Optional Readonly all
When true, grants this authorization to all domain users. Mutually exclusive with users, userIdentifiers, groups, and groupsIdentifiers: if all is set, the individual principal fields must not be specified.
Use cases: Open access to all domain members; Unrestricted authorization scope
AWS: DataZone allUsersGrantFilter principal in authorization policies
Validation: Optional; boolean; mutually exclusive with the individual principal fields

Optional Readonly groups
Group names to include as principals. Names must match entries in the domain's groups config. Resolved to group profile identifiers at deploy time.
Use cases: Team-based authorization; SSO group grants
AWS: DataZone group profile principals in authorization policies
Validation: Optional; string array; names must match the domain groups keys

Optional Readonly groupsIdentifiers
Group identifiers specified directly as name-to-identifier pairs, bypassing profile resolution. Use when the group identifier (SSO group ID) is known at config time.
Use cases: Direct identifier grants; Pre-resolved group references
AWS: DataZone group identifier principals in authorization policies
Validation: Optional; map of name to identifier string

Optional Readonly userIdentifiers
User identifiers specified directly as name-to-identifier pairs, bypassing profile resolution. Use when the user identifier (IAM role ARN or SSO ID) is known at config time.
Use cases: Direct identifier grants; Pre-resolved user references
AWS: DataZone user identifier principals in authorization policies
Validation: Optional; map of name to identifier string

Optional Readonly users
User names to include as principals. Names must match entries in the domain's users config. Resolved to user profile identifiers at deploy time.
Use cases: Named user authorization; IAM or SSO user grants
AWS: DataZone user profile principals in authorization policies
Validation: Optional; string array; names must match the domain users keys
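A config-time check for the rules above, added here as an example and not the project's own code: it validates a principals block against the domain config, enforcing that all excludes the individual fields, that users and groups names exist as domain keys, and that direct identifier maps carry non-empty strings. The Principals and DomainConfig interfaces, the domain-config shape and the sample values (including the placeholder ARN) are assumptions.

```typescript
// Added example (not the project's own code). Field names follow the reference
// above; the Principals/DomainConfig interfaces and sample data are assumptions.
interface DomainConfig {
  users: Record<string, unknown>;  // keyed by user name
  groups: Record<string, unknown>; // keyed by group name
}

interface Principals {
  all?: boolean;
  users?: string[];                           // resolved to user profiles at deploy time
  userIdentifiers?: Record<string, string>;   // name -> IAM role ARN or SSO ID
  groups?: string[];                          // resolved to group profiles at deploy time
  groupsIdentifiers?: Record<string, string>; // name -> SSO group ID
}

const has = (obj: Record<string, unknown>, key: string): boolean =>
  Object.prototype.hasOwnProperty.call(obj, key);

// Returns every rule violation found; an empty array means the block passes.
function validatePrincipals(p: Principals, domain: DomainConfig): string[] {
  const errors: string[] = [];
  const individual = [p.users, p.userIdentifiers, p.groups, p.groupsIdentifiers];
  if (p.all === true && individual.some((f) => f !== undefined)) {
    errors.push("all is mutually exclusive with users, userIdentifiers, groups and groupsIdentifiers");
  }
  for (const name of p.users ?? []) {
    if (!has(domain.users, name)) errors.push(`users: "${name}" is not a key of the domain users config`);
  }
  for (const name of p.groups ?? []) {
    if (!has(domain.groups, name)) errors.push(`groups: "${name}" is not a key of the domain groups config`);
  }
  // Direct identifiers bypass profile resolution, so only their shape can be checked here.
  const maps = [["userIdentifiers", p.userIdentifiers], ["groupsIdentifiers", p.groupsIdentifiers]] as const;
  for (const [field, map] of maps) {
    for (const [name, id] of Object.entries(map ?? {})) {
      if (typeof id !== "string" || id.trim() === "") errors.push(`${field}: "${name}" has an empty identifier`);
    }
  }
  return errors;
}

// Constructed sample domain and two principal blocks: one valid, one breaking three rules.
const sampleDomain: DomainConfig = { users: { alice: {}, bob: {} }, groups: { analysts: {} } };
const validBlock: Principals = {
  users: ["alice"],
  groups: ["analysts"],
  userIdentifiers: { ci: "arn:aws:iam::123456789012:role/ExamplePipelineRole" }, // placeholder ARN
};
const invalidBlock: Principals = { all: true, users: ["carol"], groupsIdentifiers: { ops: "" } };
console.log(validatePrincipals(validBlock, sampleDomain));   // []
console.log(validatePrincipals(invalidBlock, sampleDomain)); // three violations
```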