

# Managing Portfolios
<a name="catalogs_portfolios"></a>

You create, view, and update portfolios on the **Portfolios** page in the AWS Service Catalog administrator console.

**Topics**
+ [Creating, Viewing, and Deleting Portfolios](#portfoliomgmt-menu)
+ [Viewing Portfolio Details](#portfoliomgmt-portdetails)
+ [Creating and Deleting Portfolios](portfoliomgmt-create.md)
+ [Adding products](portfoliomgmt-products.md)
+ [Adding Constraints](portfoliomgmt-constraints.md)
+ [Granting Access to Users](catalogs_portfolios_users.md)
+ [Sharing a Portfolio](catalogs_portfolios_sharing_how-to-share.md)
+ [Sharing and Importing Portfolios](catalogs_portfolios_sharing.md)

## Creating, Viewing, and Deleting Portfolios
<a name="portfoliomgmt-menu"></a>

The **Portfolios** page displays a list of the portfolios that you have created in the current region. Use this page to create new portfolios, view a portfolio's details, or delete portfolios from your account. 

**To view the **Portfolios** page**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. Select a different region as necessary.

1. If you are new to AWS Service Catalog, you see the AWS Service Catalog start page. Choose **Get started** to create a portfolio. Follow the instructions to create your first portfolio, and then proceed to the **Portfolios** page.

While using AWS Service Catalog, you can return to the **Portfolios** page at any time; choose **Service Catalog** in the navigation bar and then choose **Portfolios**.

## Viewing Portfolio Details
<a name="portfoliomgmt-portdetails"></a>

In the AWS Service Catalog administrator console, the **Portfolio details** page lists the settings for a portfolio. Use this page to manage the products in the portfolio, grant users access to products, and apply TagOptions and constraints.

**To view the **Portfolio details** page**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. Choose the portfolio that you want to manage.

# Creating and Deleting Portfolios
<a name="portfoliomgmt-create"></a>

Use the **Portfolios** page to create and delete portfolios. 

**To create a new portfolio**

1. In the left navigation menu, choose **Portfolios**.

1. Choose **Create portfolio**. 

1. On the **Create portfolio** page, enter the requested information.

1. Choose **Create**. AWS Service Catalog creates the portfolio and displays the portfolio details.

**To delete a portfolio**

**Note**  
You can only delete *local* portfolios. You can remove *imported* (shared) portfolios, but you cannot delete imported portfolios. 

Before you can delete a portfolio, you must remove all its products, constraints, groups, roles, users, shares, and TagOptions. To do so, open a portfolio to display **Portfolio details**. Then choose a tab to remove them.

**Note**  
To avoid errors, remove the constraints from the portfolio *before* you remove any products. 

1. In the left navigation menu, choose **Portfolios**.

1. Select the portfolio you want to delete.

1. Choose **Delete**. You can only delete *local* portfolios. If you are attempting to delete an *imported* (shared) portfolio, the **Actions** menu is not available. 

1. In the confirmation window, choose **Delete**.

# Adding products
<a name="portfoliomgmt-products"></a>

 You can add products to a portfolio by uploading a new product directly to an existing portfolio or by associating an existing product from your catalog to the portfolio. 

**Note**  
When you create an AWS Service Catalog product, you can upload a CloudFormation template or Terraform configuration file. The CloudFormation template is stored in an Amazon Simple Storage Service (Amazon S3) bucket, and the bucket name begins with "***cf-templates-***." You also must have permission to retrieve objects from additional buckets when provisioning a product. For more information, see [Creating products](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/productmgmt-cloudresource.html#productmgmt-cloudresource-troubleshooting). 

## Adding a new product
<a name="portfoliomgmt-products-new"></a>

You add new products directly from the **Portfolio details** page. When you create a product from this page, AWS Service Catalog adds it to the currently selected portfolio. 

**To add a new product**

1.  Navigate to the **Portfolios** page, and then choose the name of the portfolio to which you want to add the product.

1. On the **Portfolio details** page, expand the **Products** section, and then choose **Upload new product**. 

1. For **Enter product details**, enter the following:
   + **Product name** – The name of the product.
   + **Product description** (optional) – The product description. This description is shown in the product listing to help you choose the correct product. 
   + **Description** – The full description. This description is shown in the product listing to help you choose the correct product.
   + **Owner or Distributor** – The name or email address of the owner. The contact information for the distributor is optional.
   + **Vendor** (optional) – The name of the application's publisher. This field allows you to sort the products list to make it easier to find products.

1. On the **Version details** page, enter the following:
   + **Choose template** – For CloudFormation products, choose your own template file, a CloudFormation template from a local drive or a URL that points to a template stored in Amazon S3, an existing CloudFormation Stack ARN template, or a template file stored in an external repository.

     For Terraform products, choose your own template file, a tar.gz configuration file from a local drive or a URL that points to a template stored in Amazon S3, or a tar.gz configuration file stored in an external repository.
   + **Version name** (optional) – The name of the product version (e.g., "v1", "v2beta"). No spaces are allowed. 
   + **Description** (optional) – A description of the product version including how this version differs from the previous version.

1. For **Enter support details**, enter the following:
   + **Email contact** (optional) – The email address for reporting issues with the product.
   + **Support link** (optional) – A URL to a site where users can find support information or file tickets. The URL must begin with `http://` or `https://`. Administrators are responsible for maintaining the accuracy and access of support information.
   + **Support description** (optional) – A description of how you should use the **Email contact** and **Support link**.

1. Choose **Create product**.

## Adding an existing product
<a name="portfoliomgmt-products-existing"></a>

You can add existing products to a portfolio from three places: the **Portfolios** list, the **Portfolio details** page, or the **Product list** page.

**To add an existing product to a portfolio**

1. Navigate to the **Portfolios** page. 

1. Choose a portfolio. Then choose **Actions** - **Add product to portfolio**. 

1.  Choose a product, and then choose **Add product to portfolio**. 

## Removing a product from a portfolio
<a name="portfoliomgmt-products-remove"></a>

When you no longer want to use a product, remove it from a portfolio. The product is still available in your catalog from the **Products** page, and you can still add it to other portfolios. You can remove multiple products from a portfolio at one time.

**To remove a product from a portfolio**

1. Navigate to the **Portfolios** page, and then choose the portfolio that contains the product. The **Portfolio details** page opens. 

1. Expand the **Products** section. 

1. Choose one or more products, and then choose **Remove**. 

1. Confirm your choice.

# Adding Constraints
<a name="portfoliomgmt-constraints"></a>

You should add constraints to control how users engage with products. For more information about the types of constraints that AWS Service Catalog supports, see [Using AWS Service Catalog Constraints](constraints.md). 

 You add constraints to products after they have been placed in a portfolio.

**To add a constraint to a product**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. Choose **Portfolios** and select a portfolio. 

1. In the portfolio details page, expand the **Create constraint** section and choose **Add constraints**. 

1. For **Product**, select the product to which to apply the constraint.

1. For **Constraint type**, choose one of the following options:

   **Launch** – Allows you to assign an IAM role to the product that is used to provision the AWS resources. For more information, see [AWS Service Catalog Launch Constraints](constraints-launch.md).

   **Notification** – Allows you to stream product notifications to an Amazon SNS topic. For more information, see [AWS Service Catalog Notification Constraints](constraints-notification.md).

   **Template** – Allows you to limit the options that are available to end users when they launch the product. A Template consists of a JSON–formatted text file that contains one or more rules. Rules are added to the CloudFormation template used by the product. For more information, see [Template Constraint Rules](reference-template_constraint_rules.md).

    **Stack Set** – Allows you to configure product deployment across accounts and regions using CloudFormation StackSets. For more information, see [AWS Service Catalog Stack Set Constraints](constraints-stackset.md).

   **Tag Update** – Allows you to update tags after the product has been provisioned. For more information, see [AWS Service Catalog Tag Update Constraints.](https://docs.aws.amazon.com/servicecatalog/latest/adminguide/constraints-resourceupdate.html)

1.  Choose **Continue** and enter the required information.

**To edit a constraint**

1. Sign in to the AWS Management Console and open the AWS Service Catalog administrator console at [https://console.aws.amazon.com/catalog/](https://console.aws.amazon.com/catalog/).

1. Choose **Portfolios** and select a portfolio. 

1. In the **Portfolio details** page, expand the **Create constraint** section and select the constraint to edit.

1. Choose **Edit constraints**.

1. Edit the constraint as needed, and choose **Save**.

# Granting Access to Users
<a name="catalogs_portfolios_users"></a>

Give users access to portfolios through groups or roles. The best way to provide portfolio access for many users is to put the users in an IAM group and grant access to that group. That way you can simply add and remove users from the group to manage portfolio access. For more information, see [IAM users and groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html) in the *IAM User Guide*.

In addition to access to a portfolio, users must also have access to the AWS Service Catalog end user console. You grant access to the console by applying permissions in IAM. For more information, see [Identity and Access Management in AWS Service Catalog](controlling_access.md).

If you want to share a portfolio and its Principals with other accounts, you can associate Principal Names (groups, roles or users) with the Portfolio. Principal Names are shared with the Portfolio and used in recipient accounts to grant access to end users.

**To grant portfolio access to users or groups**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1.  From the navigation pane, choose **Administration**, and then choose **Portfolios**. 

1.  Choose the portfolio that you want to grant groups, roles, or users access to. AWS Service Catalog directs you to the **Portfolio details** page. 

1.  On the **Portfolio details** page, choose the **Access** tab. 

1.  Under **Portfolio access**, choose **Grant access**. 

1.  For **Type**, choose **Principal Name**, and then select the **group/**, **role/**, or **user/** type. You can add up to 9 principal names. 

1.  Choose **Grant Access** to associate the principal to the current portfolio. 

**To remove access to a portfolio**

1. On the **Portfolio details** page, choose a group, role, or user name.

1. Choose **Remove access**.

# Sharing a Portfolio
<a name="catalogs_portfolios_sharing_how-to-share"></a>

To enable an AWS Service Catalog administrator for another AWS account to distribute your products to end users, share your AWS Service Catalog portfolio with them using either account-to-account sharing or AWS Organizations.

 When you share a portfolio using account-to-account sharing or Organizations, you are sharing a *reference* of that portfolio. The products and constraints in the imported portfolio stay in sync with changes that you make to the *shared portfolio*, the original portfolio that you shared. 

The recipient cannot change the products or constraints, but can add AWS Identity and Access Management access for end users. 

**Note**  
 You cannot share a shared resource. This includes portfolios that contain a shared product. 

## Account-to-account sharing
<a name="portfolio-sharing-account"></a>

To complete these steps, you must obtain the account ID of the target AWS account. You can find the ID on the **My Account** page in the AWS Management Console of the target account.

**To share a portfolio with an AWS account**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. In the left navigation menu, choose **Portfolios** and then select the portfolio you want to share. In the **Actions** menu, select **Share**.

1. In **Enter account ID** enter the account ID of the AWS account that you are sharing with. (Optional) Select [TagOption Sharing](#tagoptions-share). Then, choose **Share**. 

1. Send the URL to the AWS Service Catalog administrator of the target account. The URL opens the **Import Portfolio** page with the ARN of the shared portfolio automatically provided.

### Importing a Portfolio
<a name="catalogs_portfolios_sharing_importing"></a>

If an AWS Service Catalog administrator for another AWS account shares a portfolio with you, import that portfolio into your account so that you can distribute its products to your end users.

You do not need to import a portfolio if the portfolio was shared through AWS Organizations.

To import the portfolio, you must get the portfolio ID from the administrator.

To view all imported portfolios, open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/). On the **Portfolios** page, select the **Imported** tab. Review the **Imported Portfolios** table. 

## Sharing with AWS Organizations
<a name="portfolio-sharing-organizations"></a>

You can share AWS Service Catalog portfolios using AWS Organizations. 

 First, you must decide if you're sharing from the management account or a delegated administrator account. If you don't want to share from your management account, register a delegated admin account that you can use for sharing. For more information, see [Register a delegated administrator](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-delegated-admin.html) in the *CloudFormation User Guide*. 

 Next, you must decide who to share to. You can share to the following entities: 
+ An organization account.
+ An organizational unit (OU).
+ The organization itself. (This shares with every account in the organization.)

### Sharing from a management account
<a name="sharing-from-master"></a>

You can share a portfolio with an organization when you use your organizational structure or input the ID of an organizational node.

**To share a portfolio with an organization by using the organizational structure**

1. Open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. On the **Portfolios** page, select the portfolio that you want to share. In the **Actions** menu, select **Share**.

1. Select **AWS Organizations** and filter into your organizational structure. 

   You can select the Root node to share the portfolio with your entire organization, a parent Organizational Unit (OU), a child OU, or an AWS account within your organization. 

   Sharing to a parent OU shares the portfolio to all accounts and child OUs within that parent OU. 

   You can select **View AWS accounts only** to see a list of all of the AWS accounts in your organization.

**To share a portfolio with an organization by entering the ID of the organizational node**

1. Open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. On the **Portfolios** page, select the portfolio that you want to share. In the **Actions** menu, select **Share**. 

1. Select **Organization Node**. 

   Select whether you want to share with your entire organization, an AWS account within your organization, or an OU. 

   Input the ID of the organizational node you selected, which you can find within the AWS Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

### Sharing from a delegated administrator account
<a name="delegated-admin"></a>

 The management account of an organization can register and de-register other accounts as delegated administrators for the organization. 

A delegated administrator can share AWS Service Catalog resources in their organization the same way a management account can. They are authorized to create, delete, and share portfolios. 

To register or de-register a delegated administrator, you must use the API or CLI from the management account. For more information, see [RegisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html) and [DeregisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html) in the *AWS Organizations API Reference*. 

**Note**  
Before you can designate a delegate, the administrator must call [EnableAWSOrganizationsAccess](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_EnableAWSOrganizationsAccess.html).

The procedure for sharing a portfolio from a delegated administrator account is the same as sharing from a management account, as seen above in [Sharing from a management account](#sharing-from-master).

 If a member is de-registered as a delegated administrator, the following occurs: 
+ Portfolio shares that were created from that account are removed.
+ They can no longer create new portfolio shares.

**Note**  
 If the portfolio and shares created by a delegated administrator do not get removed after the delegated administrator is de-registered, register and de-register the delegated administrator again. This action removes the portfolio and shares created by that account. 

### Moving accounts within your organization
<a name="move-account"></a>

If you move an account within your organization, the AWS Service Catalog portfolios shared with the account might change. 

Accounts only have access to portfolios shared with their destination organization or organizational unit. 

## Sharing TagOptions when sharing portfolios
<a name="tagoptions-share"></a>

As an administrator, you can create a share to include TagOptions. TagOptions are key-value pairs that enable administrators to:
+ Define and enforce the taxonomy for tags.
+ Define tag options and associate them to products and portfolios.
+ Share tag options associated with portfolios and products with other accounts.

When you add or remove tag options in the main account, the change automatically appears in recipient accounts. In recipient accounts, when an end user provisions a product with TagOptions, they must choose values for tags that become tags on the provisioned product. 

In recipient accounts administrators can associate additional local TagOptions to their imported portfolio to enforce tagging rules that are specific to that account.

**Note**  
To share a portfolio, you need the consumer's AWS account ID. Find the AWS account ID in **My Account** in the console.

**Note**  
If a TagOption has a single value, AWS automatically enforces that value during the provisioning process.

**To share TagOptions when sharing portfolios**

1. In the left navigation menu, choose **Portfolios**.

1. In **Local portfolios**, choose and open a portfolio.

1. Choose **Share** from the list above and then choose the **Share** button.

1. Choose to share with another AWS account or organization.

1. Enter the 12 digit account ID number, select **Enable**, and then choose **Share**.

   The account you shared displays in the **Accounts shared with** section. It indicates whether TagOptions were enabled.

You can also update a portfolio share to include TagOptions. All TagOptions that belong to the portfolio and product now share to this account.

**To update a portfolio share to include TagOptions**

1. In the left navigation menu, choose **Portfolios**.

1. In **Local portfolio**, choose and open a portfolio.

1. Choose **Share** from the list above.

1. In **Accounts shared with**, choose an account ID and then choose **Actions**.

1. Select **Update unshare** or **Unshare**.

   When you select **Update unshare**, choose **Enable** to initiate sharing TagOptions. The account you shared displays in the **Accounts shared with** section.

   When you select **Unshare**, confirm you no longer want to share the account.

## Sharing Principal Names when sharing portfolios
<a name="principal-name-share"></a>

As an administrator, you can create a Portfolio share that includes Principal Names. Principal Names are names for groups, roles and users that administrators can specify in a Portfolio, and then share with the portfolio. When you share the portfolio, AWS Service Catalog verifies if those Principal Names already exist. If they do exist, AWS Service Catalog automatically associates the matching IAM Principals with the shared Portfolio to grant access to users.

**Note**  
When you associate a principal with a portfolio, a potential privilege escalation path may occur when that portfolio is then shared with other accounts. For a user in a recipient account who is *not* an AWS Service Catalog Admin, but still has the ability to create Principals (Users/Roles), that user could create an IAM Principal that matches a principal name association for the portfolio. Although this user may not know which principal names are associated through AWS Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then AWS Service Catalog recommends using `PrincipalType` as `IAM`. With this configuration, the `PrincipalARN` must already exist in the recipient account before it can be associated.

When you add or remove Principal Names in the main account, AWS Service Catalog automatically applies those changes in the recipient account. Users in the recipient account can then perform tasks based on their role:
+ **End users** can provision, update, and terminate the portfolio's product. 
+ **Administrators** can associate additional IAM Principals to their imported portfolio to grant access to end users specific to that account. 

**Note**  
Principal Name Sharing is only available for AWS Organizations.

**To share Principal Names when sharing portfolios**

1. In the left navigation menu, choose **Portfolios**. 

1. In **Local portfolios**, choose the portfolio you want to share.

1. In the **Actions** menu, choose **Share**.

1. Select an organization in AWS Organizations.

1. Select the entire **organization root**, an **organization unit (OU)**, or an **organization member**.

1. In **Share** settings, enable the **Principal sharing** option.

You can also update a portfolio share to include Principal Name sharing. This shares all Principal Names that belong to that portfolio with the recipient account. 

**To update a portfolio share to enable or disable Principal Names**

1. In the left navigation menu, choose **Portfolios**. 

1. In **Local portfolio**, choose the portfolio you want to update. 

1. Choose the **Share** tab. 

1. Select the share you want to update, and then choose **Share**. 

1. Choose **Update share**, and then choose **Enable** to initiate Principal sharing. AWS Service Catalog then shares Principal Names in recipient accounts. 

**Disable** Principal sharing if you want to stop sharing the Principal Names with recipient accounts.

### Using wildcards when sharing Principal Names
<a name="wildcards-principal-names"></a>

AWS Service Catalog supports granting portfolio access to IAM principal (user, group, or role) names with wildcards, such as '\*' or '?'. Using wildcard patterns enables you to cover multiple IAM principal names at one time. The ARN path and principal name allow unlimited wildcard characters. 

Examples of an **acceptable** wildcard ARN:
+ **arn:aws:iam:::role/ResourceName\_\***
+ **arn:aws:iam:::role/\*/ResourceName\_?**

Examples of an **unacceptable** wildcard ARN:
+ **arn:aws:iam:::\*/ResourceName**

In the IAM Principal ARN format (**arn:partition:iam:::resource-type/resource-path/resource-name**), valid values include **user/**, **group/**, or **role/**. The "?" and "\*" are allowed only after the resource-type in the resource-id segment. You can use special characters anywhere within the resource-id.

The "\*" character also matches the "/" character, allowing paths to be formed *within* the resource-id. For example:

**arn:aws:iam:::role/\*/ResourceName\_?** matches both **arn:aws:iam:::role/pathA/pathB/ResourceName\_1** and **arn:aws:iam:::role/pathA/ResourceName\_1**. 
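
The wildcard rules above, and the earlier note on principal names matching IAM principals created in a recipient account, can be checked offline before principal sharing is enabled. The following Python sketch is an added example, not AWS code: it rejects patterns with misplaced wildcards and lists which principals in a recipient account each shared name pattern would cover. Assumptions: the function names are hypothetical, the account IDs and principal lists are constructed, the association dictionaries mirror the `Principals` entries returned by the `ListPrincipalsForPortfolio` API (where name patterns carry `PrincipalType` `IAM_PATTERN`), "?" is taken to match exactly one character, and the account ID is blanked before comparison.

```python
import re

# Pattern layout from this page: arn:partition:iam:::resource-type/resource-id
# (account field empty). Wildcards are accepted only inside the resource-id.
_PATTERN_RE = re.compile(r"arn:([^:*?]+):iam:::(user|group|role)/(.+)", re.DOTALL)


def parse_principal_pattern(pattern):
    """Split a principal name pattern; raise ValueError if it is unacceptable."""
    m = _PATTERN_RE.fullmatch(pattern)
    if m is None:
        raise ValueError(f"unacceptable principal name pattern: {pattern!r}")
    return m.group(1), m.group(2), m.group(3)


def compile_principal_pattern(pattern):
    """Build a regex: '*' spans any run (including '/'), '?' one character (assumption)."""
    partition, rtype, rid = parse_principal_pattern(pattern)
    body = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in rid
    )
    return re.compile(rf"arn:{re.escape(partition)}:iam:::{rtype}/{body}", re.DOTALL)


def strip_account(arn):
    """Blank the account field of an IAM ARN so it lines up with a name pattern."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam":
        raise ValueError(f"not an IAM ARN: {arn!r}")
    parts[4] = ""
    return ":".join(parts)


def covered_principals(pattern, account_principal_arns):
    """Return the principals in one account that the pattern would grant access to."""
    rx = compile_principal_pattern(pattern)
    return [a for a in account_principal_arns if rx.fullmatch(strip_account(a))]


def audit_associations(associations, account_principal_arns):
    """Report what each name-pattern association covers in a recipient account."""
    findings = []
    for assoc in associations:
        if assoc["PrincipalType"] != "IAM_PATTERN":
            continue  # type IAM: a full ARN that must already exist, nothing to expand
        arn = assoc["PrincipalARN"]
        try:
            hits = covered_principals(arn, account_principal_arns)
            status = "wildcard" if re.search(r"[*?]", arn) else "name-only"
        except ValueError:
            hits, status = [], "invalid"
        findings.append({"pattern": arn, "status": status, "covers": hits})
    return findings


# Constructed sample data: associations on a shared portfolio ...
ASSOCIATIONS = [
    {"PrincipalARN": "arn:aws:iam:::role/*/ResourceName_?", "PrincipalType": "IAM_PATTERN"},
    {"PrincipalARN": "arn:aws:iam:::role/ResourceName_*", "PrincipalType": "IAM_PATTERN"},
    {"PrincipalARN": "arn:aws:iam:::*/ResourceName", "PrincipalType": "IAM_PATTERN"},
    {"PrincipalARN": "arn:aws:iam::111122223333:role/CatalogEndUser", "PrincipalType": "IAM"},
]
# ... and the IAM principals that exist in one recipient account (constructed).
RECIPIENT_PRINCIPALS = [
    "arn:aws:iam::444455556666:role/pathA/pathB/ResourceName_1",
    "arn:aws:iam::444455556666:role/pathA/ResourceName_1",
    "arn:aws:iam::444455556666:role/ResourceName_dev",
    "arn:aws:iam::444455556666:role/pathA/ResourceName_10",
    "arn:aws:iam::444455556666:user/ResourceName_1",
]

if __name__ == "__main__":
    for finding in audit_associations(ASSOCIATIONS, RECIPIENT_PRINCIPALS):
        print(finding["status"], finding["pattern"])
        for arn in finding["covers"]:
            print("   covers", arn)
```

A pattern that covers more principals than intended, or any principal that non-administrators in the recipient account are able to create, is a candidate for replacement with a `PrincipalType` `IAM` association.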

# Sharing and Importing Portfolios
<a name="catalogs_portfolios_sharing"></a>

To make your AWS Service Catalog products available to users who are not in your AWS accounts, such as users who belong to other organizations or to other AWS accounts in your organization, you share your portfolios with them. You can share in several ways, including account-to-account sharing, organizational sharing, and deploying catalogs using stack sets.

 Before you share your products and portfolios to other accounts, you must decide whether you want to share a reference of the catalog or to deploy a copy of the catalog into each recipient account. Note that if you deploy a copy, you must redeploy if there are updates you want to propagate to the recipient accounts. 

You can use stack sets to deploy your catalog to many accounts at the same time. If you want to share a reference (an imported version of your portfolio that stays in sync with the original), you can use account-to-account sharing or you can share using AWS Organizations. 

To use stack sets to deploy a copy of your catalog, see [How to set up a multi-region, multi-account catalog of company standard AWS Service Catalog products](https://aws.amazon.com/blogs/mt/how-to-set-up-a-multi-region-multi-account-catalog-of-company-standard-aws-service-catalog-products/).

When you share a portfolio using account-to-account sharing or AWS Organizations, you allow an AWS Service Catalog administrator of another AWS account to import your portfolio into their account and distribute the products to end users in that account. 

This *imported portfolio* isn't an independent copy. The products and constraints in the imported portfolio stay in sync with changes that you make to the *shared portfolio*, the original portfolio that you shared. The *recipient administrator*, the administrator with whom you share a portfolio, cannot change the products or constraints, but can add AWS Identity and Access Management (IAM) access for end users. For more information, see [Granting Access to Users](catalogs_portfolios_users.md).

The recipient administrator can distribute the products to end users who belong to their AWS account in the following ways:
+ By adding users, groups, and roles to the imported portfolio.
+ By adding products from the imported portfolio to a **local portfolio**, a separate portfolio that the recipient administrator creates and that belongs to their AWS account. The recipient administrator then adds users, groups, and roles to that local portfolio. Any constraints originally applied to products in the shared portfolio are also present in the local portfolio. The local portfolio recipient administrator can add additional constraints, but cannot remove the constraints that were originally imported from the shared portfolio.

When you add products or constraints to the shared portfolio or remove products or constraints from it, the change propagates to all imported instances of the portfolio. For example, if you remove a product from the shared portfolio, that product is also removed from the imported portfolio. It is also removed from all local portfolios that the imported product was added to. If an end user launched a product before you removed it, the end user's provisioned product continues to run, but the product becomes unavailable for future launches.

If you apply a launch constraint to a product in a shared portfolio, it propagates to all imported instances of the product. To override this launch constraint, the recipient administrator adds the product to a local portfolio and then applies a different launch constraint to it. The launch constraint that is in effect sets a launch role for the product. 

A *launch role* is an IAM role that AWS Service Catalog uses to provision AWS resources (such as Amazon EC2 instances or Amazon RDS databases) when an end user launches the product. As an administrator, you can choose to designate a specific launch role ARN or a local role name. If you use the role ARN, the role will be used even if the end user belongs to a different AWS account than the one that owns the launch role. If you use a local role name, the IAM role with that name in the end user's account is used.

For more information about launch constraints and launch roles, see [AWS Service Catalog Launch Constraints](constraints-launch.md). The AWS account that owns the launch role provisions the AWS resources, and this account incurs the usage charges for those resources. For more information, see [AWS Service Catalog Pricing](https://aws.amazon.com/servicecatalog/pricing/).

This video shows you how to share portfolios across accounts in AWS Service Catalog.

[![AWS Videos](http://img.youtube.com/vi/BVSohYOppjk/0.jpg)](http://www.youtube.com/watch?v=BVSohYOppjk)


**Note**  
You cannot re-share products from a portfolio that has been imported or shared. 

**Note**  
Portfolio imports must occur in the same region between the management and dependent accounts. 

## Relationship Between Shared and Imported Portfolios
<a name="shared-imported-portfolios-relationship"></a>

This table summarizes the relationship between an imported portfolio and a shared portfolio, and the actions that an administrator who imports a portfolio can and can't take with that portfolio and the products in it.


| Element of Shared Portfolio | Relationship to Imported Portfolio | Recipient Administrator Can | Recipient Administrator Cannot | 
| --- | --- | --- | --- | 
| Products and product versions |  Inherited. If the portfolio creator adds products to or removes products from the shared portfolio, the change propagates to the imported portfolio.  |  Add imported products to local portfolios. Products stay in sync with shared portfolio.  |  Upload or add products to the imported portfolio or remove products from the imported portfolio.  | 
| Launch constraints |  Inherited. If the portfolio creator adds launch constraints to or removes launch constraints from a *shared product*, the change propagates to all imported instances of the product. If the recipient administrator adds an imported product to their *local* portfolio, that imported launch constraint is not carried over to the shared portfolio.  | In a local portfolio, the administrator can apply launch constraints that affect the local launch of the product. |  Add launch constraints to or remove launch constraints from the imported portfolio.  | 
| Template constraints |  Inherited. If the portfolio creator adds a template constraint to or removes a template constraint from a shared product, the change propagates to all imported instances of the product. If the recipient administrator adds an imported product to a local portfolio, the imported template constraints are not carried over to the local portfolio.  |  In a local portfolio, the administrator can add template constraints that constrain the local product.  |  Remove the imported template constraints.  | 
| Users, groups, and roles | Not inherited. | Add users, groups, and roles that are in the administrator's AWS account. | Not applicable. | 