Deadline Cloud [console](https://console.aws.amazon.com/deadlinecloud/home). 

1. In the left navigation pane, choose **Farms and other resources**.

1. Select the farm to manage. Choose the farm name to open the details page. You can search for the farm using the search bar.

1. (Optional) To manage a queue or fleet instead of the farm, choose the **Queues** or **Fleets** tab, and then choose the queue or fleet to manage.

1. Choose the **Access management** tab.

Depending on the action to take, choose either the **Groups** tab or **Users** tab.

------
#### [ Groups ]

**To add groups**

1. Select the **Groups** toggle.

1. Choose **Add group**.

1. From the dropdown, select the groups to add.

1. For the group access level, choose one of the following options:
   + **Viewer**
   + **Contributor**
   + **Manager**
   + **Owner**

1. Choose **Add**.

**To remove groups**

1. Select the groups to remove.

1. Choose **Remove**.

1. In the confirmation dialog, choose **Remove group**. 

------
#### [ Users ]

**To add users**

1. To add a user, choose **Add user**. 

1. From the dropdown, select the users to add.

1. For the user access level, choose one of the following options:
   + **Viewer**
   + **Contributor**
   + **Manager**
   + **Owner**

1. Choose **Add**.

**To remove users**

1. Select the user to remove.

1. Choose **Remove**.

1. In the confirmation dialog, choose **Remove user**. 

------