Versions Compared


Standard Access Roles

To help teams get started quickly, the Science Cloud automatically provisions standard, managed roles in all tenant accounts. These roles are designed to support common operational needs and map to standard cloud provider policies:

  • Read-Only Access: For viewing resources without the ability to make changes.
  • Power User Access: For developers and engineers who need broad access to build and deploy resources, but do not need to manage access controls.
  • Administrative Access: For tenant leads requiring full control over their environment.

Default IAM Identity Center Roles

The Science Cloud provides three default IAM Identity Center managed roles, which are automatically available in all tenant accounts:

Role Name                    AWS Managed Policy
Tenant-Full-Read-Only        ReadOnlyAccess
Tenant-Project-Power-Users   PowerUserAccess
Tenant-Project-Admins        AdministratorAccess

Reference Links: To view the specific permissions granted by these policies, refer to the official AWS documentation.


Access Guidelines

  • Centralized Access Management: Access to Science Cloud environments is federated and managed through NASA’s centralized identity systems. The user groups corresponding to each role are managed in the Science Cloud's Entra ID identity provider, and initial membership for these groups is established during your account's creation or migration.
  • Naming Convention: The {Tenant} prefix in the role name is uniquely generated for every tenant account.
  • ARN Suffix: The Amazon Resource Name (ARN) for the IAM role includes a randomized suffix that is unique to each account.
  • Membership Changes: If you need to add or remove team members from these groups, please open a support ticket with the Science Cloud service desk.
  • Security Enforcement: To ensure compliance with federal security policies, including strict Multi-Factor Authentication (MFA) requirements, access is managed exclusively through federated roles. Creating local, un-federated IAM users in tenant accounts is strictly prohibited in order to maintain a secure perimeter; all permissions must be managed using IAM roles.

Custom Access and Self-Management

Some projects have specific business requirements that necessitate custom access controls. The Science Cloud fully supports custom role creation through a secure, hybrid approach that minimizes your ongoing dependence on our support desk.

How the Hybrid Approach Works:

Instead of requiring a support ticket for every granular permission change, the Science Cloud provisions a secure, baseline access boundary for your team using automated deployment tools.

Once this secure framework is established and linked to your team's authorized identities, your project administrators gain the autonomy to securely create, manage, and delegate specific permissions within your own environment. This allows your team to operate agilely while remaining safely within the Science Cloud's overarching security guardrails.
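The delegation model described above (a platform-managed boundary inside which tenant administrators create their own roles) maps onto the AWS permissions-boundary pattern. The Python below is an added illustration of that pattern, not the Science Cloud's actual configuration or code; the account id, policy names, the denied action list and the small policy evaluator are all constructed for this example.

```python
"""Delegated IAM administration behind a permissions boundary (illustrative).

Assumed pattern: the platform deploys one boundary policy, and tenant admins
may create or modify roles only when that boundary is attached to the role.
The evaluator is a constructed, simplified stand-in for IAM policy evaluation.
"""
import fnmatch

ACCOUNT = "111122223333"  # constructed placeholder, not a real account id
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/TenantBoundary"  # placeholder name


def boundary_policy() -> dict:
    """Ceiling for every tenant-created role: broad access, but no local users."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        # Explicit denies enforce the "no un-federated users" rule from the guidelines.
        {"Effect": "Deny",
         "Action": ["iam:CreateUser", "iam:CreateLoginProfile", "iam:CreateAccessKey"],
         "Resource": "*"}]}


def delegated_admin_policy() -> dict:
    """Tenant admins may create and wire up roles only if the boundary is attached."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"],
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/*",
         # Condition key is the real IAM key; the request must carry this boundary.
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}}]}


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Simplified evaluation: an explicit Deny wins, otherwise any matching Allow."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(key) != value for key, value in wanted.items()):
            continue  # condition not satisfied (e.g. boundary missing from request)
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    role = f"arn:aws:iam::{ACCOUNT}:role/app-role"
    print("CreateRole with boundary:", is_allowed(delegated_admin_policy(), "iam:CreateRole", role, {"iam:PermissionsBoundary": BOUNDARY_ARN}))
    print("CreateRole without boundary:", is_allowed(delegated_admin_policy(), "iam:CreateRole", role, {}))
    print("CreateUser under boundary:", is_allowed(boundary_policy(), "iam:CreateUser", "*", {}))
```

The two policies together are what let administrators self-manage roles without being able to escape the platform's ceiling or recreate the prohibited local-user path.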