


# Administrator permissions to create and manage an EMR Studio
<a name="emr-studio-admin-permissions"></a>

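The IAM permissions described on this page allow you to create and manage an EMR Studio. For detailed information about each required permission, see [Permissions required to manage an EMR Studio](#emr-studio-admin-permissions-table).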

## Permissions required to manage an EMR Studio
<a name="emr-studio-admin-permissions-table"></a>

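The following table lists the operations related to creating and managing an EMR Studio. The table also shows the permissions needed for each operation.

**Note**  
The IAM Identity Center and Studio `SessionMapping` actions are required only when you use IAM Identity Center authentication mode.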


**Permissions to create and manage an EMR Studio**  

<table>
<thead>
  <tr><th>Operation</th><th>Permissions</th></tr>
</thead>
<tbody>
  <tr><td>Create a Studio</td><td> <pre>"elasticmapreduce:CreateStudio",<br />"sso:CreateApplication",<br />"sso:PutApplicationAuthenticationMethod",<br />"sso:PutApplicationGrant",<br />"sso:PutApplicationAccessScope",<br />"sso:PutApplicationAssignmentConfiguration",<br />"iam:PassRole"</pre> </td></tr>
  <tr><td>Describe a Studio</td><td> <pre>"elasticmapreduce:DescribeStudio",<br />"sso:GetManagedApplicationInstance"</pre> </td></tr>
  <tr><td>List Studios</td><td> <pre>"elasticmapreduce:ListStudios"</pre> </td></tr>
  <tr><td>Delete a Studio</td><td> <pre>"elasticmapreduce:DeleteStudio",<br />"sso:DeleteApplication",<br />"sso:DeleteApplicationAuthenticationMethod",<br />"sso:DeleteApplicationAccessScope",<br />"sso:DeleteApplicationGrant"</pre> </td></tr>
  <tr><td colspan="2">Additional permissions required when you use IAM Identity Center mode</td></tr>
  <tr><td>Assign a user or group to a Studio</td><td> <pre>"elasticmapreduce:CreateStudioSessionMapping",<br />"sso:GetProfile",<br />"sso:ListDirectoryAssociations",<br />"sso:ListProfiles",<br />"sso:AssociateProfile",<br />"sso-directory:SearchUsers",<br />"sso-directory:SearchGroups",<br />"sso-directory:DescribeUser",<br />"sso-directory:DescribeGroup",<br />"sso:ListInstances",<br />"sso:CreateApplicationAssignment",<br />"sso:DescribeInstance",<br />"organizations:DescribeOrganization",<br />"organizations:ListDelegatedAdministrators",<br />"sso:CreateInstance",<br />"sso:DescribeRegisteredRegions",<br />"sso:GetSharedSsoConfiguration",<br />"iam:ListPolicies"</pre> </td></tr>
  <tr><td>Retrieve Studio assignment details for a specific user or group</td><td> <pre>"sso-directory:SearchUsers",<br />"sso-directory:SearchGroups",<br />"sso-directory:DescribeUser",<br />"sso-directory:DescribeGroup",<br />"sso:DescribeApplication",<br />"elasticmapreduce:GetStudioSessionMapping"</pre> </td></tr>
  <tr><td>List all users and groups assigned to a Studio</td><td> <pre>"elasticmapreduce:ListStudioSessionMappings"</pre> </td></tr>
  <tr><td>Update the session policy attached to a user or group assigned to a Studio</td><td> <pre>"sso-directory:SearchUsers",<br />"sso-directory:SearchGroups",<br />"sso-directory:DescribeUser",<br />"sso-directory:DescribeGroup",<br />"sso:DescribeApplication",<br />"sso:DescribeInstance",<br />"elasticmapreduce:UpdateStudioSessionMapping"</pre> </td></tr>
  <tr><td>Remove a user or group from a Studio</td><td> <pre>"elasticmapreduce:DeleteStudioSessionMapping",<br />"sso-directory:SearchUsers",<br />"sso-directory:SearchGroups",<br />"sso-directory:DescribeUser",<br />"sso-directory:DescribeGroup",<br />"sso:ListDirectoryAssociations",<br />"sso:GetProfile",<br />"sso:DescribeApplication",<br />"sso:DescribeInstance",<br />"sso:ListProfiles",<br />"sso:DisassociateProfile",<br />"sso:DeleteApplicationAssignment",<br />"sso:ListApplicationAssignments"</pre> </td></tr>
</tbody>
</table>


**To create a policy with admin permissions for EMR Studio**

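1. Follow the instructions in [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) to create a policy using one of the following examples. The permissions you need depend on your [authentication mode for EMR Studio](emr-studio-authentication.md).

   Insert your own values for these items:
   + Replace {{`<your-resource-ARN>`}} to specify the Amazon Resource Name (ARN) of the object or objects that the statement covers for your use cases.
   + Replace {{<region>}} with the code of the AWS Region where you plan to create the Studio.
   + Replace {{<aws-account\_id>}} with the ID of the AWS account for the Studio.
   + Replace {{<EMRStudio-Service-Role>}} and {{<EMRStudio-User-Role>}} with the names of your [EMR Studio service role](emr-studio-service-role.md) and [EMR Studio user role](emr-studio-user-permissions.md#emr-studio-create-user-role).

**Example policy: Admin permissions when you use IAM authentication mode**  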


   ```
   {
     "Version":"2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Resource": [
           "arn:aws:elasticmapreduce:*:123456789012:studio/*"
         ],
         "Action": [
           "elasticmapreduce:CreateStudio",
           "elasticmapreduce:DescribeStudio",
           "elasticmapreduce:DeleteStudio"
         ],
         "Sid": "AllowELASTICMAPREDUCECreatestudio"
       },
       {
         "Effect": "Allow",
         "Resource": [
           "*"
         ],
         "Action": [
           "elasticmapreduce:ListStudios"
         ],
         "Sid": "AllowELASTICMAPREDUCEListstudios"
       },
       {
         "Effect": "Allow",
         "Resource": [
           "arn:aws:iam::123456789012:role/EMRStudioServiceRole"
         ],
         "Action": [
           "iam:PassRole"
         ],
         "Sid": "AllowIAMPassrole"
       }
     ]
   }
   ```

**Example policy: Admin permissions when you use IAM Identity Center authentication mode**  
**Note**  
The Identity Center and Identity Center Directory APIs don't support specifying an ARN in the resource element of an IAM policy statement. To allow access to IAM Identity Center and IAM Identity Center Directory, the following permissions specify all resources ("Resource":"\*") for IAM Identity Center actions. For more information, see [Actions, resources, and condition keys for IAM Identity Center Directory](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssodirectory.html#awsssodirectory-actions-as-permissions).


   ```
   {
     "Version":"2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Resource": [
           "arn:aws:elasticmapreduce:*:123456789012:studio/*"
         ],
         "Action": [
           "elasticmapreduce:CreateStudio",
           "elasticmapreduce:DescribeStudio",
           "elasticmapreduce:DeleteStudio",
           "elasticmapreduce:CreateStudioSessionMapping",
           "elasticmapreduce:GetStudioSessionMapping",
           "elasticmapreduce:UpdateStudioSessionMapping",
           "elasticmapreduce:DeleteStudioSessionMapping"
         ],
         "Sid": "AllowELASTICMAPREDUCECreatestudio"
       },
       {
         "Effect": "Allow",
         "Resource": [
           "*"
         ],
         "Action": [
           "elasticmapreduce:ListStudios",
           "elasticmapreduce:ListStudioSessionMappings"
         ],
         "Sid": "AllowELASTICMAPREDUCEListstudios"
       },
       {
         "Effect": "Allow",
         "Resource": [
           "arn:aws:iam::123456789012:role/EMRStudio-SvcRole",
           "arn:aws:iam::123456789012:role/EMRStudio-User-Role"
         ],
         "Action": [
           "iam:PassRole"
         ],
         "Sid": "AllowIAMPassrole"
       },
       {
         "Effect": "Allow",
         "Resource": [
           "*"
         ],
         "Action": [
           "sso:CreateApplication",
           "sso:PutApplicationAuthenticationMethod",
           "sso:PutApplicationGrant",
           "sso:PutApplicationAccessScope",
           "sso:PutApplicationAssignmentConfiguration",
           "sso:DescribeApplication",
           "sso:DeleteApplication",
           "sso:DeleteApplicationAuthenticationMethod",
           "sso:DeleteApplicationAccessScope",
           "sso:DeleteApplicationGrant",
           "sso:ListInstances",
           "sso:CreateApplicationAssignment",
           "sso:DeleteApplicationAssignment",
           "sso:ListApplicationAssignments",
           "sso:DescribeInstance",
           "sso:AssociateProfile",
           "sso:DisassociateProfile",
           "sso:GetProfile",
           "sso:ListDirectoryAssociations",
           "sso:ListProfiles",
           "sso-directory:SearchUsers",
           "sso-directory:SearchGroups",
           "sso-directory:DescribeUser",
           "sso-directory:DescribeGroup",
           "organizations:DescribeOrganization",
           "organizations:ListDelegatedAdministrators",
           "sso:CreateInstance",
           "sso:DescribeRegisteredRegions",
           "sso:GetSharedSsoConfiguration",
           "iam:ListPolicies"
         ],
         "Sid": "AllowSSOCreateapplication"
       }
     ]
   }
   ```


1. Attach the policy to your IAM identity (a user, role, or group). For instructions, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html).
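
The following Python check is an added example, not part of the AWS documentation: before you attach a policy, it compares the policy document against the actions the table lists for an operation and reports statements that grant `iam:PassRole` on a wildcard resource, which the example policies on this page avoid by naming role ARNs. It is a static match on `Allow` statements only (no `Deny`, `NotAction`, or condition evaluation); `REQUIRED`, `SAMPLE`, and the function names are assumptions made for the example.

```python
import fnmatch

# Required actions for two rows of the table on this page (IAM Identity Center mode).
REQUIRED = {
    "create_studio": """elasticmapreduce:CreateStudio sso:CreateApplication
        sso:PutApplicationAuthenticationMethod sso:PutApplicationGrant
        sso:PutApplicationAccessScope sso:PutApplicationAssignmentConfiguration
        iam:PassRole""".split(),
    "delete_studio": """elasticmapreduce:DeleteStudio sso:DeleteApplication
        sso:DeleteApplicationAuthenticationMethod sso:DeleteApplicationAccessScope
        sso:DeleteApplicationGrant""".split(),
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(policy):
    """Yield (sid, lowercased action patterns, resources) per Allow statement."""
    for s in _as_list(policy["Statement"]):
        if s.get("Effect") == "Allow":
            yield (s.get("Sid", "<no Sid>"),
                   [a.lower() for a in _as_list(s.get("Action", []))],
                   _as_list(s.get("Resource", [])))

def missing_actions(policy, operation):
    """Required actions that no Allow statement's Action pattern matches."""
    patterns = [p for _, acts, _ in _allows(policy) for p in acts]
    return [req for req in REQUIRED[operation]
            if not any(fnmatch.fnmatchcase(req.lower(), p) for p in patterns)]

def wildcard_passrole(policy):
    """Sids of Allow statements that grant iam:PassRole on a wildcard resource."""
    return [sid for sid, acts, res in _allows(policy)
            if any(fnmatch.fnmatchcase("iam:passrole", p) for p in acts)
            and any("*" in r for r in res)]

# Constructed sample (not from the page): a pattern misses one sso action; PassRole on "*".
SAMPLE = {"Statement": [
    {"Sid": "Studio", "Effect": "Allow",
     "Resource": "arn:aws:elasticmapreduce:*:123456789012:studio/*",
     "Action": ["elasticmapreduce:CreateStudio", "elasticmapreduce:DeleteStudio"]},
    {"Sid": "Sso", "Effect": "Allow", "Resource": "*", "Action": [
        "sso:CreateApplication", "sso:PutApplicationA*", "sso:DeleteApplication*"]},
    {"Sid": "PassAnyRole", "Effect": "Allow", "Resource": "*", "Action": "iam:PassRole"},
]}

if __name__ == "__main__":
    print({op: missing_actions(SAMPLE, op) for op in REQUIRED})
    print("iam:PassRole on wildcard resource:", wildcard_passrole(SAMPLE))
```

To check a real policy, load its JSON with `json.load` and pass the resulting dictionary to the same two functions.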