Managing AWS Groups

Once you have connected EmpowerID to AWS, you can manage your AWS groups in EmpowerID. This includes creating new AWS groups, adding and removing AWS users to and from those groups, as well as deleting those groups.

This topic demonstrates managing AWS groups in EmpowerID and is divided into the following activities:

As prerequisites to managing AWS Groups in EmpowerID, you must have an AWS account and have created an AWS account store for that account in EmpowerID.

To create AWS Groups in EmpowerID

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to AWS Manager by expanding Pages and clicking AWS Manager.
  2. In AWS Manager, click the Groups tab and then click Create Group to initiate the Create Group workflow.
  3. In the General section of the Create Group page that appears, do the following:
    1. Type the name, logon name and display name for the group in the Name, Logon Name, and Display Name fields, respectively.
    2. AWS does not allow group names to contain spaces.
    3. Underneath Group Creation Location, click the Select a Location link and in the Location Selector that appears, search for and select your AWS location.
    4. Click Save to close the Location Selector.
    5. Select the Generic Group from the Group Type drop-down.
    6. Optionally, type any notes in the Notes field.
    7. Type a description for the group in the Description field. This field is required.
    8. Select Allow Join Requests to allow the group to appear in the IT Shop. Leave the option deselected if you do not want users to be able to request membership in the group.
    9. Select Auto-Accept Join or Leave Requests if you want to give users the ability to join or leave the group without requiring approval.

    Once you have completed the above, the General section of the form should look similar to the below image.

  4. In the Advanced section of the form, select whether you want to prevent the group from being deleted in EmpowerID.
  5. Once you have completed filling in the form, click Save to create the group.
  6. EmpowerID creates the group and opens the View page for the group.

  7. Expand the Advanced Options drop-down. You should see the AWS identifier for the group in the Distinguished Name field.

To verify the new Group in AWS

  1. From your Web browser log in to your AWS account as an administrator.
  2. From the AWS dashboard, click the Groups navigational link. You should see the group you just created in EmpowerID.

Managing AWS Groups

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to AWS Manager by expanding Pages and clicking AWS Manager.
  2. In AWS Manager, click the Groups tab and search for the group in which you want to add members.
  3. Click the Logon Name link for that group.
  4. This directs you to the View One page for the group. View One pages allow you to view and edit the objects to which they are linked.

  5. From the View One page for the group, expand the Group Members accordion. The accordion displays current group members in the grid.
  6. You can add and remove members from the group as needed. To add a member, you type the name of an AWS user account in the Enter Search field and click the tile for that user account to select it.
  7. You can remove existing members by ticking the box to the left of the user account you want to remove.
  8. Notice that the Added and Removed flags have updated to show the number of user accounts being added and removed from the group.

    You can review what has been added and removed by clicking the drop-down arrow to the right of the flags.

  9. To submit your changes, click either of the Submit buttons. (If you have the drop-down opened, you can click the Submit there, or you can click the larger Submit button.)

To verify the changes to group membership in AWS

  1. From your Web browser log in to your AWS account as an administrator.
  2. From the AWS dashboard, click the Groups navigational link and look for the group whose membership you changed.
  3. Click the record for that group.
  4. AWS directs you to the summary page for that group. You should see your changes in the Users pane.
  5. In the below image, we see one user, "jappleseed." This is the user we added to the group above. Additionally, the user we removed, "dan_test", is no longer a member of the group.
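
The same membership check can be scripted against the IAM GetGroup API instead of the console. The following is an added example, not EmpowerID or AWS code: the group name `ExampleGroup`, the function names and the sample responses are constructed for illustration, and `live_pages` assumes boto3 is installed with credentials that allow `iam:GetGroup`. It also checks the no-spaces naming rule and reports whether the group is empty, which matters before a deletion.

```python
import re

# IAM group names: 1-128 chars from letters, digits and + = , . @ _ - (no spaces).
IAM_GROUP_NAME = re.compile(r"[A-Za-z0-9+=,.@_-]{1,128}")


def valid_group_name(name):
    """True if the name fits the IAM group-name character and length rules."""
    return IAM_GROUP_NAME.fullmatch(name) is not None


def members(pages):
    """Collect user names from an iterable of IAM GetGroup response pages."""
    return {u["UserName"] for page in pages for u in page.get("Users", [])}


def verify_membership(pages, expect_present=(), expect_absent=()):
    """Compare actual group membership with what the change should have produced."""
    actual = members(pages)
    return {
        "members": sorted(actual),
        "missing": sorted(set(expect_present) - actual),        # adds that did not land
        "still_present": sorted(set(expect_absent) & actual),   # removals that did not land
        "empty": not actual,                                    # group has no users left
    }


def live_pages(group_name):
    """Fetch GetGroup pages from AWS (assumes boto3 and iam:GetGroup permission)."""
    import boto3  # imported lazily so the offline sample below runs without it
    return boto3.client("iam").get_paginator("get_group").paginate(GroupName=group_name)


# Constructed sample responses (not real AWS output), split over two pages
# to show that every page of a paginated result is read.
SAMPLE_PAGES = [
    {"Group": {"GroupName": "ExampleGroup"}, "Users": [{"UserName": "jappleseed"}]},
    {"Group": {"GroupName": "ExampleGroup"}, "Users": []},
]

if __name__ == "__main__":
    print(verify_membership(SAMPLE_PAGES, ["jappleseed"], ["dan_test"]))
    print(valid_group_name("Example Group"))  # a name with a space is rejected
```

To run it against a real account, pass `live_pages("<group name>")` in place of `SAMPLE_PAGES`; a non-empty `missing` or `still_present` list means the change made in EmpowerID has not reached AWS.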

To delete an AWS group in EmpowerID

An AWS group with members cannot be deleted. Before attempting to delete an AWS group in EmpowerID, be sure to remove any members from that group first.

  1. From the Navigation Sidebar of the EmpowerID Web interface, navigate to AWS Manager by expanding Pages and clicking AWS Manager.
  2. In AWS Manager, click the Groups tab and search for the group you want to delete. The group cannot have any members.
  3. Click the record for that group to select it and then click the Delete Group action link.
  4. Click Yes to confirm you want to delete the group.
  5. If you left Wait to see results selected, click OK to close the Operation Execution Summary.

To verify the group deletion in AWS

  1. From your Web browser log in to your AWS console as an administrator.
  2. From the AWS console, select Identity & Access Management.
  3. Click the Groups navigational link and search for the group you just deleted. You should see no results.

EmpowerID keeps a log of all AWS actions performed in EmpowerID, including what was done, when it was done and who did it. To view these logs, navigate to Change Manager by expanding System Logs in the Navigation Sidebar and clicking Audit Log. Once in Change Manager, search for AWS to filter the changes displayed.