

# Domain units and authorization policies in Amazon SageMaker Unified Studio

Use *domain units* to organize your assets and other domain entities under specific business units and teams. To set up secure and efficient data sharing within and across business units of your organization, create domain units within Amazon SageMaker Unified Studio and grant access to selected users within each business unit so they can log in and share their assets to the catalog. Users from anywhere in the enterprise can search for assets under those business units and request access to those assets.

Resource owners such as AWS account owners can use domain units to set up Amazon SageMaker Unified Studio authorization permissions on their resources. Domain units delegate authority from account owners to domain unit owners, who can then set up authorization permissions on project profiles (created using blueprint configurations) on behalf of account owners. This way, you can limit who can create and use project profiles depending on the business units to which they belong. Amazon SageMaker Unified Studio authorization permissions can also be used to enforce metadata standards by allowing only selected projects to create metadata forms and glossaries. This helps maintain consistent, high-quality metadata. For more information, see [Amazon SageMaker Unified Studio terminology and concepts](concepts.md).

Within an Amazon SageMaker Unified Studio domain unit, you can assign the following authorization policies to your users and groups to grant them specific permissions:
+ Domain unit creation policy
+ Project creation policy
+ Project membership policy
+ Domain unit ownership assumption policy
+ Project ownership assumption policy

Within an Amazon SageMaker Unified Studio domain unit, you can assign the following authorization policies to your projects to grant them specific permissions:
+ Glossary creation policy
+ Metadata forms creation policy
+ Custom asset type creation policy

**Topics**
+ [Create domain units in Amazon SageMaker Unified Studio](create-domain-unit.md)
+ [Edit domain units in Amazon SageMaker Unified Studio](edit-domain-unit.md)
+ [Delete domain units in Amazon SageMaker Unified Studio](delete-domain-unit.md)
+ [Manage domain unit owners in Amazon SageMaker Unified Studio](add-domain-unit-owners.md)
+ [Assign authorization policies to users and groups within an Amazon SageMaker Unified Studio domain unit](assign-authorization-policies-to-users-in-domain-unit.md)
+ [Assign authorization policies to projects within an Amazon SageMaker Unified Studio domain unit](assign-authorization-policies-to-projects-in-domain-unit.md)
+ [Assign authorization policies to asset types](assign-authorization-policies-to-asset-types.md)

# Create domain units in Amazon SageMaker Unified Studio

In Amazon SageMaker Unified Studio, domain units enable you to organize your assets and other domain entities under specific business units and teams. For more information, see [Amazon SageMaker Unified Studio terminology and concepts](concepts.md). 

**To create a domain unit**

1. Navigate to Amazon SageMaker Unified Studio using the URL from your administrator and log in using your SSO or AWS credentials. 

1. Choose **Govern**.

1. Choose **Domain units**.

1. Choose **Create domain unit**.

1. Specify the following:
   + Under **Domain unit details**, for **Name**, specify the domain unit name.
   + Under **Domain unit details**, for **Description**, specify the domain unit description.
   + Under **Parent domain unit**, choose **Select domain unit**.

      Select the parent domain unit under which you'd like to add the new domain unit. Then choose **Select parent domain unit**.

1. Choose **Create domain unit**.

# Edit domain units in Amazon SageMaker Unified Studio

In Amazon SageMaker Unified Studio, domain units enable you to organize your assets and other domain entities under specific business units and teams. For more information, see [Amazon SageMaker Unified Studio terminology and concepts](concepts.md). 

**To edit a domain unit**

1. Navigate to Amazon SageMaker Unified Studio using the URL from your administrator and log in using your SSO or AWS credentials. 

1. Choose **Govern**.

1. Choose **Domain units**.

1. Navigate to the **Domain units** tab and choose the domain unit that you want to edit.

1. Expand **Actions** and choose **Edit domain unit**.

1. Make your changes to the domain unit name and description and then choose **Update domain unit**.

# Delete domain units in Amazon SageMaker Unified Studio

In Amazon SageMaker Unified Studio, domain units enable you to organize your assets and other domain entities under specific business units and teams. For more information, see [Amazon SageMaker Unified Studio terminology and concepts](concepts.md). 

**To delete a domain unit**

1. Navigate to Amazon SageMaker Unified Studio using the URL from your administrator and log in using your SSO or AWS credentials. 

1. Choose **Govern**.

1. Choose **Domain units**.

1. Navigate to the **Domain units** tab and choose the domain unit that you want to delete.

1. Expand **Actions** and choose **Delete domain unit**.

1. In the **Delete domain unit** pop-up window, confirm the deletion, then choose **Delete**.

# Manage domain unit owners in Amazon SageMaker Unified Studio

In Amazon SageMaker Unified Studio, domain units enable you to organize your assets and other domain entities under specific business units and teams. For more information, see [Amazon SageMaker Unified Studio terminology and concepts](concepts.md). 

To add owners to a domain unit in Amazon SageMaker Unified Studio, complete the following steps. 

1. Navigate to Amazon SageMaker Unified Studio using the URL from your administrator and log in using your SSO or AWS credentials. 

1. Choose **Govern**.

1. Choose **Domain units**.

1. Navigate to the **Domain units** tab and choose the domain unit that you want to add owners to.

1. On the domain details page, navigate to the **Owners** tab.

1. Choose **Add owner**, and then in the **Add domain unit owners** pop-up window, specify the users that you want to make domain unit owners.

1. Choose **Add owners**.

# Assign authorization policies to users and groups within an Amazon SageMaker Unified Studio domain unit

In Amazon SageMaker Unified Studio, domain units enable you to organize your assets and other domain entities under specific business units and teams. For more information, see [Amazon SageMaker Unified Studio terminology and concepts](concepts.md). 

In an Amazon SageMaker Unified Studio domain unit, you can assign the following authorization policies to your users and groups to grant them various authorization permissions within this domain unit:
+ Domain unit creation policy
+ Project creation policy
+ Project membership policy
+ Domain unit ownership assumption policy
+ Project ownership assumption policy

To assign authorization policies to users and groups within a domain unit, complete the following procedure:

1. Navigate to Amazon SageMaker Unified Studio using the URL from your administrator and log in using your SSO or AWS credentials. 

1. Choose **Govern**.

1. Choose **Domain units**.

1. Navigate to the **Domain units** tab and choose the domain unit in which you want to add an authorization policy grant.

1. On the domain unit details page, choose the authorization policy that you want to assign to users or groups.

1. Choose **Add policy grant**.

1. In the **Add users** pop-up window, do one of the following:
   + Choose **Select users and groups**, specify users and groups to which you want to assign the selected authorization policy, and then choose **Add policy grant**.
   + Choose **All users** and then choose **Add policy grant**.

1. You can also enable or disable the cascade permissions of the selected authorization policy for the selected users. To enable them, select the user(s) for which you want to enable the cascade permissions, expand **Actions**, and then choose **Set cascade permissions to true**. The selected users will then have the permissions granted by this policy in all child domain units under this domain unit. To disable them, select the user(s) for which you want to disable the cascade permissions, expand **Actions**, and then choose **Set cascade permissions to false**.

To view examples of project membership policies in domain unit hierarchies, see [Project membership policy in the hierarchy of domain units in Amazon DataZone](https://docs.aws.amazon.com/datazone/latest/userguide/projectmembershippolicy.html) in the Amazon DataZone User Guide.
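The cascade rule from the last step of the procedure above, modeled locally as an added example (this is not AWS code and calls no AWS API): a grant applies in the domain unit where it was added and, when cascade is true, in every child domain unit beneath it. The hierarchy, principals and grants are constructed for illustration; the policy names are the ones listed on this page.

```python
from dataclasses import dataclass

ALL_USERS = "*"  # stands in for the console's "All users" choice (assumption)

@dataclass(frozen=True)
class Grant:
    unit: str        # domain unit where the policy grant was added
    policy: str      # authorization policy name as listed on this page
    principal: str   # user or group name, or ALL_USERS
    cascade: bool    # "Set cascade permissions to true" / "... to false"

# Constructed hierarchy: child domain unit -> parent domain unit
PARENT = {"Sales": "Root", "Sales-EMEA": "Sales", "Finance": "Root"}

# Constructed policy grants to audit
GRANTS = [
    Grant("Root", "Project creation policy", ALL_USERS, True),
    Grant("Sales", "Domain unit creation policy", "alice", True),
    Grant("Sales", "Project membership policy", "sales-team", False),
    Grant("Finance", "Project ownership assumption policy", "bob", False),
]

def ancestors(unit):
    """Return the unit followed by each of its ancestors, nearest first."""
    chain, seen = [], set()
    while unit is not None:
        if unit in seen:
            raise ValueError(f"cycle in hierarchy at {unit}")
        seen.add(unit)
        chain.append(unit)
        unit = PARENT.get(unit)
    return chain

def effective_grants(unit, grants=GRANTS):
    """Grants in force at `unit`: its own, plus cascading grants from ancestors."""
    chain = ancestors(unit)
    return [g for g in grants
            if g.unit == unit or (g.cascade and g.unit in chain)]

def principals(unit, policy, grants=GRANTS):
    """Principals that hold `policy` at `unit`."""
    return {g.principal for g in effective_grants(unit, grants) if g.policy == policy}

def broad_cascades(grants=GRANTS):
    """Map each cascading 'All users' grant to every domain unit it reaches."""
    units = set(PARENT) | set(PARENT.values())
    return {g: sorted(u for u in units if g in effective_grants(u, grants))
            for g in grants if g.principal == ALL_USERS and g.cascade}
```

Running `broad_cascades()` over an export of your own grants shows which **All users** grants reach the whole subtree, which is the combination to review before enabling cascade on a parent domain unit.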

# Assign authorization policies to projects within an Amazon SageMaker Unified Studio domain unit

In Amazon SageMaker Unified Studio, domain units enable you to organize your assets and other domain entities under specific business units and teams. For more information, see [Amazon SageMaker Unified Studio terminology and concepts](concepts.md). 

In an Amazon SageMaker Unified Studio domain unit, you can assign the following authorization policies to your projects to grant these entities various authorization permissions within this domain unit:
+ Glossary creation policy
+ Metadata forms creation policy
+ Custom asset type creation policy

To assign authorization policies to projects within a domain unit, complete the following procedure:

1. Navigate to Amazon SageMaker Unified Studio using the URL from your administrator and log in using your SSO or AWS credentials. 

1. Choose **Govern**.

1. Choose **Domain units**.

1. Navigate to the **Domain units** tab and choose the domain unit in which you want to add an authorization policy grant.

1. On the domain unit details page, choose the authorization policy that you want to assign to projects and then choose **Add project**.

1. Choose **Add policy grant**.

1. In the **Add projects** pop-up window, do one of the following:
   + Choose **Selected projects in a domain unit**, specify projects to which you want to assign the selected authorization policy, and then choose **Add policy grant**.
   + Choose **All projects in a domain unit** and then choose **Add policy grant**.

# Assign authorization policies to asset types

In Amazon SageMaker Unified Studio, asset types define how assets are represented in the Amazon SageMaker catalog. An asset type defines the schema for a specific type of asset. You can complete the following procedure to assign authorization policies to asset types. Only domain unit owners and project owners can edit asset types' usage permissions. Project contributors can view asset type usage permissions but they cannot edit them.

1. Navigate to Amazon SageMaker Unified Studio using the URL from your administrator and log in using your SSO or AWS credentials. 

1. Choose **Govern**.

1. Choose **Asset types**.

1. Choose an existing asset type and then choose the **Permissions** tab.

1. Choose **Add usage permission**, and in the **Add projects and designations** pop-up window, specify the authorized projects (you can choose **Select projects in a domain unit** or **All project in a domain unit**), the specific domain unit, and the allowed designations, that is, which designations a project member must have to use this policy. You can choose **Owner** or **Contributor**.

1. Choose **Add policy grant** to save the changes and complete modifying the asset type usage permissions.