CONTROLLED DATA
Leidos Proprietary - US Citizens ONLY
The information contained herein is proprietary to Leidos, Inc. It may not be used, reproduced, disclosed, or exported without the written approval of Leidos.
Role-based authentication and authorization for ECM LOB. Each role will have a 1:1 mapping to an AD group specific to the LOB.
SINGLE Account: For an LOB with a single account (i.e., one with no environment label such as dev, test or prod)
ECMTenantSysOps: This role has near-admin permissions and represents the highest level of permission that can be granted for a program-managed account. It contains the AWS managed policy "PowerUserAccess" and a custom-defined policy for the required IAM-related permissions.
ECMTenantReadOnly: This is a read-only role; it grants the user permission to read only metadata for all AWS services.
ECMTenantOps: This role has a custom-defined policy which allows non-administrators within the account to perform certain operations functions.
MULTIPLE Accounts: For an LOB with multiple accounts, each with an appropriate environment label such as dev, test or prod
DEV or TEST accounts
ECMTenantDevSysOps: This role has near-admin permissions and represents the highest level of permission that can be granted for a program-managed account. It has exactly the same permissions as ECMTenantSysOps but is intended to be used only by developers, and only within a DEV or TEST account. It contains the AWS managed policy "PowerUserAccess" and a custom-defined policy for the required IAM-related permissions.
ECMTenantReadOnly: This is a read-only role; it grants the user permission to read only metadata for all AWS services.
ECMTenantSysOps: This role has near-admin permissions and represents the highest level of permission that can be granted for a program-managed account. It contains the AWS managed policy "PowerUserAccess" and a custom-defined policy for the required IAM-related permissions.
ECMTenantReadOnly: This is a read-only role; it grants the user permission to read only metadata for all AWS services.
ECMTenantOps: This role has a custom-defined policy which allows non-administrators within the account to perform certain operations functions.
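The following is an added example, not part of this document and not the LOB's real configuration. It models the three tenant roles above as IAM policy documents, shows the kind of trust policy that ties each role to an AD-backed federated identity (the 1:1 role-to-AD-group mapping is assumed to be delivered through SAML federation), and audits the policies for two least-privilege properties a reviewer would check: that ECMTenantReadOnly allows only Get/List/Describe actions, and that the custom IAM policy beside PowerUserAccess never grants IAM write actions on Resource "*" or via a wildcard action. The account ID, SAML provider name, AD group names, policy bodies and role-name prefix are constructed placeholders.

```python
"""Added example (not from the Leidos document): model the ECM tenant roles as
IAM policy documents and audit them for least-privilege properties.
All identifiers below are constructed placeholders, not the LOB's real values."""
import fnmatch

ACCOUNT_ID = "123456789012"   # placeholder account ID
SAML_PROVIDER = "CorpAD"      # assumed SAML provider that fronts the AD groups

# Assumed 1:1 role -> AD group mapping (group names are constructed).
ROLE_TO_AD_GROUP = {
    "ECMTenantSysOps": "AWS-ECM-LOB-SysOps",
    "ECMTenantReadOnly": "AWS-ECM-LOB-ReadOnly",
    "ECMTenantOps": "AWS-ECM-LOB-Ops",
}


def trust_policy(account_id: str, provider: str) -> dict:
    """Trust policy: only federated (AD-backed) principals may assume the role,
    and only for the AWS sign-in audience, so no IAM user or other account can."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    }


# Stand-in for the read-only managed policy (constructed subset).
READONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "s3:List*", "s3:Get*", "iam:Get*", "iam:List*"],
    "Resource": "*"}]}

# Constructed custom IAM policy attached next to PowerUserAccess for SysOps:
# IAM writes are scoped to program-owned roles and new roles must carry a boundary.
SYSOPS_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateRole",
     "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/ecm-app-*",
     "Condition": {"StringEquals": {
         "iam:PermissionsBoundary": f"arn:aws:iam::{ACCOUNT_ID}:policy/ECMTenantBoundary"}}},
    {"Effect": "Allow",
     "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PassRole"],
     "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/ecm-app-*"},
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}

# Constructed Ops policy: a few operational actions, no IAM writes at all.
OPS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances",
               "ec2:Describe*", "cloudwatch:Get*", "logs:Get*"],
    "Resource": "*"}]}

READ_ONLY_PATTERNS = ("*:Get*", "*:List*", "*:Describe*")


def _allow_statements(policy: dict):
    """Yield (actions, resources) for each Allow statement, normalised to lists."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st.get("Resource", "*")
        yield actions, (res if isinstance(res, list) else [res])


def _is_read_only(action: str) -> bool:
    return any(fnmatch.fnmatchcase(action, p) for p in READ_ONLY_PATTERNS)


def non_read_only_actions(policy: dict) -> list:
    """Allowed actions that are not Get/List/Describe, i.e. could mutate state."""
    return [a for actions, _ in _allow_statements(policy) for a in actions
            if not _is_read_only(a)]


def unbounded_iam_grants(policy: dict) -> list:
    """Wildcard actions, or IAM write actions granted on Resource '*'."""
    findings = []
    for actions, resources in _allow_statements(policy):
        for a in actions:
            if a in ("*", "iam:*"):
                findings.append(a)
            elif a.startswith("iam:") and not _is_read_only(a) and "*" in resources:
                findings.append(a)
    return findings


def audit_roles() -> dict:
    """Per-role findings; an empty list means the role passes its intended property."""
    return {
        "ECMTenantReadOnly": non_read_only_actions(READONLY_POLICY),
        "ECMTenantSysOps": unbounded_iam_grants(SYSOPS_IAM_POLICY),
        "ECMTenantOps": unbounded_iam_grants(OPS_POLICY),
    }


if __name__ == "__main__":
    for role, findings in audit_roles().items():
        print(f"{role} ({ROLE_TO_AD_GROUP[role]}): {'OK' if not findings else findings}")
```

A drifted policy that adds `"iam:*"` or `iam:CreateAccessKey` on `"*"` to the SysOps custom policy would surface in `unbounded_iam_grants`, which is the check worth wiring into the pipeline that deploys these roles so a near-admin role cannot quietly become a full-admin one.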