Standard Access Roles

To help teams get started quickly, the Science Cloud automatically provisions standard, managed roles in all tenant accounts. These roles are designed to support common operational needs and map to standard cloud provider policies:

  • Read-Only Access: For viewing resources without the ability to make changes.
  • Power User Access: For developers and engineers who need broad access to build and deploy resources, but do not need to manage access controls.
  • Administrative Access: For tenant leads requiring full control over their environment.



To view the specific permissions granted by these policies, refer to the official AWS documentation for the corresponding managed policies.



Important Access Guidelines

  • Centralized Access Management: Access to Science Cloud environments is federated and managed through NASA’s centralized identity systems. Initial team access is established during your account's creation.
  • Membership Changes: If you need to add or remove team members from your project, please open a support ticket with the Science Cloud service desk.
  • Security Enforcement: To ensure compliance with federal security policies, including strict Multi-Factor Authentication (MFA) requirements, access is managed exclusively through federated roles. The creation of local, un-federated users within tenant accounts is prohibited to maintain a secure perimeter.



Custom Access and Self-Management

Some projects have specific business requirements that necessitate custom access controls. The Science Cloud fully supports custom role creation through a secure, hybrid approach that minimizes your ongoing dependence on our support desk.

How the Hybrid Approach Works

Instead of requiring a support ticket for every granular permission change, the Science Cloud provisions a secure, baseline access boundary for your team using automated deployment tools.

Once this secure framework is established and linked to your team's authorized identities, your project administrators gain the autonomy to securely create, manage, and delegate specific permissions within your own environment. This allows your team to operate with agility while remaining safely within the Science Cloud's overarching security guardrails.
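The following is an added illustration of the pattern described above, not the Science Cloud's own configuration. It assumes the "baseline access boundary" is implemented as an AWS IAM permissions boundary policy (called TenantBaselineBoundary here, an assumed name), that delegated roles use an assumed "project-" name prefix, and that 111122223333 is a placeholder account ID. The identity policy attached to project administrators lets them create and modify roles only when the boundary is attached, and denies them from weakening or removing the boundary itself:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DelegatedRoleManagementOnlyWithBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:PutRolePermissionsBoundary",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::111122223333:role/project-*",
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::111122223333:policy/TenantBaselineBoundary"
        }
      }
    },
    {
      "Sid": "DenyRemovingBoundaryFromDelegatedRoles",
      "Effect": "Deny",
      "Action": "iam:DeleteRolePermissionsBoundary",
      "Resource": "arn:aws:iam::111122223333:role/project-*"
    },
    {
      "Sid": "DenyEditingTheBoundaryPolicy",
      "Effect": "Deny",
      "Action": [
        "iam:CreatePolicyVersion",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "arn:aws:iam::111122223333:policy/TenantBaselineBoundary"
    }
  ]
}
```

A role created under this policy can never hold more permissions than the boundary grants, regardless of what the project administrator attaches to it, so a misconfigured or over-broad delegated role is contained rather than escalating beyond the tenant's guardrails.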
