

# Permission policy
<a name="permission-profiles"></a>

Research and Engineering Studio (RES) allows an administrative user to create custom permission profiles that grant selected users additional permissions to manage the projects they are part of. Each project comes with two [default permission profiles](permission-matrix.md), "Project Member" and "Project Owner", which can be customized after deployment.

Currently, administrators can grant two collections of permissions using a permission profile:

1. Project management permissions, which consist of "Update project membership" (allows a designated user to add users and groups to a project, or remove them from it) and "Update project status" (allows a designated user to enable or disable a project).

1. VDI session management permissions, which consist of "Create Session" (allows a designated user to create a VDI session within their project) and "Create/Terminate another user's session" (allows a designated user to create or terminate the sessions of other users within a project).

In this way, administrators can delegate project-based permissions to non-administrators in their environment.

**Topics**
+ [Project management permissions](permission-profiles-permission-project-management.md)
+ [VDI session management permissions](permission-profiles-permission-vdi-sessions.md)
+ [Managing permission profiles](permission-profiles-permission-management.md)
+ [Default permissions profiles](permission-matrix.md)
+ [Environment boundaries](permission-profiles-environment-boundaries.md)
+ [Desktop sharing profiles](permission-profiles-desktop-sharing-profiles.md)

# Project management permissions
<a name="permission-profiles-permission-project-management"></a>

**Update project membership**  
This permission allows non-admin users who have been granted it to add users or groups to a project and remove them from it. It also allows them to set the permission profile, and therefore the access level, for all other users and groups in that project.  

![\[Team configurations pop-out window\]](http://docs.aws.amazon.com/res/latest/ug/images/res-update-project-membership.png)


**Update project status**  
This permission allows non-admin users who have been granted it to enable or disable a project using the **Actions** button on the **Projects** page.  

![\[Admin console projects window under environment management\]](http://docs.aws.amazon.com/res/latest/ug/images/res-update-project-status.png)


# VDI session management permissions
<a name="permission-profiles-permission-vdi-sessions"></a>

**Create a session**  
Controls whether a user is allowed to launch their own VDI session from the **My Virtual Desktops** page. Disable this to deny non-admin users the ability to launch their own VDI sessions. Users can always stop and terminate their own VDI sessions, with or without this permission.  
If a non-admin user does not have permissions to create a session, the **Launch New Virtual Desktop** button will be disabled for them as shown here:  

![\[non-admin users without permissions have the launch new virtual desktop button disabled\]](http://docs.aws.amazon.com/res/latest/ug/images/res-nonadmin-vdi-disabled.png)


**Create or Terminate the sessions of others**  
Allows non-admin users to access the **Sessions** page from the left-hand navigation pane. These users will be able to launch VDI sessions for other users in the projects where they have been granted this permission.  
If a non-admin user has permission to launch sessions for other users, their left-hand navigation pane will display the **Sessions** link under **Session Management** as shown here:  

![\[Non-admin pop-out window for session management\]](http://docs.aws.amazon.com/res/latest/ug/images/res-nonadmin-link-displayed.png)

If a non-admin user does not have permission to create sessions for others, their left-hand navigation pane will not display **Session Management** as shown here:  

![\[the sessions management link is hidden from non-admin users without permission to create sessions for others\]](http://docs.aws.amazon.com/res/latest/ug/images/res-nonadmin-hidden-link.png)


# Managing permission profiles
<a name="permission-profiles-permission-management"></a>

As a RES administrator, you can perform the following actions to manage permission profiles.

**List permission profiles**
+ From the Research and Engineering Studio console page, choose **Permission policy** in the left-hand navigation pane. From this page you can create, update, list, view and delete permission profiles.  
![\[administrators can list permission profiles\]](http://docs.aws.amazon.com/res/latest/ug/images/project-roles.png)

**View permission profiles**

1. On the main **Permission Profiles** page, select the name of the permission profile you want to view. From this page you can edit or delete the selected permission profile.  
![\[administrators can edit or delete permission profiles\]](http://docs.aws.amazon.com/res/latest/ug/images/res-permission-profiles-view-1.png)

1. Select the **Affected projects** tab to view the projects that currently use the permission profile.  
![\[administrators can view the projects affected by permission profiles\]](http://docs.aws.amazon.com/res/latest/ug/images/res-permission-profiles-view-2.png)

**Create permission profiles**

1. On the main **Permission Profiles** page, choose **Create profile** to create a permission profile.

1. Enter a permission profile name and description, then select the permissions to grant to the users or groups that you assign to this profile.  
![\[administrators can create permission profiles\]](http://docs.aws.amazon.com/res/latest/ug/images/res-permission-profiles-create.png)

**Edit permission profiles**
+ On the main **Permission Profiles** page, select a profile by clicking the circle next to it, choose **Actions**, then choose **Edit profile** to update that permission profile.  
![\[administrators can edit permission profiles\]](http://docs.aws.amazon.com/res/latest/ug/images/res-permission-profiles-edit.png)

**Delete permission profiles**
+ On the main **Permission Profiles** page, select a profile by clicking the circle next to it, choose **Actions**, then choose **Delete profile**. You cannot delete a permission profile that is used by any existing project.  
![\[administrators can delete permission profiles\]](http://docs.aws.amazon.com/res/latest/ug/images/res-permission-profiles-delete.png)

# Default permissions profiles
<a name="permission-matrix"></a>

Every RES project comes with two default permission profiles that Global Administrators can configure. (In addition, Global Administrators can create and modify new permission profiles for a project.) The following table shows the permissions granted by the default permission profiles, "Project Member" and "Project Owner". Permission profiles, and the permissions they grant to selected users of a project, apply only to the project they belong to; Global Administrators are super users who have all the permissions below across all projects.


| Permissions | Description | Project Member | Project Owner | 
| --- | --- | --- | --- | 
| Create Session | Create your own session. Users can always stop and terminate their own sessions with or without this permission. | X | X | 
| Create/terminate others' sessions | Create or terminate another user's session within a project. |  | X | 
| Update Project membership | Update users and groups associated with a project. |  | X | 
| Update Project Status | Enable or disable a project. |  | X | 
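The matrix above describes a project-scoped, default-deny authorization model with a Global Administrator override and one exception (users may always stop or terminate their own session). The following Python model, added here as an illustration and not RES code, encodes those rules so you can check how a profile assignment in one project does not carry over to another; the user names, project names and the customized `LOCKED_DOWN_PROFILES` variant are constructed.

```python
from dataclasses import dataclass, field

# Permission names from the default permission matrix on this page.
CREATE_SESSION = "Create Session"
CREATE_TERMINATE_OTHERS = "Create/terminate others' sessions"
UPDATE_MEMBERSHIP = "Update Project membership"
UPDATE_STATUS = "Update Project Status"

# Default profiles as shipped; administrators may customize them after deployment.
DEFAULT_PROFILES = {
    "Project Member": frozenset({CREATE_SESSION}),
    "Project Owner": frozenset({CREATE_SESSION, CREATE_TERMINATE_OTHERS,
                                UPDATE_MEMBERSHIP, UPDATE_STATUS}),
}

# Constructed variant: a customized "Project Member" with "Create Session" removed,
# which disables the Launch New Virtual Desktop button for those members.
LOCKED_DOWN_PROFILES = {**DEFAULT_PROFILES, "Project Member": frozenset()}


@dataclass
class User:
    name: str
    global_admin: bool = False
    memberships: dict = field(default_factory=dict)  # project -> profile name


def is_allowed(user, permission, project, profiles=DEFAULT_PROFILES):
    """Default-deny: a profile grants permissions only inside its own project.
    Global Administrators hold every permission in every project."""
    if user.global_admin:
        return True
    profile = user.memberships.get(project)
    if profile is None:
        return False  # not a member of this project at all
    return permission in profiles.get(profile, frozenset())


def can_terminate_session(user, session_owner, project, profiles=DEFAULT_PROFILES):
    """Users can always stop or terminate their own session; acting on another
    user's session needs the Create/terminate others' sessions permission."""
    if user.name == session_owner:
        return True
    return is_allowed(user, CREATE_TERMINATE_OTHERS, project, profiles)


# Constructed sample users (not from the page).
ALICE = User("alice", memberships={"proj-a": "Project Owner", "proj-b": "Project Member"})
BOB = User("bob", memberships={"proj-b": "Project Member"})
ROOT = User("root-admin", global_admin=True)
```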

# Environment boundaries
<a name="permission-profiles-environment-boundaries"></a>

Environment boundaries allow Research and Engineering Studio (RES) administrators to configure permissions that take effect globally for all users. These include **File Browser and SSH permissions**, **Desktop Permissions**, and **Desktop advanced settings**.

![\[environment boundaries\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-environment-boundaries.png)


# Configuring File browser access
<a name="configuring-file-browser-access"></a>

RES administrators can toggle **Access data** on or off under **File browser permissions**. When **Access data** is turned off, users do not see the **File Browser** entry in their web portal navigation and cannot upload or download data attached to their global file system. When **Access data** is turned on, users have the **File Browser** entry in their web portal navigation, which allows them to upload or download data attached to their global file system.

![\[environment boundaries\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-ssh-disabled.png)


When the **Access data** feature is turned on and then later turned off, users who are already logged in to the web portal will be unable to upload or download files, even if they are on the corresponding page. Additionally, the navigation menu will disappear when they refresh the page.

# Configuring SSH access
<a name="configuring-ssh-access"></a>

Administrators can enable or disable SSH for the RES environment from the **Environment boundaries** section. SSH access to VDIs is provided through a bastion host. When you activate this toggle, RES deploys a bastion host and makes the **SSH Access Instructions** page visible to users. When you deactivate the toggle, RES disables SSH access, terminates the bastion host and removes the SSH access instructions page for users. This toggle is deactivated by default.

**Note**  
When RES deploys a bastion host it adds a `t3.medium` Amazon EC2 instance in your AWS account. You are responsible for all charges associated with this instance. See the [Amazon EC2 pricing page](https://aws.amazon.com/ec2/pricing/on-demand/) for more information.

**To enable SSH access**

1. In the RES console, on the left navigation pane, choose **Environment Management**, then **Permission Policy**. Under **Environment boundaries** select the **SSH access** toggle.  
![\[Permission policy page under environment management in the admin console\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-ssh-disabled.png)

1. Wait for SSH access to be enabled.  
![\[Advisory banner appears on the permission policy page under environment management in the admin console\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-enable-ssh.png)

1. Once the Bastion host is added, SSH access is enabled.  
![\[Permission policy page under environment management in the admin console\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-ssh-enabled.png)

   The **SSH Access Instructions** page is visible to users from their left navigation pane.  
![\[SSH access instructions page showing steps for Linux and Windows\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-ssh-enabled2.png)

**To disable SSH access**

1. In the RES console, on the left navigation pane, choose **Environment Management**, then **Permission Policy**. Under **Environment boundaries** select the **SSH access** toggle.  
![\[Permission policy page under environment management in the admin console\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-ssh-enabled.png)

1. Wait for SSH access to be disabled.  
![\[A banner shows SSH access is being disabled on the Permission policy page\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-disable-ssh.png)

1. Once the process is complete, SSH access is disabled.  
![\[Permission policy page showing SSH access disabled\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-ssh-disabled.png)

# Configuring Desktop Permissions
<a name="configuring-desktop-permissions"></a>

Administrators can toggle **Desktop permissions** on or off to globally manage the VDI functionality available to all session owners. All of these permissions, or a subset, can be used to create **Desktop sharing profiles** that determine which actions the users with whom a desktop is shared can perform. If any desktop permission is disabled globally, the corresponding permission in every **Desktop sharing profile** is automatically disabled as well and labeled "Disabled Globally". Even if the administrator enables the desktop permission again, the permission in the desktop sharing profile remains disabled until the administrator manually enables it.

![\[environment boundaries\]](http://docs.aws.amazon.com/res/latest/ug/images/permission-policy-environment-boundaries.png)


# Desktop sharing profiles
<a name="permission-profiles-desktop-sharing-profiles"></a>

Administrators can create new profiles and customize them. These profiles can be accessed by all users and are used when sharing a session with others. The maximum permissions granted within these profiles cannot exceed the desktop permissions allowed globally.
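The interplay between the global desktop permissions (previous section) and the sharing profiles described here is a fail-closed cascade: a global disable propagates into every profile, but a later global re-enable does not silently restore what was granted before. The Python model below, added here as an illustration and not RES code, captures that behaviour; the permission names `clipboard` and `file_transfer` are constructed placeholders (the page does not list the individual desktop permissions), and the way the "Disabled Globally" label is cleared on re-enable is this model's assumption.

```python
DISABLED_GLOBALLY = "Disabled Globally"


class DesktopPermissionPolicy:
    """Model of global desktop permissions and desktop sharing profiles.

    A profile entry is True (granted), False (not granted) or the
    DISABLED_GLOBALLY label applied when the global toggle is switched off.
    """

    def __init__(self, permissions):
        self.global_enabled = {p: True for p in permissions}  # all on at start
        self.profiles = {}  # profile name -> {permission: True | False | label}

    def create_profile(self, name, granted):
        """A profile may never grant more than the global toggles allow."""
        for p in granted:
            if not self.global_enabled[p]:
                raise ValueError(f"{p!r} is disabled globally and cannot be granted")
        self.profiles[name] = {p: p in granted for p in self.global_enabled}

    def set_global(self, permission, enabled):
        """Switch a global desktop permission: disabling cascades, enabling does not."""
        self.global_enabled[permission] = enabled
        for state in self.profiles.values():
            if not enabled and state[permission] is True:
                state[permission] = DISABLED_GLOBALLY  # auto-disabled and labelled
            elif enabled and state[permission] == DISABLED_GLOBALLY:
                # Stays off until an administrator edits the profile; dropping the
                # label here is this model's assumption.
                state[permission] = False

    def edit_profile(self, name, permission, enabled):
        """Manual edit by an administrator, still bounded by the global toggle."""
        if enabled and not self.global_enabled[permission]:
            raise ValueError(f"{permission!r} is disabled globally")
        self.profiles[name][permission] = enabled

    def effective(self, name):
        """Permissions a share recipient actually receives from a profile."""
        return {p for p, v in self.profiles[name].items()
                if v is True and self.global_enabled[p]}
```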

**Create Profile**

Administrators can choose **Create profile** to create a new profile. Then they can enter a **Profile name**, a **Profile Description**, set the desired permissions, and **Save** their changes.

![\[desktop sharing profiles\]](http://docs.aws.amazon.com/res/latest/ug/images/desktop-sharing-profiles.png)


![\[profile definition and permissions\]](http://docs.aws.amazon.com/res/latest/ug/images/res-profile-definition.png)


**Edit Profile**

**To edit a profile:**

1. Select the desired profile.

1. Choose **Actions**, then select **Edit** to modify the profile.

1. Adjust the permissions as needed.

1. Choose **Save changes**.

Any changes made to the profile will be immediately applied to the current open sessions.

![\[desktop sharing profiles with testprofile_1 selected\]](http://docs.aws.amazon.com/res/latest/ug/images/res-desktop-sharing-profiles2.png)


![\[profile definition and permissions for testProfile_1\]](http://docs.aws.amazon.com/res/latest/ug/images/res-profile-definition2.png)
