

# Manage users that you add to Amazon Connect

As the admin, one of your key responsibilities is to manage users: add them to Amazon Connect, give them their credentials, and assign the appropriate permissions so they can access the features they need to do their job.

The topics in this section explain how to add users using the Amazon Connect admin website. To manage users programmatically, see [User management actions](https://docs.aws.amazon.com/connect/latest/APIReference/users-api.html) in the *Amazon Connect API Reference Guide*. 

**Topics**
+ [Add users](user-management.md)
+ [Edit users in bulk](edit-users-in-bulk.md)
+ [View historical changes](view-historical-changes-user-records.md)
+ [Download users](download-user-records.md)
+ [Delete users](delete-users.md)
+ [Reset passwords](password-reset.md)
+ [Security profiles](connect-security-profiles.md)

# Add users to Amazon Connect

When you add users to Amazon Connect, you can configure them with information appropriate to their roles. For example, you specify their [security profile](connect-security-profiles.md), which indicates the tasks they can perform in the Amazon Connect admin website. For agents, you specify their [routing profile](routing-profiles.md), which indicates the contacts that can be routed to them.

This topic explains how to add users using the Amazon Connect admin website. To add users programmatically, see [CreateUser](https://docs.aws.amazon.com/connect/latest/APIReference/API_CreateUser.html) in the *Amazon Connect API Reference Guide*. To use the CLI, see [create-user](https://docs.aws.amazon.com/cli/latest/reference/connect/create-user.html).

## Add a user individually


1. Log in to the Amazon Connect admin website at https://*instance name*.my.connect.aws/. Use an **Admin** account, or an account assigned to a security profile that has **Users - Create** permission.

1. In Amazon Connect, on the left navigation menu, choose **Users**, **User management**.

1. Choose **Add new users**.

1. Choose **Create and set up a new user** and then choose **Next**.

1. Enter the name, email address, secondary email address, mobile number, and password for the user.
**Note**  
SAML users don't have primary email addresses; they have username logins. A username login is typically an email address, but it doesn't have to be. For these users the **Email address** field is empty inside Amazon Connect. When email notifications are sent to SAML users, the user must have a secondary email configured to receive them. If a secondary email is not configured, the user won't receive the email.
**Tip**  
Mobile number is not currently used by Amazon Connect.

1. Choose a routing profile and a security profile.

1. Optionally, add tags to identify, organize, search for, filter, and control who can access this user record. For more information, see [Add tags to resources in Amazon Connect](tagging.md).

1. Choose **Save**. If the Save button isn't active, it means you're logged in with an Amazon Connect account that doesn't have the required security profile permissions. 

   To fix this issue, log in with an account that is assigned to the Amazon Connect Admin security profile. Or, ask another Admin to help. 

1. For information about adding agents, see [Configure agent settings in Amazon Connect](configure-agents.md). 

## Add users in bulk from a .csv file

You can add up to 1000 users at a time by using a .csv file.

**Note**  
Avoid adding too many unique resources in the .csv file. For example, don't add more than 100 different routing profiles. This may cause a timeout or failure during the validation process.   
Bulk upload is for adding new records, not for editing existing records. To edit user records in bulk, see [Edit users in bulk in Amazon Connect](edit-users-in-bulk.md). 

Use these steps to add several users from a .csv file, which you can prepare in a spreadsheet application such as Excel.

1. Log in to Amazon Connect with an **Admin** account, or an account assigned to a security profile that has **Users - Create** permission.

1. In Amazon Connect, on the left navigation menu, choose **Users**, **User management**.

1. Choose **Add new users**.

1. Choose **Import users using a .csv template** and then choose **.csv template**.

   The .csv template has the following columns in the first row:
   + first name
   + last name
   + user login
   + agent hierarchy
   + routing profile name
   + security_profile_name_1|security_profile_name_2
   + user_hierarchy_1|user_hierarchy_2
   + phone type (soft/desk)
   + phone number
   + tags
   + persistent connection
   + audio enhancement(none/isolate voice/suppress noise)

   The following image shows a sample of what the .csv template looks like in an Excel spreadsheet. The first row in the spreadsheet contains the column headings, and the second row contains sample user data.  
![\[The csv template in an Excel spreadsheet.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/add-bulk-users-2.png)

1. Add your users to the template and upload it to Amazon Connect. Choose **Upload file and verify**.

1. Amazon Connect validates the data in the file. Choose **Save** to create the new user records.   
![\[The uploaded users and Save button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/save-bulk-users.png)

   If you get a validation error message, it usually indicates that one of the required columns is missing information, or there's a typo in one of the cells. 

   The following image shows an example validation error message. In this case, the security profile was misspelled and a password didn't meet requirements.  
![\[A sample error message when the csv file is not valid.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/error-message-uploaded-csv-file.png)

1. To upload only the validated user records, choose **Save**. A dialog box prompts you for confirmation.  
![\[A dialog box to create a user.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-save-1.png)

1. A banner displays the status of the upload and confirms when it's complete. 
**Tip**  
While a batch of additions is being processed, you can continue working on the **User management** page, choosing another batch of user records to create, edit, or delete, in bulk or individually. This is useful for quickly updating settings such as routing profiles for groups of agents.  
Amazon Connect sequentially processes the records in bulk.

1. Choose **Refresh** to update the **User management** page with the users that have been created.  
![\[A banner that users have been created.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/save-bulk-users-banner.png)
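Validation in the procedure above happens only after the file is uploaded. As an added example (not from the AWS documentation), the following Python script applies the same rules offline so a file can be checked before anyone with **Users - Create** permission uploads it: the heading row must match the template exactly, required cells are filled, routing and security profile names are spelled exactly as they exist in the instance, the 1000-row limit and the 100-distinct-routing-profile guidance are respected, and there are no duplicate logins. The sample rows and the sets of "known" profile names are constructed for the example; adjust the required-column rules to your own policy.

```python
import csv
import io
from collections import Counter

# Column headings of the .csv template, in the order the admin guide lists them.
TEMPLATE_COLUMNS = [
    "first name",
    "last name",
    "user login",
    "agent hierarchy",
    "routing profile name",
    "security_profile_name_1|security_profile_name_2",
    "user_hierarchy_1|user_hierarchy_2",
    "phone type (soft/desk)",
    "phone number",
    "tags",
    "persistent connection",
    "audio enhancement(none/isolate voice/suppress noise)",
]
MAX_ROWS = 1000            # users per upload, per the admin guide
MAX_UNIQUE_ROUTING = 100   # more distinct routing profiles than this risks a validation timeout

# Constructed sample rows (12 cells each, matching TEMPLATE_COLUMNS).
SAMPLE_ROWS = [
    "Jane,Doe,jdoe,,Basic Routing Profile,Agent,,soft,,,,none",                    # clean
    "John,Roe,jroe,,Basic Routing Profile,Agent|CallCenterManager,,desk,,,,none",  # desk phone, no number
    "Sam,Poe,jdoe,,Sales,Agnet,,soft,,,,none",                                      # duplicate login, typos
]


def build_csv(rows):
    """Join the template heading row and data rows into .csv text."""
    return "\r\n".join([",".join(TEMPLATE_COLUMNS)] + list(rows))


def _cell(row, col):
    """Cell value with surrounding whitespace removed; missing cells count as empty."""
    return (row.get(col) or "").strip()


def validate_bulk_csv(text, known_routing_profiles, known_security_profiles):
    """Return [(row_number, message), ...]; an empty list means the file is clean.

    Row numbers are 1-based data rows; file-level problems use row 0.
    """
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != TEMPLATE_COLUMNS:
        return [(0, "heading row does not match the .csv template")]
    problems, logins, routing, n = [], Counter(), set(), 0
    for n, row in enumerate(reader, start=1):
        for col in ("first name", "last name", "user login", "routing profile name"):
            if not _cell(row, col):
                problems.append((n, f"'{col}' is required"))
        if _cell(row, "user login"):
            logins[_cell(row, "user login")] += 1
        rp = _cell(row, "routing profile name")
        if rp:
            routing.add(rp)
            if rp not in known_routing_profiles:
                problems.append((n, f"unknown routing profile '{rp}'"))
        # Several security profiles go in one cell, separated by "|".
        for sp in _cell(row, "security_profile_name_1|security_profile_name_2").split("|"):
            if sp.strip() and sp.strip() not in known_security_profiles:
                problems.append((n, f"unknown security profile '{sp.strip()}'"))
        phone_type = _cell(row, "phone type (soft/desk)").lower()
        if phone_type not in ("soft", "desk"):
            problems.append((n, "phone type must be soft or desk"))
        elif phone_type == "desk" and not _cell(row, "phone number"):
            problems.append((n, "desk phone requires a phone number"))
    for login, count in logins.items():
        if count > 1:
            problems.append((0, f"duplicate user login '{login}' ({count} rows)"))
    if n > MAX_ROWS:
        problems.append((0, f"{n} rows exceeds the {MAX_ROWS}-user limit per upload"))
    if len(routing) > MAX_UNIQUE_ROUTING:
        problems.append((0, f"{len(routing)} distinct routing profiles may time out validation"))
    return problems


if __name__ == "__main__":
    for row_no, msg in validate_bulk_csv(build_csv(SAMPLE_ROWS),
                                         {"Basic Routing Profile"},
                                         {"Agent", "CallCenterManager", "Admin"}):
        print(f"row {row_no}: {msg}")
```

Feed the script the real profile names from your instance (for example from the output of `aws connect list-routing-profiles` and `aws connect list-security-profiles`) so that a misspelled security profile is caught here rather than in the upload error banner.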

## Required permissions for adding users


Before you can add users to Amazon Connect, your security profile needs the **Users - Create** permission. The following image shows that this permission is in the **Users and permissions** section of the **Add/Edit security profile** page. 

![\[The Users and permissions section of the security profile page.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/security-profile-create-user-accounts.png)


By default, the Amazon Connect **Admin** security profile has these permissions.

For information about how to add more permissions to an existing security profile, see [Update security profiles in Amazon Connect](update-security-profiles.md).

# Edit users in bulk in Amazon Connect

Bulk edit mode enables you to quickly edit the attributes that are common across user records, such as routing profiles, security profiles, and tags.

**Tip**  
While a batch of bulk edits is being processed, you can continue working on the **User management** page, such as selecting more records to edit or delete, in bulk or individually. This is useful for quickly updating settings, such as routing profiles for groups of agents.

1. Log in to Amazon Connect with an Admin account, or an account assigned to a security profile that has **Users - Edit** permission.

1. In Amazon Connect, on the left navigation menu, choose **Users**, **User management**. 

1. If needed, choose **Add filter** to specify a subset of users, such as users with a specific **Routing profile**. This option is shown in the following image.  
![\[The add filter option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-filter.png)

1. To quickly update a large number of users, at the bottom of the table choose to display **100** rows per page, as shown in the following image.  
![\[The rows per page dropdown box.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-rows-per-page.png)

1. To edit all the records on the page, choose the top box. Otherwise, select one or more records you want to edit at the same time. Choose **Edit**.  
![\[The User management page, emphasizing the top box, which selects all user records.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-edit-select.png)

1. On the **Bulk edit** page, in the **Settings** section, you can choose the following settings for all of the selected users:
   + Security profile
   + Routing profile
   + Phone type
   + Auto accept per channel
   + After Call Work (ACW) timeout per channel
   + Agent hierarchy, if this has been set up
   + Tags

1. Choose **Save** to apply your changes to the selected records.

1. While that batch of user records is being updated, you can continue working on the **User management** page, performing other create, edit, and delete tasks on user records.

## Perform other edit tasks while a batch of bulk edits is being processed

After saving an update for a group of users, you can either make additional changes on the **Bulk edit** page (for example, [edit other user details](#edit-other-user-details) such as contact information) or you can choose different user records to edit. 

**Important**  
As long as you remain on the **User management** page, your update request will continue to be processed. Review the messages at the top of the page for the status of the update.

The following image shows an example of message at the top of the **User management** page that Amazon Connect is updating a batch of user records. 

![\[A banner showing Amazon Connect in the process of updating a batch of user records.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-bulk-edit-banner3.png)


When you perform additional tasks on the **User management** page, Amazon Connect appends the next request to create, edit, or delete user records to the existing status message at the top of the page. Amazon Connect sequentially processes them in bulk.

Following are some tips about how Amazon Connect processes bulk edit requests.
+ If you choose **Cancel** during a bulk create, edit, or delete, **only those requests not yet processed are canceled**.
+ A message displays how many users were successfully updated. Choose **Refresh** to refresh the page with the list of the updated users.  
![\[The button to refresh the results of Amazon Connect processing bulk edit requests.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-bulk-cancel-refresh.png)
+ If some user records fail to be updated, a message similar to the following image is displayed:   
![\[A message showing that users failed to be updated.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-failed-edit.png)

  You have the following options:
  + Choose **download the CSV** to discover the reason changes weren't updated. In the following example, the agent hierarchy was deleted before the user records were saved.  
![\[A diagram showing why edits failed and the failed fields.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-failed-edit-reason.png)
  + Choose **Try again** to resubmit only those user records that failed. The others were already successfully updated. 
  + Choose **Edit** to be directed to the **Bulk edit** page so you can change the input for the user records that failed.  
![\[A diagram showing the Bulk edit option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-bulk-edit-fail-input.png)
  + Choose **Cancel** to not do anything with the user records that weren't updated.

## Edit other user details

You can page through selected user records to make updates to contact information, rather than choosing and opening each record individually. 

1. On the **Bulk edit** page, select the user records you want to edit. 

1. Choose the **Edit** (pencil) icon next to individual users to make updates.

1. A dialog box opens for the individual user. Make your changes, and choose **Submit**. 

1. If needed, choose **Previous** and **Next** to open the next user record in the list. The following image shows the **Edit** dialog box for a single user while in bulk edit mode.  
![\[The edit dialog box.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-bulk-single-edit.png)

## Edit user settings programmatically

You can change the following values programmatically across selected users. The users are changed to the same value.


| Property | API | CLI | 
| --- | --- | --- | 
|  Routing profiles  |  [UpdateUserRoutingProfile](https://docs.aws.amazon.com/connect/latest/APIReference/API_UpdateUserRoutingProfile.html)  | [update-user-routing-profile](https://docs.aws.amazon.com/cli/latest/reference/connect/update-user-routing-profile.html) | 
|  Security profiles  |  [UpdateUserSecurityProfiles](https://docs.aws.amazon.com/connect/latest/APIReference/API_UpdateUserSecurityProfiles.html)  | [update-user-security-profiles](https://docs.aws.amazon.com/cli/latest/reference/connect/update-user-security-profiles.html) | 
|  Tags  |  [TagResource](https://docs.aws.amazon.com/connect/latest/APIReference/API_TagResource.html) [UntagResource](https://docs.aws.amazon.com/connect/latest/APIReference/API_UntagResource.html)  | [tag-resource](https://docs.aws.amazon.com/cli/latest/reference/connect/tag-resource.html) [untag-resource](https://docs.aws.amazon.com/cli/latest/reference/connect/untag-resource.html)  | 
|  User hierarchies  |  [UpdateUserHierarchy](https://docs.aws.amazon.com/connect/latest/APIReference/API_UpdateUserHierarchy.html)  | [update-user-hierarchy](https://docs.aws.amazon.com/cli/latest/reference/connect/update-user-hierarchy.html) | 
|  User configuration  |  [UpdateUserConfig](https://docs.aws.amazon.com/connect/latest/APIReference/API_UpdateUserConfig.html)  | [update-user-config](https://docs.aws.amazon.com/cli/latest/reference/connect/update-user-config.html) | 

You can edit the following identity and contact information programmatically for an individual user: first name, last name, email address, mobile number, secondary email address. Use the following API or CLI:


| Property | API | CLI | 
| --- | --- | --- | 
|  Identity and contact information  |  [UpdateUserIdentityInfo](https://docs.aws.amazon.com/connect/latest/APIReference/API_UpdateUserIdentityInfo.html)  | [update-user-identity-info](https://docs.aws.amazon.com/cli/latest/reference/connect/update-user-identity-info.html) | 
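As an added example, not AWS-provided code, the following Python shows the programmatic equivalent of a bulk edit using the APIs in the tables above through boto3's method names (`update_user_routing_profile`, `update_user_security_profiles`). It processes users one at a time and keeps going when a call fails, returning the failed subset so it can be resubmitted on its own, which is what the console's **Try again** does. The Connect client is passed in so the logic runs offline against a small fake; in production pass `boto3.client("connect")`. The instance, user, and profile IDs are placeholders.

```python
def bulk_apply(user_ids, update_one):
    """Call update_one(user_id) for every user and keep going on failure.

    Returns (succeeded, failed) where failed is a list of (user_id, error).
    Mirrors the console: records are processed sequentially, one failure does
    not abort the batch, and the failed subset can be resubmitted by itself.
    """
    succeeded, failed = [], []
    for user_id in user_ids:
        try:
            update_one(user_id)
            succeeded.append(user_id)
        except Exception as exc:  # boto3 service errors derive from Exception
            failed.append((user_id, str(exc)))
    return succeeded, failed


def set_routing_profile(client, instance_id, user_ids, routing_profile_id):
    """UpdateUserRoutingProfile for each user; every user gets the same value."""
    return bulk_apply(user_ids, lambda uid: client.update_user_routing_profile(
        InstanceId=instance_id, UserId=uid, RoutingProfileId=routing_profile_id))


def set_security_profiles(client, instance_id, user_ids, security_profile_ids):
    """UpdateUserSecurityProfiles for each user. The list REPLACES the user's
    current security profiles, so always pass the complete intended set."""
    return bulk_apply(user_ids, lambda uid: client.update_user_security_profiles(
        InstanceId=instance_id, UserId=uid, SecurityProfileIds=list(security_profile_ids)))


class FakeConnectClient:
    """Offline stand-in for boto3.client("connect") covering the two calls above.

    Any user ID in `missing` raises, simulating ResourceNotFoundException for a
    user that was deleted before the batch ran (the failure case the console
    reports in its downloadable CSV).
    """
    def __init__(self, missing=()):
        self.missing = set(missing)
        self.calls = []  # (api name, kwargs) in the order they were made

    def _call(self, name, kwargs):
        self.calls.append((name, kwargs))
        if kwargs["UserId"] in self.missing:
            raise RuntimeError(f"ResourceNotFoundException: {kwargs['UserId']}")
        return {}

    def update_user_routing_profile(self, **kwargs):
        return self._call("UpdateUserRoutingProfile", kwargs)

    def update_user_security_profiles(self, **kwargs):
        return self._call("UpdateUserSecurityProfiles", kwargs)


def demo():
    """Run a routing-profile batch against the fake client, then retry only the failures."""
    client = FakeConnectClient(missing={"user-0003"})          # placeholder IDs
    users = ["user-0001", "user-0002", "user-0003", "user-0004"]
    ok, bad = set_routing_profile(client, "inst-example", users, "rp-sales")
    _, retry_bad = set_routing_profile(client, "inst-example", [u for u, _ in bad], "rp-sales")
    return ok, bad, retry_bad, client


if __name__ == "__main__":
    ok, bad, retry_bad, _ = demo()
    print("updated:", ok)
    print("failed:", bad)
    print("still failing after retry:", retry_bad)
```

Two things to keep in mind when scripting this: `UpdateUserSecurityProfiles` replaces the user's whole set of security profiles, so a script that "adds" a profile without first reading the current set with `DescribeUser` silently removes the others; and the IAM principal running the script needs the corresponding `connect:` actions, which makes it as sensitive as an account with **Users - Edit** in the admin website.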

# View historical changes to user records

1. Log in to the Amazon Connect admin website at https://*instance name*.my.connect.aws/. Use an **Admin** account, or an account assigned to a security profile that has **Users and permissions - Users - View** permissions.

1. In Amazon Connect, on the left navigation menu, choose **Users**, **User management**.

1. On the **User management** page, choose **View historical changes**, as shown in the following image.  
![\[The user management page, with an arrow pointing to the View historical changes link.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-view-historical-changes.png)

1. On the **View recent changes for agent** page, there is one row for each time a user record was changed. In the following image, there are multiple rows for **johndoe** because that user record has been updated multiple times. 

   To view the past changes for a specific user, choose their user name.   
![\[The View recent changes for agent page, with an arrow pointing to the Resource name.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-view-recent-changes.png)

1. On the **View recent changes for [resource name]** page, you can view details about what has been changed in the user record, when, and who made the change, as shown in the following image.  
![\[The View recent change page, a list of recent changes to the user record for John Doe.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-view-recent-changes-johndoe.png)

# Download a user list from your Amazon Connect instance

You can export a list of users from Amazon Connect to a .csv file. The export includes only the rows currently displayed on the **User management** page; if you have more users than fit on one page, the file does not contain all of them.

1. Log in to the Amazon Connect admin website at https://*instance name*.my.connect.aws/. Use an **Admin** account, or an account assigned to a security profile that has **Users and permissions - Users - View** permissions.

1. In Amazon Connect, on the left navigation menu, choose **Users**, **User management**.

1. Choose **Download CSV**.

# Delete users from your Amazon Connect instance

**Important**  
You can't undo a deletion.
When a user is deleted from Amazon Connect, you won't be able to configure their agent settings any more. For example, you won't be able to assign a routing profile to them.
If you delete a user record that has an associated quick connect, you need to [delete the quick connect](quick-connects-delete.md), too. Otherwise it will be orphaned. When agents attempt to transfer calls to it, no one is there to answer the call. 
Orphaned quick connects can disrupt other Amazon Connect processes such as instance replication and syncing processes that are done as part of [Amazon Connect Global Resiliency](setup-connect-global-resiliency.md).

This topic explains how to delete user records using the Amazon Connect admin website. To delete user records programmatically, see [DeleteUser](https://docs.aws.amazon.com/connect/latest/APIReference/API_DeleteUser.html) in the *Amazon Connect API Reference Guide*. To use the CLI, see [delete-user](https://docs.aws.amazon.com/cli/latest/reference/connect/delete-user.html).

## What happens to the user's metrics?


The user's data in contact records and reports is retained. The data is preserved for the consistency of the historical metrics. For example, when you search for contact records, you'll still see the agent's username, any contact recordings involving the agent, etc.

In the historical metrics reports, the agent's data will be included in the **Agent performance** metrics report. However, you won't be able to see an **Agent activity audit** of the deleted agent because their name won't appear in the drop-down list. 

## How to delete users


**Tip**  
While a batch of deletions is being processed, you can continue working on the **User management** page, choosing another batch of user records to create, edit, or delete, in bulk or individually. This is useful for quickly updating settings such as routing profiles.
 

1. Log in to Amazon Connect using an **Admin** account, or an account assigned to a security profile that has **Users - Remove** permission.

1. In Amazon Connect, on the left navigation menu, choose **Users**, **User management**. Choose one or more users you want to delete, and then choose **Delete**.  
![\[The User management page, Delete option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/delete-users-how-to.png)

1. Confirm you want to delete the users.  
![\[The delete user page, Delete button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/delete-users-confirm.png)

1. The following image shows an example of the message when a user is deleted successfully. Choose **Refresh** to update the list of users on the **User management** page.  
![\[The delete user page, the refresh button.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/delete-users-refresh.png)

1. If Amazon Connect fails to delete one or more user records, it displays a message similar to the following image.   
![\[A banner that record was not deleted.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/delete-users-error.png)

   When you get a failed to delete message, you have the following options:
   + Choose **download the CSV** to view the error details. In the following example, the details show that the user records had already been deleted: the **User management** page hadn't been refreshed, and the same records were submitted for deletion again.   
![\[A list of reasons for records not being deleted.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/user-management-bulk-delete-fail-reasons.png)
   + Choose **Try again** to resubmit those records that failed to be deleted. The other records were successfully deleted.
   + Choose **Cancel** to not do anything with the user records that weren't deleted.

## Required permissions to delete users


Before you can delete users, you must be logged in with an Amazon Connect account that has the **Users - Remove** permission.

![\[The users and permissions section of the security profiles page, Users option.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/delete-users-required-permissions.png)


By default, the Amazon Connect **Admin** security profile has these permissions.

# Reset a user's password for Amazon Connect

**To reset a user's Amazon Connect password**

1. Log in to the Amazon Connect admin website at https://*instance name*.my.connect.aws/. Use an Admin account, or a user account that has [security profile permissions](security-profile-list.md) to reset passwords.

1. In Amazon Connect, on the left navigation menu, choose **Users**, **User management**.

1. Select the user and choose **Edit**.

1. Choose **reset password**. Specify a new password and then choose **Submit**.

   Resetting the user's password will immediately log them out of the Contact Control Panel.

1. Communicate the new password to the user.

## Reset your own lost or forgotten Amazon Connect admin password

+ See [Emergency login to the Amazon Connect admin website](emergency-admin-login.md).

## Reset your own agent or manager password


Use the following steps if you want to change your password, or if you forgot it and need a new one.

1. If you're an Amazon Connect agent or manager, at the Amazon Connect login page, choose **Forgot Password**.

1. Type the characters you see in the image, and then choose **Recover Password**.

1. A message will be sent to your email address with a link that you can use to reset your password.

## Reset your own lost or forgotten AWS password

+ To reset the password you used when you first created your AWS account, see [Resetting a Lost or Forgotten Root User Password](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys_retrieve.html#reset-root-password) in the *IAM User Guide*. 

# Security profiles for Amazon Connect and Contact Control Panel (CCP) access

A security profile is a group of permissions that map to a common role in a contact center. For example, the Agent security profile contains permissions needed to access the Contact Control Panel (CCP).

Security profiles help you manage who can access the Amazon Connect dashboard and Contact Control Panel (CCP), and who can perform specific tasks. 

**Topics**
+ [Best practices for Amazon Connect and Contact Control Panel (CCP) security profiles](security-profile-best-practices.md)
+ [Inherited permissions for Amazon Connect and Contact Control Panel (CCP) security profiles](inherited-permissions.md)
+ [List of security profile permissions](security-profile-list.md)
+ [Default security profiles in Amazon Connect](default-security-profiles.md)
+ [Assign a security profile for Amazon Connect to a contact center user](assign-security-profile.md)
+ [Create a security profile in Amazon Connect](create-security-profile.md)
+ [Update security profiles in Amazon Connect](update-security-profiles.md)
+ [Apply tag-based access control](tag-based-access-control.md)
+ [Apply hierarchy-based access control](hierarchy-based-access-control.md)

# Best practices for Amazon Connect and Contact Control Panel (CCP) security profiles

+ Limit who has **Users - Edit or Create** permissions

  People with these permissions pose a risk to your contact center because they can do the following:
  + Reset passwords, including that of the administrator.
  + Grant other users permission to the Admin security profile. People assigned to the Admin security profile have full access to your contact center.

  Doing these things would enable someone to lock out those who need to access Amazon Connect, and allow in others who can steal customer data and damage your business. 

  To reduce the risk, as a best practice we recommend limiting the number of people who have **Users - Edit or Create** permissions.
+ [Use AWS CloudTrail](logging-using-cloudtrail.md) to log the requests and responses of [UpdateUserIdentityInfo](https://docs.aws.amazon.com/connect/latest/APIReference/API_UpdateUserIdentityInfo.html). This enables you to track changes made to user information. Someone who has the ability to call the `UpdateUserIdentityInfo` API can change a user's email address to one owned by an attacker, and then reset the password through email. 
+ [Understand inherited permissions](inherited-permissions.md)

  Some security profiles include inherited permissions: when you assign dedicated permissions to one object, by default permissions are granted to sub-objects. For example, when you grant someone dedicated permission to edit users, you also grant them permission to list all security profiles for your Amazon Connect instance, because editing a user requires access to the drop-down list of security profiles. 

  Before assigning security profiles, review the list of inherited permissions.
+ **Understand the implications of [access control tags](https://docs.aws.amazon.com/connect/latest/adminguide/tag-based-access-control.html) before applying them to a security profile.** Applying access control tags is an advanced configuration feature that is supported by Amazon Connect and that follows the AWS shared responsibility model. Ensure that you have read the documentation and understand the implications of applying granular permission configurations. For more information, review the [AWS shared responsibilities model](https://aws.amazon.com/compliance/shared-responsibility-model/).
+ Track who accesses recordings.

   In the **Analytics and Optimization** permission group, you can enable a download icon for recorded conversations. When members of this group go to **Analytics and optimization**, **Contact search**, and then search contacts, they will see an icon to download recordings. 
**Important**  
This setting isn't a security feature. **Users who don't have this permission can still download recordings using other less-discoverable ways**.

  We recommend that you track who in your organization accesses recordings.
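As an added example (not part of the AWS documentation), the following Python reviews CloudTrail records for the two changes the list above singles out: `UpdateUserIdentityInfo` calls that point a user's email at a domain outside your organization (the setup for an email-based password reset), and `UpdateUserSecurityProfiles` calls that grant the Admin security profile. The records are constructed; the `requestParameters` field names follow CloudTrail's usual lower-camel-case convention and should be verified against a real event from your own trail. The corporate domain list and the Admin profile ID are assumptions.

```python
import json

# Assumptions for this example: your mail domains, and the ID of the Admin
# security profile in your instance (look it up with ListSecurityProfiles).
CORPORATE_DOMAINS = {"example.com"}
ADMIN_SECURITY_PROFILE_ID = "sp-admin-0001"
WATCHED = {"UpdateUserIdentityInfo", "UpdateUserSecurityProfiles"}

# Constructed CloudTrail log file (the shape CloudTrail delivers to S3).
# Field casing inside requestParameters is assumed; check it against a real event.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "connect.amazonaws.com", "eventName": "UpdateUserIdentityInfo",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/connect-admin"},
     "requestParameters": {"instanceId": "inst-example", "userId": "user-0001",
                           "identityInfo": {"email": "jane.doe@example.com"}}},
    {"eventSource": "connect.amazonaws.com", "eventName": "UpdateUserIdentityInfo",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/helpdesk-bob"},
     "requestParameters": {"instanceId": "inst-example", "userId": "user-0002",
                           "identityInfo": {"email": "jane.doe@mail-attacker.test"}}},
    {"eventSource": "connect.amazonaws.com", "eventName": "UpdateUserSecurityProfiles",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/helpdesk-bob"},
     "requestParameters": {"instanceId": "inst-example", "userId": "user-0002",
                           "securityProfileIds": ["sp-agent-0001", "sp-admin-0001"]}},
    {"eventSource": "connect.amazonaws.com", "eventName": "UpdateUserSecurityProfiles",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
     "errorCode": "AccessDeniedException",
     "requestParameters": {"instanceId": "inst-example", "userId": "user-0005",
                           "securityProfileIds": ["sp-admin-0001"]}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup"},
     "requestParameters": {"bucketName": "logs"}},
]})


def review_events(records):
    """Return findings for email changes to outside domains and Admin grants.

    Records with an errorCode are skipped because the change did not take
    effect; a burst of denied attempts is itself worth a separate alert.
    """
    findings = []
    for rec in records:
        if rec.get("eventSource") != "connect.amazonaws.com" or rec.get("eventName") not in WATCHED:
            continue
        if rec.get("errorCode"):
            continue
        params = rec.get("requestParameters") or {}
        base = {"event": rec["eventName"], "user": params.get("userId"),
                "actor": rec.get("userIdentity", {}).get("arn")}
        if rec["eventName"] == "UpdateUserIdentityInfo":
            email = (params.get("identityInfo") or {}).get("email") or ""
            domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
            if domain and domain not in CORPORATE_DOMAINS:
                findings.append({**base, "detail": f"email set to non-corporate domain {domain}"})
        else:
            granted = params.get("securityProfileIds") or []
            if ADMIN_SECURITY_PROFILE_ID in granted:
                findings.append({**base, "detail": "Admin security profile granted"})
    return findings


def review_log(text):
    """Parse one CloudTrail log file (JSON with a Records array) and review it."""
    return review_events(json.loads(text)["Records"])


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Run `review_log` over each log file CloudTrail delivers to S3, or wire `review_events` into a Lambda fed by EventBridge for near-real-time alerting. The two findings it raises on the sample are the chain the best practice warns about: the same helpdesk identity redirects a user's email to an outside domain and then grants that user the Admin profile.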

# Inherited permissions for Amazon Connect and Contact Control Panel (CCP) security profiles


Some security profiles include inherited permissions: when you give a user explicit permissions to **View** or **Edit** one resource type, such as queues, they implicitly inherit permissions to **View** another resource type, such as phone numbers.

For example, assume you explicitly grant someone permission to **Edit/View** queues, as shown in the following image: 

![\[The security profile permissions section of the security profiles page.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/inherited-permissions.png)


By doing this you also implicitly grant them permissions to **View** a list of all phone numbers and hours of operation in your Amazon Connect instance, **when they add them to the queue**. On the **Add new queue** page, the available phone numbers and hours of operation appear in dropdown lists, as shown in the following image. 

![\[The add new queue page, the hours of operation dropdown list, the outbound caller id number dropdown list.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/drop-down-permissions.png)


However, the user doesn't have permissions to **Edit** the phone numbers and hours of operation. 

In this case, they also don't inherit permissions to **View** contact flows (the outbound whisper flow) and quick connects because those resources are optional.

## List of inherited permissions


The following table lists permissions that are implicitly inherited when you assign dedicated permissions to a user. 

**Tip**  
When a user has only explicit **View** permissions and not also **Edit** permissions, the objects are retrieved but Amazon Connect doesn't surface them in drop-down lists for the user to peruse.


| Dedicated permission | Inherited permissions | 
| --- | --- | 
|  Users - View or Edit  |  When someone edits a user's information in the Amazon Connect console, they can **view** the following information in drop-down boxes when they add it to the user's account:  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/inherited-permissions.html)  | 
|  Queues - View or Edit  | When someone edits queues in the Amazon Connect console, they can **view** the following information in drop-down and search boxes when they add it to the queue: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/inherited-permissions.html)  | 
|  Quick connects - View  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/inherited-permissions.html)  | 
|  Quick connects - Edit  |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/inherited-permissions.html)  | 
|  Phone numbers - View or Edit  |  When someone edits phone numbers in the Amazon Connect console (not the CCP), they can **view** the following information in a drop-down box when they associate it with the phone number:  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/inherited-permissions.html)  | 

# List of security profile permissions in Amazon Connect

This topic is for administrators and contact center managers who assign and manage security profile permissions in Amazon Connect. 

Security profile permissions allow users access to perform specific tasks in the Amazon Connect admin website.

The following tables list: 
+ **UI name**: The name of the permission as it appears on the **Security profiles** page in Amazon Connect.
+ **API name**: The name of the permission when it is returned by the [ListSecurityProfilePermissions](https://docs.aws.amazon.com/connect/latest/APIReference/API_ListSecurityProfilePermissions.html) API.

  For a list of all APIs that you can use to manage security profile permissions, see [Security profile actions](https://docs.aws.amazon.com/connect/latest/APIReference/security-profiles-api.html).
+ **Use**: The functionality granted by the permission.

## Amazon Q



| UI name | API name | Use | 
| --- | --- | --- | 
| AI agents  |  QConnectAIAgents.View QConnectAIAgents.Edit QConnectAIAgents.Create QConnectAIAgents.Delete  | [Create and manage AI agents](create-ai-agents.md).  | 
| AI prompts  |  QConnectAIPrompts.View QConnectAIPrompts.Edit QConnectAIPrompts.Create QConnectAIPrompts.Delete  | [Create and manage AI prompts](create-ai-prompts.md).  | 
| AI guardrails  |  QConnectGuardrails.View QConnectGuardrails.Edit QConnectGuardrails.Create QConnectGuardrails.Delete  | [Create and manage AI guardrails](create-ai-guardrails.md).  | 

## Routing



| UI name | API name | Use | 
| --- | --- | --- | 
| Routing profiles - Create  |  RoutingPolicies.Create  | [Create routing profiles](routing-profiles.md).  | 
| Routing profiles - Edit  |  RoutingPolicies.Edit  | Edit routing profiles.  | 
| Routing profiles - View  |  RoutingPolicies.View  | View routing profiles.  | 
| Quick connects - Create  |  TransferDestinations.Create  | [Create quick connects](quick-connects.md).  | 
| Quick connects - Delete  |  TransferDestinations.Delete  | [Delete quick connects](quick-connects-delete.md).  | 
| Quick connects - Edit  |  TransferDestinations.Edit  | Edit quick connects.  | 
| Quick connects - View  |  TransferDestinations.View  | View quick connects. Agents need this permission so they can view quick connects in the agent application to transfer calls.  | 
| Hours of operation - Create  |  HoursOfOperation.Create  | [Set hours of operation and timezone for a queue](set-hours-operation.md).   | 
| Hours of operation - Delete  |  HoursOfOperation.Delete  | Delete hours of operation and timezone for a queue.  | 
| Hours of operation - Edit  |  HoursOfOperation.Edit  | Edit hours of operation and timezone for a queue.  | 
| Hours of operation - View  |  HoursOfOperation.View  | View hours of operation and timezone for a queue.  | 
| Queues - Create  |  Queues.Create  | [Create queues](create-queue.md).  | 
| Queues - Edit  |  Queues.Edit  | Edit information for a queue, such as name, description, and hours of operation.  | 
| Queues - Enable / Disable  |  Queues.EnableAndDisable  | [Enable and disable queues](disable-a-queue.md) to quickly control the flow of contacts to queues temporarily.  | 
| Queues - View  |  Queues.View  | View a list of queues in your Amazon Connect instance.  | 
| Task templates - Create  |  TaskTemplates.Create  | [Create task templates](task-templates.md).  | 
| Task templates - Delete  |  TaskTemplates.Delete  | Delete task templates.  | 
| Task templates - Edit  |  TaskTemplates.Edit  | Edit task templates.  | 
| Task templates - View  |  TaskTemplates.View  | View task templates.  | 
| Predefined attributes - View  |  PredefinedAttributes.View  | View predefined attributes.  | 
| Predefined attributes - Edit  |  PredefinedAttributes.Edit  | Edit predefined attributes.  | 
| Predefined attributes - Create  |  PredefinedAttributes.Create  | [Create predefined attributes for routing contacts to agents](predefined-attributes.md).   | 
| Predefined attributes - Delete  |  PredefinedAttributes.Delete  | Delete predefined attributes.  | 
| Data tables - Create | DataTables.Create | [Create and configure data tables](data-tables.md). | 
| Data tables - Delete | DataTables.Delete | Delete data tables. | 
| Data tables - Edit | DataTables.Edit | Edit metadata and values for data tables. | 
| Data tables - View | DataTables.View | View data tables. | 
| Data tables - Manage values | DataTables.ManageValues | Manage data table values. | 
| Data tables - Edit expressions | DataTables.EditExpressionValues | Edit data table value expressions. | 

## Channels and flows



| UI name | API name | Use | 
| --- | --- | --- | 
| Prompts - Create |  Prompts.Create  | [Create prompts](prompts.md).  | 
| Prompts - Delete |  Prompts.Delete  | Delete prompts.  | 
| Prompts - Edit |  Prompts.Edit  | Edit prompts.  | 
| Prompts - View |  Prompts.View  | View a list of available prompts.  | 
| Flows - Create |  ContactFlows.Create  | [Create flows](create-contact-flow.md).  | 
| Flows - Remove |  ContactFlows.Delete  | [Delete flows](delete-contact-flow.md).  | 
| Flows - Edit |  ContactFlows.Edit  | Edit flows.  | 
| Flows - Publish |  ContactFlows.Publish  | Publish flows.  | 
| Flows - View |  ContactFlows.View  | View flows.  | 
| Flow modules - Create |  ContactFlowModules.Create  | [Create flow modules for reusable functions](contact-flow-modules.md).   | 
| Flow modules - Remove |  ContactFlowModules.Delete  | Delete flow modules.  | 
| Flow modules - Edit |  ContactFlowModules.Edit  | Edit flow modules.  | 
| Flow modules - Publish |  ContactFlowModules.Publish  | Publish flow modules.  | 
| Flow modules - View |  ContactFlowModules.View  | View flow modules.  | 
| Bots |  Bots.Create  | [Create a bot by using the Amazon Connect admin website](work-bot-building-experience.md).  | 
| Bots |  Bots.View Bots.Edit  | [Evaluate the performance of your conversational AI bot in Amazon Connect](lex-bot-analytics.md).   | 
| Bots |  Bots.Delete  | Remove a bot.  | 
| Phone numbers - Claim |  PhoneNumbers.Claim  | [Claim phone numbers](get-connect-number.md).  | 
| Phone numbers - Edit |  PhoneNumbers.Edit  | Edit phone numbers. [Attach a claimed or ported phone number to a flow in Amazon Connect](associate-claimed-ported-phone-number-to-flow.md).   | 
| Phone numbers - Release |  PhoneNumbers.Release  | [Release phone numbers back to inventory](release-phone-number.md).  | 
| Phone numbers - View |  PhoneNumbers.View  | View a list of phone numbers that have been claimed or ported to your Amazon Connect instance.  | 
| Communication widget - Enable/Disable |  ChatTestMode  | Access a simulated web page so users can [test the chat experience](chat-testing.md#test-chat). Also grant users the **ContactFlows.View** permission so they can view and choose from a list of available flows in the **Test settings** option.  | 
| Email addresses - View |    | View email addresses.  | 
| Email addresses - Edit |    | Edit email addresses.  | 
| Email addresses - Create |    | Create email addresses.  | 
| Email addresses - Remove |    | Remove email addresses.  | 
| Views - View |  Views.View  | Allow access to [Views](view-resources-sg.md).  | 
| Views - Edit |  Views.Edit  | Allow access to edit [Views](view-resources-sg.md).  | 
| Views - Create |  Views.Create  | Create custom [view](view-resources-custom-view.md) resources.  | 
| Views - Remove |  Views.Remove  | Remove View resources.   | 
| AnalyticsConnectors - Edit |  AnalyticsConnectors.Edit  | [Edit existing analytics connectors](contact-lens-integration.md).  | 
| AnalyticsConnectors - View  |  AnalyticsConnectors.View  | [View existing analytics connectors](contact-lens-integration.md).  | 

## Users and permissions



| UI name | API name | Use | 
| --- | --- | --- | 
| Users - Create |  Users.Create  | [Add users to Amazon Connect](user-management.md). We recommend you limit who has these permissions. They pose a risk to your contact center because they can do the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) Doing these things would enable someone to lock out those who need to access Amazon Connect, and allow in others who can steal customer data and damage your business.  You can limit this risk by adding [tag-based access control](tag-based-access-control.md) on the security profile. For example, you can apply tag-based access control to deny access to administrators and the Admin security profile.   | 
| Users - Delete |  Users.Delete  | [Delete users from Amazon Connect](delete-users.md).  | 
| Users - Edit |  Users.Edit  | View and edit all user identity information *except* for security profiles. As with **Users - Create**, limit who has these permissions because they pose a risk to your contact center.  | 
| Users - Edit permission |  Users.EditPermission  | View and edit user security profiles. As with **Users - Create**, limit who has these permissions because they pose a risk to your contact center.  | 
| Users - View |  Users.View  | View user records. [Download or export a list of users](download-user-records.md) from your Amazon Connect instance to a CSV file.  | 
| Agent hierarchy - Create |  AgentGrouping.Create  | [Create agent hierarchies](agent-hierarchy.md). Add groups, teams, and agents.  | 
| Agent hierarchy - Edit |  AgentGrouping.Edit  | Edit agent hierarchies and the hierarchy level structure.   | 
| Agent hierarchy - Enable/Disable |  AgentGrouping.EnableAndDisable  | View or edit agent hierarchy information.  | 
| Agent hierarchy - View |  AgentGrouping.View  | View the agent's hierarchy information in a real-time metrics report, which can include their location and skill set data.  | 
| Security profiles - Create |  SecurityProfiles.Create  | [Create security profiles](create-security-profile.md).  | 
| Security profiles - Delete |  SecurityProfiles.Delete  | Delete security profiles.  | 
| Security profiles - Edit |  SecurityProfiles.Edit  | [Update security profiles](update-security-profiles.md).  | 
| Security profiles - View |  SecurityProfiles.View  | View security profiles.  | 
| Agent status - Create |  AgentStates.Create  | [Create a custom agent status](agent-custom.md). The status appears in the Contact Control Panel (CCP), such as Break, Lunch, or Training.   | 
| Agent status - Edit |  AgentStates.Edit  | Edit a custom agent status.  | 
| Agent status - Enable/Disable |  AgentStates.EnableAndDisable  | View and edit custom agent states.  | 
| Agent status - View |  AgentStates.View  | [View an agent's status in the real-time metrics report](rtm-change-agent-activity-state.md) and historical metrics report. For example, if they are **Available**, **Offline**, or in a custom state. View their status in the [Agent activity report](agent-activity-audit-report.md).  | 
| Workspaces - Create | Workspaces.Create | [Set up workspaces for your admin website users](amazon-connect-workspaces.md). | 
| Workspaces - Delete | Workspaces.Delete | Delete workspaces. | 
| Workspaces - Edit | Workspaces.Edit | Edit workspaces. | 
| Workspaces - View | Workspaces.View | View workspaces. | 
| Workspaces - Assign | Workspaces.Assign | Assign workspaces to users and routing profiles. | 
| Workspaces - Edit visibility | Workspaces.EditVisibility | Edit workspaces to be visible to all users, no users, or based on assignments. | 

## Contact Control Panel (CCP)



| UI name | API name | Use | 
| --- | --- | --- | 
| Access Contact Control Panel |  BasicAgentAccess  | Manages access to the Contact Control Panel (CCP). Assign this permission to agents as well as managers who need to monitor live conversations.  | 
| Contact Lens data |  RealtimeContactLens.View  | Enables users to view real-time analytics provided by Contact Lens.  | 
| Make outbound calls |  OutboundCallAccess  | Grants users permissions to make outbound calls. For more information about setting up outbound calling, see [Set up outbound calling in Amazon Connect](outbound-communications.md).  | 
| Voice ID |  VoiceId.Access  | Enables controls in the Contact Control Panel so agents can: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html)  | 
| Restrict task creation |  RestrictTaskCreation.Access  | Block agents from being able to create tasks.   | 
| Audio device settings |  AudioDeviceSettings.Access  | [Choose your preferred device for speaker, microphone, and ringer in the Contact Control Panel (CCP) or agent workspace](audio-device-settings.md).   | 
| Video calls |  VideoContact.Access  | [Enable agents to use video calling and screen sharing](config-com-widget1.md#agent-cx-cw).   | 
| Initiate email conversation |  OutboundEmail.Create  | Allows agents to initiate an outbound email from the Contact Control Panel / Agent workspace without first receiving an email contact from a customer. Allows agents to forward email contacts to external email addresses or distribution lists. Allows agents to reply to closed email contacts.  | 
| Allow self assigning of contacts |  SelfAssignContacts.Access  | To self-assign tasks, agents also need to have the **Restrict task creation** permission disabled and have tasks enabled as a channel within their assigned routing profile.   | 

## Analytics and Optimization



| UI name | API name | Use | 
| --- | --- | --- | 
| Access metrics |  AccessMetrics  | [Assign permissions to view dashboards and reports](dashboard-required-permissions.md).  | 
| Real-time metrics |  AccessMetrics.RealTimeMetrics.Access  | Manage access to the real-time metrics page.  | 
| Historical metrics |  AccessMetrics.HistoricalMetrics.Access  | Manage access to the historical metrics page.  | 
| Agent activity audit |  AccessMetrics.AgentActivityAudit.Access  | Manage access to the agent activity audit within the historical metrics page.  | 
| Dashboards |  AccessMetrics.Dashboards.Access  | [Dashboards in Amazon Connect for getting contact center performance data](dashboards.md) | 
| View my own data in dashboards - View |  AccessMetrics.DashboardsWithMyData.View  |  Grants access to the Dashboards to view individual agent performance metrics and the metrics of queues in the agent's routing profile. For more information, see [Agent workspace performance dashboard](performance-dashboard-aw.md).   | 
| Custom metrics |  CustomMetrics.Create CustomMetrics.View CustomMetrics.Edit CustomMetrics.Delete CustomMetrics.Publish  |  Grants access to [create and manage custom service level metric calculations](dashboard-customize-widgets.md#dashboard-custom-sl) for any widget on a dashboard.  | 
| Contact Search |  ContactSearch.View  | Access the **Contact search** page, which is where users can [search for contacts](contact-search.md) and see results on the **Contact details** page.  | 
| View my contacts |  MyContacts.View  | Allows agents to view contacts that they themselves have handled, on the **Contact search** and **Contact details** pages.  | 
| Sample contacts |  ContactSearchSampleContacts.View  | Find a [random sample of contacts](random-sampling-of-contacts-for-evaluation.md) for evaluating agent performance and contact quality, e.g. 5 contacts per agent from last month.  | 
| Search contacts by conversation characteristics |  ContactSearchWithCharacteristics.Access  | Access to the Contact Lens filters that enable users to search by sentiment scores, non-talk time, and category.  | 
| Search contacts by conversation characteristics - View |  ContactSearchWithCharacteristics.View  | View the Contact Lens filters that enable users to search by sentiment scores, non-talk time, and category.   | 
| Search contacts by keywords |  ContactSearchWithKeywords.Access  | Search for contacts by keyword. On the **Contact Search** page, users can access additional filters that allow them to search Contact Lens transcripts by keywords or phrases, such as "thank you for your business."  | 
| Search contacts by keywords - View |  ContactSearchWithKeywords.View  | Search for contacts by keyword. On the **Contact Search** page, users can access additional filters that allow them to search Contact Lens transcripts by keywords or phrases, such as "thank you for your business."  | 
| Configure searchable contact attributes - View |  ConfigureContactAttributes.View  | Determine which custom attribute data is searchable (by people who have the **Contact attributes** permission). The permission also grants access to the **Searchable custom contact attributes** page. For more information, see [Search for contacts in Amazon Connect by using custom contact attributes or contact segment attributes](search-custom-attributes.md).  | 
| Restrict contact access |  RestrictContactAccessByHierarchy.View  | Manage a user's access to results on the **Contact search** page based on their agent hierarchy group. For more information, see [Manage who can search for contacts and access detailed information](contact-search.md#required-permissions-search-contacts).  | 
| Contact attributes |  ContactAttributes.View  | View contact attributes. Also controls access to the search filters based on contact attributes. For more information, see [Search for contacts in Amazon Connect by using custom contact attributes or contact segment attributes](search-custom-attributes.md).  | 
| Contact Lens - conversational analytics - View |  GraphTrends.View  | On the **Contact details** page for a contact, users can view conversational analytics outputs such as graphs (on sentiment, talk time, and other various outputs), sentiment indicators, and contact category labels on conversation recordings and transcripts. Users can view data on the [Amazon Connect Contact Lens conversational analytics dashboard](contact-lens-conversational-analytics-dashboard.md).  | 
| Contact Lens - post-contact summary | ContactLensPostContactSummary.View | View post-contact summarization powered by generative artificial intelligence (generative AI) on the Contact Search and Contact Details pages. | 
| Contact Lens - custom vocabularies - Edit |  ContactLensCustomVocabulary.Edit  | [Add custom vocabularies](add-custom-vocabulary.md).   | 
| Contact Lens - custom vocabularies - View |  ContactLensCustomVocabulary.View  | [Download and view custom vocabularies](add-custom-vocabulary.md#view-custom-vocabulary).  | 
| Contact Lens - theme detection - Create |  ThemeDetection.Create  | [Create theme detection reports on the **Contact search** page](use-theme-detection.md).  | 
| Contact Lens - theme detection - View |  ThemeDetection.View  | View theme detection reports on the **Contact search** page.   | 
| Contact Lens - theme detection - Delete |  ThemeDetection.Delete  | Delete theme detection reports on the **Contact search** page.   | 
| Rules - Create |  Rules.Create  | [Create rules](connect-rules.md).   | 
| Rules - Delete |  Rules.Delete  | Delete rules.   | 
| Rules - Edit |  Rules.Edit  | Edit rules.   | 
| Rules - Generative AI |  RulesGenerativeAI.Create RulesGenerativeAI.View RulesGenerativeAI.Edit RulesGenerativeAI.Delete  | Manage rules that use generative AI. To create generative AI-powered rules, you additionally need the **Rules** permission.   | 
| Rules - View |  Rules.View  | View rules.   | 
| Login/Logout report - View |  AgentTimeCard.View  |  [View Login/Logout reports](login-logout-reports.md).   | 
| Real-time contact monitoring - Enable/Disable |  ManagerListenIn  | [Monitor live conversations](monitor-conversations.md) and [listen to recordings of past conversations](review-recorded-conversations.md). Be sure to assign managers to the Agent security profile so they can access the Contact Control Panel (CCP). This enables them to monitor the conversation through the CCP.  | 
| Real-time contact barge-in - Enable/Disable |  ManagerBargeIn  | Enables supervisors and managers to barge into live conversations between agents and customers. To learn more about Barge for live conversations, see [Barge into live voice and chat conversations between contact center agents and customers](monitor-barge.md).  | 
| Saved reports - View |  MetricsReports.View  | [View a shared report](view-a-shared-report.md).  | 
| Saved reports - Create |  MetricsReports.Create MetricsReports.Share  | [Create and share reports](share-reports.md).  | 
| Saved reports - Edit |  MetricsReports.Edit  | Edit saved reports.  | 
| Saved reports - Delete |  MetricsReports.Delete  | Delete saved reports.  | 
| Saved reports - Publish |  MetricsReports.Publish  | [Publish reports](publish-reports.md) and [share reports](share-reports.md).  | 
| Saved reports - Schedule |  MetricsReports.Schedule MetricsReports.Publish ReportSchedules.Create ReportSchedules.Delete ReportSchedules.Edit ReportSchedules.View  | [Schedule a saved report](schedule-historical-metrics-report.md). By default, the user gets permission to create, delete, edit, and view a saved report.  | 
| Saved reports (admin) |  ReportsAdmin.View  ReportsAdmin.Delete   | [View and delete all saved reports in your instance, including those not created by you](manage-saved-reports-admin.md).  | 
| Evaluation forms - perform evaluations |   Evaluation.Create Evaluation.View  Evaluation.Edit Evaluation.Delete  | [Evaluate performance](evaluations.md).   | 
| Evaluation forms - manage form definitions |  EvaluationForms.Create EvaluationForms.View  EvaluationForms.Edit EvaluationForms.Delete  | [Create and manage evaluation forms](create-evaluation-forms.md).   | 
| Evaluation forms - ask AI assistant |  EvaluationAssistant.Access  | Access the **Ask AI** button while performing evaluations, enabling the user to get generative AI-powered recommendations for answers to questions in evaluation forms.  | 
| Evaluation forms - manage calibration sessions  |  EvaluationCalibrationSessions.Create EvaluationCalibrationSessions.Delete EvaluationCalibrationSessions.Edit EvaluationCalibrationSessions.View  | Create and manage calibration sessions to drive consistency and accuracy in how managers evaluate agent performance.  | 
| Coaching - my coaching sessions - View |  MyCoachingSessions.View  | View [coaching sessions](provide-coaching.md) where you are the coach or the participant. If you are the participant, you can acknowledge the coaching session with this permission.  | 
| Coaching - my coaching sessions - Create, Edit, Delete |  MyCoachingSessions.Create MyCoachingSessions.Delete MyCoachingSessions.Edit  | Create, edit or delete coaching sessions with yourself as the coach.  | 
| Coaching - manage coaching sessions |  CoachingSessions.Create CoachingSessions.Delete CoachingSessions.Edit CoachingSessions.View  | Access coaching sessions performed by yourself or others. This permission enables you to [create coaching](provide-coaching.md) with yourself or others as the coach.  | 
| Evaluation forms - review evaluations - Create |  EvaluationReviews.Create  | Perform evaluation reviews.  | 
| Evaluation forms - review evaluations - View |  EvaluationReviews.View  | View evaluation review drafts before they are finalized.  | 
| Evaluation forms - request evaluation reviews |  EvaluationReviewRequest.View EvaluationReviewRequest.Create EvaluationReviewRequest.Delete  | [Request evaluation reviews](evaluation-review-requests.md) if the evaluation form has review requests enabled.  | 
| Voice ID - attributes and search |  VoiceIdAttributesAndSearch.View  | Search for and view Voice ID results on the **Contact detail** page.  | 
| Forecasting - View |  Forecasting.View  | [Review contact volume and average handle time forecasts](inspect-forecast.md).  | 
| Forecasting - Edit |  Forecasting.Edit  |  [Create and edit contact volume and average handle time forecasts](create-forecasts.md).   | 
| Forecasting - Publish |  Forecasting.Publish  | [Publish a forecast in Amazon Connect](publish-forecast.md).  | 
| Capacity planning - View |  Capacity.View  | [Review capacity plan output in Amazon Connect](capacity-planning-review-output.md).  | 
| Capacity planning - Edit |  Capacity.Edit  | [Create capacity planning scenarios in Amazon Connect](capacity-planning-create-scenarios.md).  | 
| Capacity planning - Publish |  Capacity.Publish  | [Publish a capacity plan in Amazon Connect](publish-capacity-plan.md).  | 
| Forecast and schedule interval - Edit and View |  ForecastScheduleInterval.Edit  ForecastScheduleInterval.View  |  [Set the forecast and schedule interval in Amazon Connect](set-forecast-scheduling-interval.md).   | 

## Recordings and Transcripts



| UI name | API name | Use | 
| --- | --- | --- | 
| Call recordings (unredacted) - Access |  CallRecordings.Unredacted.Access  | On the **Contact details** and **Contact search** pages for a contact, view unredacted audio recordings. If you have BOTH **Call recordings (unredacted) - Access** and **Call recordings (redacted) - Access** permissions:  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) You cannot access both the redacted and unredacted versions of a conversation at the same time.  | 
| Call recordings (redacted) - Access |  CallRecordings.Redacted.Access  | On the **Contact details** and **Contact search** pages for a contact, listen to call recordings in which the sensitive data has been redacted. | 
| Contact transcripts (unredacted) - Access |  ContactTranscripts.Unredacted.Access  | On the **Contact details** and **Contact search** pages for a contact, view unredacted chat and email conversations, and unredacted voice transcripts produced by Contact Lens. If you have BOTH **Contact transcripts (unredacted) - Access** and **Contact transcripts (redacted) - Access** permissions: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) You cannot access both the redacted and unredacted versions of a conversation at the same time.  | 
| Contact transcripts (redacted) - Access |  ContactTranscripts.Redacted.Access  | On the **Contact details** and **Contact search** pages for a contact, view chat and voice transcripts in which the sensitive data has been redacted. | 
| Call recordings (unredacted) - Enable download button |  CallRecordings.Unredacted.DownloadButton  | Enables buttons to download call recordings when user is viewing the unredacted recording on the **Contact Search** and **Contact Details** pages. The **Enable download button** permission is selected by default when you select **Call recordings (unredacted)** permission, so the user can [download call recordings](download-recordings.md) through the Amazon Connect admin website.  This permission only controls the ability to view the download button. The user may still be able to download the contact recording without this permission if they have the **Call recordings (unredacted) - Access** permission.   | 
| Call recordings (redacted) - Enable download button |  CallRecordings.Redacted.DownloadButton  | Enables buttons to download call recordings when user is viewing the redacted recording on the **Contact Search** and **Contact Details** pages. The **Enable download button** permission is selected by default when you select **Call recordings (redacted)** permission, so the user can [download call recordings](download-recordings.md) through the Amazon Connect admin website.  This permission only controls the ability to view the download button. The user may still be able to download the contact recording without this permission if they have the **Call recordings (redacted) - Access** permission.   | 
| Contact transcripts (unredacted) - Enable download button |  ContactTranscripts.Unredacted.DownloadButton  | Enables buttons to download contact transcripts when the user is viewing the unredacted transcript on the **Contact Search** and **Contact Details** pages. The **Enable download button** permission is selected by default when you select the **Contact transcripts (unredacted)** permission so the user can [download contact transcripts](download-recordings.md) through the Amazon Connect admin website.  This permission only controls the ability to view the download button. The user may still be able to download the contact transcript without this permission if they have the **Contact transcripts (unredacted) - Access** permission.  A button appears on the **Contact Search** and **Contact Details** pages to download unredacted transcripts for chat and email.  | 
| Delete recorded conversations |  DeleteCallRecordings  | Delete call recordings and contact transcripts. | 
| Screen recording - Access |  ScreenRecording.Access  | Access the screen recording media player and view videos on the Contact details page.  Screen recording merges the screen recording video with the unredacted call recording file. If users have permission to view screen recordings, they can listen to the unredacted audio.   | 
| Automated interaction voice (IVR) recordings (unredacted) - Access |  AutomatedVoiceInteraction.Recordings.Unredacted.Access  |  Access voice recordings of automated interactions (with IVR, Amazon Lex or other bots). View the Play icon so users can listen to prompts while reviewing the automated interaction logs on the Amazon Connect admin website.  | 
| Automated interaction voice (IVR) recordings (unredacted) - Enable download button |  AutomatedVoiceInteraction.Recordings.Unredacted.DownloadButton  | Enables buttons to download and delete call recordings. The **Enable download button** permission is selected by default when you select the **Automated interaction voice (IVR) recordings** permission so the user can [download call recordings](download-recordings.md) through the Amazon Connect admin website. To perform a download, however, the user needs the **Automated interaction voice (IVR) recordings (unredacted) - Access** permission.  | 
| Automated interaction voice (IVR) transcripts (unredacted) |  AutomatedVoiceInteraction.Transcripts.Unredacted.Access  | Access human-readable logs of the IVR interaction including keypad inputs in response to IVR prompts, transcripts of Amazon Lex interactions, and more, on the **Contact details** and **Contact search** pages. | 

## Legacy permissions


The following table lists legacy permissions. You cannot access these permissions through the **Security Profiles** page. 

Existing security profiles that have these permissions continue to work. However, note the following: 
+ When you edit a security profile that contains legacy permissions, Amazon Connect automatically migrates the legacy permissions to the new corresponding permissions when you choose **Save** on the **Security Profiles** page. 
+ You can still add legacy permissions to security profiles by using the [CreateSecurityProfile](https://docs.aws.amazon.com/connect/latest/APIReference/API_CreateSecurityProfile.html) and [UpdateSecurityProfile](https://docs.aws.amazon.com/connect/latest/APIReference/API_UpdateSecurityProfile.html) APIs.
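The audit below is an added example, not code from the AWS documentation. It uses the API names from the tables on this page to flag profiles that hold the permissions the **Users and permissions** and **Recordings and Transcripts** sections say to limit, and applies the legacy-to-new mapping from the table that follows so you can preview what a profile will contain after **Save**. The sample profile data is constructed; the `fetch_profiles` helper assumes a boto3 `connect` client with the `NextToken` paging of ListSecurityProfiles and ListSecurityProfilePermissions, and is not exercised by the sample.

```python
"""Audit Amazon Connect security profiles for high-risk and legacy permissions.

Added example; the profile data below is constructed, not read from an instance.
"""

# Permissions this page recommends limiting (Users - Create / Edit / Edit permission)
# plus the permissions that expose unredacted customer content.
HIGH_RISK = {
    "Users.Create": "adds users (can lock out or let in accounts)",
    "Users.Edit": "edits user identity information",
    "Users.EditPermission": "changes which security profiles a user holds",
    "CallRecordings.Unredacted.Access": "hears unredacted call recordings",
    "ContactTranscripts.Unredacted.Access": "reads unredacted transcripts",
    "ScreenRecording.Access": "screen recordings carry unredacted audio",
}

# Legacy permission -> permissions Amazon Connect migrates it to on Save,
# as listed in the "Legacy permissions" table of this page.
LEGACY_MIGRATION = {
    "RedactedData.View": [
        "CallRecordings.Redacted.Access",
        "ContactTranscripts.Redacted.Access",
    ],
    "ListenCallRecordings": [
        "CallRecordings.Unredacted.Access",
        "ContactTranscripts.Unredacted.Access",
    ],
    "DownloadCallRecordings": [
        "CallRecordings.Unredacted.DownloadButton",
        "CallRecordings.Redacted.DownloadButton",
        "ContactTranscripts.Unredacted.DownloadButton",
    ],
}

# Constructed sample: profile name -> permissions in the form that
# ListSecurityProfilePermissions returns them. Not real instance data.
SAMPLE_PROFILES = {
    "Admin": ["Users.Create", "Users.Delete", "Users.Edit", "Users.EditPermission",
              "SecurityProfiles.Edit", "CallRecordings.Unredacted.Access",
              "ContactTranscripts.Unredacted.Access"],
    "Agent": ["BasicAgentAccess", "OutboundCallAccess", "TransferDestinations.View"],
    "QualityAnalyst": ["ContactSearch.View", "Evaluation.Create", "Evaluation.View",
                       "RedactedData.View"],
    "LegacySupervisor": ["ManagerListenIn", "ListenCallRecordings",
                         "DownloadCallRecordings", "RedactedData.View"],
}


def migrate_legacy(permissions):
    """Permission set the profile holds after Connect replaces legacy permissions
    on Save: each legacy name is dropped and its replacements are added."""
    migrated = set(permissions)
    for legacy, replacements in LEGACY_MIGRATION.items():
        if legacy in migrated:
            migrated.discard(legacy)
            migrated.update(replacements)
    return migrated


def audit_profiles(profiles):
    """Return per-profile findings. High-risk checks run on the post-migration
    set so that e.g. ListenCallRecordings is caught as unredacted access."""
    findings = {}
    for name, perms in profiles.items():
        current = set(perms)
        after = migrate_legacy(current)
        findings[name] = {
            "high_risk": sorted(p for p in after if p in HIGH_RISK),
            "legacy": sorted(p for p in current if p in LEGACY_MIGRATION),
            "after_migration": sorted(after),
            # The page notes a user cannot open both versions at once; flag
            # profiles that end up granting both, since one of them is redundant.
            "has_both_recording_versions": {
                "CallRecordings.Unredacted.Access",
                "CallRecordings.Redacted.Access",
            } <= after,
        }
    return findings


def holders(profiles, permission):
    """Profiles granting `permission`, now or after legacy migration."""
    return sorted(n for n, p in profiles.items() if permission in migrate_legacy(p))


def fetch_profiles(connect_client, instance_id):
    """Collect {name: [permissions]} from a live instance. Assumption: a boto3
    'connect' client and NextToken paging on both list calls. Not run here."""
    profiles, kwargs = {}, {"InstanceId": instance_id}
    while True:
        page = connect_client.list_security_profiles(**kwargs)
        for summary in page["SecurityProfileSummaryList"]:
            perms = []
            pk = {"InstanceId": instance_id, "SecurityProfileId": summary["Id"]}
            while True:
                resp = connect_client.list_security_profile_permissions(**pk)
                perms.extend(resp.get("Permissions", []))
                if "NextToken" not in resp:
                    break
                pk["NextToken"] = resp["NextToken"]
            profiles[summary["Name"]] = perms
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]
    return profiles


if __name__ == "__main__":
    for name, f in audit_profiles(SAMPLE_PROFILES).items():
        print(f"{name}: high-risk={f['high_risk']} legacy={f['legacy']} "
              f"both-versions={f['has_both_recording_versions']}")
    print("Can change user permissions:", holders(SAMPLE_PROFILES, "Users.EditPermission"))
```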


| UI name | API name | Use | 
| --- | --- | --- | 
| Recorded conversations (redacted) - View |  RedactedData.View  | On the **Contact Details** and **Contact Search** pages for a contact, listen to call recording files and view call transcripts in which the sensitive data has been removed.  If you edit a security profile containing the **Recorded conversations (redacted) - View** permission, it will automatically be migrated to contain the new corresponding permissions (**Call recordings (redacted) - Access** and **Contact transcripts (redacted) - Access**) when you choose **Save** on the **Security Profiles** page.  To grant access to redacted recorded conversations: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) You can access both newly migrated permissions in the **Recordings and Transcripts** section of the **Security Profiles** page.  | 
| Recorded conversations (unredacted) - View |  ListenCallRecordings  | On the **Contact details** and **Contact search** pages for a contact, view unredacted content that contains sensitive data, such as name and credit card information. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html)  If you edit a security profile containing the **Recorded conversations (unredacted) - View** permission, it will automatically be migrated to contain the new corresponding permissions (**Call recordings (unredacted) - Access** and **Contact transcripts (unredacted) - Access**) when you choose **Save** on the **Security Profiles** page.  To grant access to unredacted recorded conversations: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) You can access both newly migrated permissions in the **Recordings and Transcripts** section on the **Security Profiles** page. If you have both **Recorded conversations (redacted) - Access** and **Recorded conversations (unredacted) - Access** permissions, then: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) You cannot access both the redacted and unredacted version of a conversation at the same time.  | 
| Recorded conversations - Enable download button |  DownloadCallRecordings  | Enables buttons on the Amazon Connect admin website to download and delete call recordings. By default, the **Enable download button** permission is granted so the user can [download call recordings](download-recordings.md) through the Amazon Connect admin website. To perform a download, however, the user needs permissions to access a **Recorded conversation (unredacted)**.  If you edit a security profile that contains the **Recorded conversations (unredacted) - Enable download button** permission, it is automatically migrated to contain the new corresponding permissions (**Call recordings (unredacted) - Enable download button**, **Call recordings (redacted) - Enable download button**, and **Contact transcripts (unredacted) - Enable download button**) when you choose **Save** on the **Security Profiles** page.  To enable the download button for recorded conversations: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/security-profile-list.html) All newly migrated permissions are located in the **Recordings and Transcripts** section on the **Security Profiles** page.  | 

## Contact Actions



| UI name | API name | Use | 
| --- | --- | --- | 
| Allow 'Assign to Me' for any contact |  ManualAssignAnyContact.Enable  | Allows an agent to view and manually assign any contact that is in the manual assignment queue.  | 
| Allow 'Assign to Me' for my contacts |  ManualAssignMyContacts.Enable  | Allows an agent to view and manually assign contacts in the manual assignment queue for which the agent is one of the preferred agents.  | 
| Transfer Contact |  TransferContact.Enabled  | [Transfer contacts on Analytics and optimization pages](transfer-contacts-admin.md). Currently transfer of task contacts to quick connects is supported on the **Contact details** page.  | 
| End contact |  StopContact.Enabled  | [End contacts on Analytics and optimization pages](end-contacts-admin.md). Currently supported on the **Contact details** page.  | 
| Reschedule contact |  UpdateContactSchedule.Enabled  | [Reschedule previously scheduled contact on Analytics and optimization pages](reschedule-contacts-admin.md). Currently supported on the **Contact details** page for task contacts only.  | 

## Historical changes



| UI name | API name | Use | 
| --- | --- | --- | 
| View historical changes |  HistoricalChanges.View  | View historical changes on all Amazon Connect admin website pages that support historical changes.  | 

## Customer Profiles



| UI name | API name | Use | 
| --- | --- | --- | 
| Customer profiles - Create |  CustomerProfiles.Create  | [Create customer profiles in the agent application](ag-cp-create.md).  | 
| Customer profiles - Edit |  CustomerProfiles.Edit  | Edit customer profiles in the agent application.  | 
| Customer profiles - View |  CustomerProfiles.View  | View customer profiles in the agent application.  | 
| Calculated Attributes - Create |  CustomerProfiles.CalculatedAttributes.Create  | [Create calculated attributes](calculated-attributes-admin-website-create.md).   | 
| Calculated Attributes - Edit |  CustomerProfiles.CalculatedAttributes.Edit  | [Edit calculated attributes](calculated-attributes-admin-website-edit.md).   | 
| Calculated Attributes - Delete |  CustomerProfiles.CalculatedAttributes.Delete  | [Delete calculated attributes](calculated-attributes-admin-website-delete.md).   | 
| Calculated Attributes - View |  CustomerProfiles.CalculatedAttributes.View  | [View calculated attributes](calculated-attributes-admin-website-view.md).  | 
| Customer segments - View |  CustomerProfiles.Segments.View  | View all customer created segments. You can see segment details, the definitions that were created, and segment estimate counts.  | 
| Customer segments - Create |  CustomerProfiles.Segments.Create  | Create segment definitions based on all profile attributes on a Customer Profiles domain associated with this instance. `Create` permissions allow creating definitions based on existing profile attributes and their values. You can also use default and created calculated attributes in the segment definition.   | 
| Customer segments - Delete |  CustomerProfiles.Segments.Delete  | `Delete` permissions allow you to delete your segment definitions.  | 
| Customer segments - Export |  CustomerProfiles.Segments.Export  | Export allows you to create an exported CSV of all the profile data from profiles in that segment. It also allows you to view underlying profile data once exported.  | 
| Profile explorer - View |  CustomerProfiles.ProfileExplorer.View  | View the profile explorer landing page and the default Domain layout.  | 
| Profile explorer - Create |  CustomerProfiles.ProfileExplorer.Create  | [Create a Domain layout](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-customer-profiles_CreateDomainLayout.html)  | 
| Profile explorer - Edit |  CustomerProfiles.ProfileExplorer.Edit  | [Edit a Domain layout](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-customer-profiles_UpdateDomainLayout.html)  | 
| Profile explorer - Delete |  CustomerProfiles.ProfileExplorer.Delete  | [Delete a Domain layout](https://docs.aws.amazon.com/connect/latest/APIReference/API_connect-customer-profiles_DeleteDomainLayout.html)  | 

## Scheduling



| UI name | API name | Use | 
| --- | --- | --- | 
| Schedule manager - View |  Scheduling.View  |  [View generated staff schedules in the Schedule manager user experience](scheduling-publish-schedule.md).   | 
| Schedule manager - Edit |  Scheduling.Edit  | [Create, edit schedule configuration and publish generated staff schedules](scheduling-publish-schedule.md).   | 
| Schedule manager - Publish |  Scheduling.Publish  | [Publish a schedule](scheduling-publish-schedule.md) by using Schedule Manager.  | 
| Published schedule calendar |  Scheduling.View  | [View](scheduling-view-schedule-staff.md) a schedule.   | 
| Time off requests - Approve, Edit, View |  TimeOff.Approve TimeOff.Edit TimeOff.View  | [Time off management](scheduling-time-off.md).   | 
| Time off balance - Edit, View |  TimeOffBalance.Edit TimeOffBalance.View  | [Time off management](scheduling-time-off.md).   | 
| Team calendar |  TeamCalendar.View  | [View published staff schedules in the Published Calendar user experience](scheduling-view-schedule-supervisors.md).   | 
| Team calendar |  TeamCalendar.Edit  | [Edit published staff schedules in the Published Calendar user experience](scheduling-view-schedule-supervisors.md).  | 

## Agent Applications



| UI name | API name | Use | 
| --- | --- | --- | 
| Agent application schedule calendar |  StaffCalendar.View StaffCalendar.Edit  | [Ability for agents to view their schedules](scheduling-view-schedule-agents.md). The **Edit** permission is required for agents to view and use the **Time off** widget on their schedule that they use to request time off. If they only have **View** permission, the **Time off** widget will not appear on their schedule. For an example image that shows the **Time off** widget on an agent's schedule, see [Agent initiated time off request](create-time-off-to.md#to-agent).  | 
| Custom views |  CustomViews.Access  | Use the [Agent Workspace guided experience](step-by-step-guided-experiences.md) guide.  | 
| Connect AI agents |  Wisdom.View  | [View real-time recommendations in the agent application](use-realtime-recommendations.md).  | 
| *<3p app name* - Access |  *<3p app name*.Access  | Allows agents to access a third-party application.  | 
| *Performance metrics* - Access |  Analytics.PerformanceMetrics.Access  | Displays the **Performance metrics** option in the **Apps** dropdown menu in the agent workspace. For more information, see [Agent workspace performance dashboard](performance-dashboard-aw.md).  | 
| *Worklist* - Access |  ManualAssignAnyContact.Enable ManualAssignMyContacts.Enable  | Allows agents to view the Worklist app, which displays contacts that can be manually assigned.  | 

## Content Management



| UI name | API name | Use | 
| --- | --- | --- | 
| Message templates - View |    | View a list of message templates in the Amazon Connect admin website.   | 
| Message templates - Edit |    | Edit message templates.   | 
| Message templates - Create |    | Create message templates.   | 
| Message templates - Delete |    | Delete message templates by using the Amazon Connect admin website.   | 
| Quick responses - Create |  ContentManagement.Create  | [Set up a knowledge base to store quick responses](setup-knowledgebase.md). [Create](create-quick-responses.md), [import](add-data.md), and [view the import history](view-import-history.md) of quick responses that are displayed in the agent application.   | 
| Quick responses - Edit |  ContentManagement.Edit  |  [Edit](edit-quick-responses.md), [import](add-data.md), and [view the import history](view-import-history.md) of quick responses that are displayed in the agent application.   | 
| Quick responses - View |  ContentManagement.View  | View a list of quick responses in the Amazon Connect admin website.  | 
| Quick responses - Delete |  ContentManagement.Delete  |  [Delete quick responses](delete-qr.md) by using the Amazon Connect admin website.  | 

## Cases



| UI name | API name | Use | 
| --- | --- | --- | 
| Audit History - View |  CaseHistory.View  | View the audit history of cases in the agent application.  | 
| Cases - Create |  Cases.Create  | [Create cases in the agent application](create-cases.md).   | 
| Cases - View |  Cases.View  | View cases in the agent application.  | 
| Cases - Edit |  Cases.Edit  | Edit cases in the agent application.  | 
| Case Fields - Create |  CaseFields.Create  | [Create case fields](case-fields.md).   | 
| Case Fields - View |  CaseFields.View  | View case fields.  | 
| Case Fields - Edit |  CaseFields.Edit  | Edit case fields.  | 
| Case Templates - Create |  CaseTemplates.Create  | [Create case templates](case-templates.md).   | 
| Case Templates - View |  CaseTemplates.View  | View case templates.  | 
| Case Templates - Edit |  CaseTemplates.Edit  | Edit case templates.  | 

## Outbound Campaigns



| UI name | API name | Use | 
| --- | --- | --- | 
| Campaigns - Create |  Campaigns.Create  | [Create outbound campaigns](how-to-create-campaigns.md).  | 
| Campaigns - Delete |  Campaigns.Delete  | Delete outbound campaigns.  | 
| Campaigns - Edit |  Campaigns.Edit  | Edit outbound campaigns.  | 
| Campaigns - Manage |  Campaigns.Delete  | Manage outbound campaigns.  | 
| Campaigns - View |     | View outbound campaigns.  | 

# Default security profiles in Amazon Connect


Amazon Connect includes default security profiles for general roles. You can review the permissions granted by these profiles and use them if they align with the permissions that your users need. Otherwise, create a security profile that grants your users only the permissions they need.

The following table lists the default security profiles.


| Security profile | Description | 
| --- | --- | 
|  **Admin**  | Grants administrators permission to perform a majority of actions.  | 
|  **Agent**  | Grants agents permission to access the CCP.  | 
|  **CallCenterManager**  |  Grants managers permission to perform actions related to user management, metrics, and routing.  | 
|  **QualityAnalyst**  | Grants analysts permission to perform actions related to metrics.  | 

**Note**  
New permissions are added on a regular basis. We recommend revisiting your permission configurations to ensure your users can access the latest Amazon Connect features.

# Assign a security profile for Amazon Connect to a contact center user


## Required permissions to assign security profiles

Before you can assign a security profile to a user, you must be logged in with an Amazon Connect account that has the **Users - Edit** permission, as shown in the following image. Or, if you're creating the user's account for the first time, you need **Users - Create** permission. 

![\[The users and permissions section of the security profiles page.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/security-profile-assign-security-profile.png)


By default, the Amazon Connect **Admin** security profile has these permissions.

## How to assign security profiles

1. Review [Best practices for Amazon Connect and Contact Control Panel (CCP) security profiles](security-profile-best-practices.md).

1. Log in to the Amazon Connect admin website at https://*instance name*.my.connect.aws/.

1. Choose **Users**, **User management**.

1. Select one or more users and choose **Edit**.

1. For **Security Profiles**, add or remove security profiles as needed. To add a security profile, put your cursor in the field and select the security profile from the list. To remove a security profile, click the **x** next to its name. 

1. Choose **Save**.

# Create a security profile in Amazon Connect


Creating a security profile enables you to grant your users only the permissions that they need.

For each permission group, there is a set of resources and a supported set of actions. For example, users are part of the **Users and permissions** group, which supports the following actions: view, edit, create, remove, enable/disable, and edit permission. 

Some actions depend on other actions. When you choose an action that depends on another action, the dependent action is automatically chosen and must also be granted. For example, if you add permission to edit users, we also add permission to view users.

## Required permissions to create security profiles

Before you can create a new security profile, you must be logged in with an Amazon Connect account that has **Security profiles - Create** permissions, as shown in the following image. 

![\[The users and permissions section of the security profiles page.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/security-profile-create.png)


By default, the Amazon Connect **Admin** security profile has these permissions.

## How to create security profiles


1. Log in to the Amazon Connect admin website at https://*instance name*.my.connect.aws/.

1. Choose **Users**, **Security profiles**.

1. Choose **Add new security profile**.

1. Type a name and description for the security profile.

1. Choose the appropriate permissions for the security profile from each permission group. For each permission type, choose one or more actions. Selecting some actions results in other actions being selected. For example, selecting **Edit** also selects **View** for the resource and any dependent resources.

1. Choose **Save**.

## Tag-based access controls

You can create a security profile with access control tags. Use these steps to create a security profile that enforces tag-based access controls.

1. Choose **Show advanced settings** at the bottom of the security profile.

1. In the **Access control** section, in the **Resources** box, enter the resources to be restricted using tags.  
![\[The access control section of the security profile page.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tag-access-control-sp.png)

1. Enter the **Key** and **Value** combination for the resource tags that you want to restrict access to.

1. Ensure that you have enabled *View* permissions for the resources that you have selected.

1. Choose **Save**.

**Note**  
It is mandatory to specify both a resource type and an access control tag when configuring tag-based access controls. As a best practice, ensure that you have matching resource tags on a security profile that has tag-based access controls configured. To learn more about tag-based access controls in Amazon Connect, see [Apply tag-based access control in Amazon Connect](tag-based-access-control.md).

## Tag security profiles

You can create a new security profile with resource tags. Use these steps to add a resource tag to a security profile.

1. Choose **Show advanced settings** at the bottom of the security profile.

1. Enter a **Key** and **Value** combination to tag the resource, as shown in the following image.  
![\[The tags section of the security profiles page.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/tag-securit-profiles-sp.png)

1. Choose **Save**.

For more information about tagging resources, see [Add tags to resources in Amazon Connect](tagging.md).

# Update security profiles in Amazon Connect


You can update a security profile at any time to add or remove permissions.

## Required permissions to update security profiles

Before you can update permissions in a security profile, you must be logged in with an Amazon Connect account that has the following permissions: **Security profiles - Edit**. 

![\[The users and permissions section of the security profiles page.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/security-profile-edit.png)


By default, the Amazon Connect **Admin** security profile has these permissions.

## How to update security profiles

1. Log in to the Amazon Connect admin website at https://*instance name*.my.connect.aws/. You must be logged in with an Amazon Connect account that has permissions to update security profiles.

1. Choose **Users**, **Security profiles**.

1. Select the name of the profile.

1. Update the name, description, permissions, access control, and resource tags as needed.

1. Choose **Save**.

**Note**  
Modifying the access control or resource tags on a security profile may impact the features or resources that a user with this security profile can access.

# Apply tag-based access control in Amazon Connect

You use tag-based access controls to configure granular access to specific resources based on assigned resource tags. You can configure tag-based access controls by using the API/SDK or the Amazon Connect admin website for supported resources.

## Apply tag-based access control using the API/SDK

To use tags to control access to resources within your AWS accounts, you need to provide tag information in the condition element of an IAM policy. For example, to control access to your Voice ID domain based on the tags you've assigned to it, use the `aws:ResourceTag/key-name` condition key, along with a specific operator like `StringEquals` to specify which tag *key:value* pair must be attached to the domain, in order to allow given actions for it.

For more detailed information on tag-based access control, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide*.

## Apply tag-based access control using the Amazon Connect admin website

A *resource* tag is a custom metadata label that you can add to a resource in order to make it easier to identify, organize, and find in a search. You can apply tags programmatically using the Amazon Connect SDK/APIs, and for certain resources you can apply tags from within the Amazon Connect console. To learn more about resource tags, see [Add tags to resources in Amazon Connect](tagging.md).

An access control tag is similar to a resource tag in that it uses the same *Key:value* structure. The distinction is that an access control tag introduces authorization controls that limit a user's access to only those resources that carry resource tags with identical *Key:value* pairs. Access control tags are defined within security profiles by first selecting the resource (routing profile, queue, users, and so on) for which to control access, and then defining the *Key:value* pair to match on. Once a security profile with access control tags has been applied to a user, it limits the user's access based on the defined combination of the selected resource(s) and access control tag(s) (*Key:value*). Without access control tags applied, a user can see all resources of a type if given permission to do so.

To use tags to control access to resources within the admin website of your Amazon Connect instance, you need to configure the access control section within a given security profile. For example, to control access to a routing profile based on the tags you've assigned to it, you would specify the routing profile as an access controlled resource, and then specify which tag *Key:value* pair you would like to enable access to.

## Configuration limitations

Access control tags are configured on a security profile. You can configure up to 4 access control tags on a single security profile. Adding additional access control tags will make that security profile more restrictive. For example, if you were to add two access control tags like `Department:X` and `Country:Y`, the user would only be able to see resources containing both tags.

Users can be assigned a maximum of three security profiles that contain access control tags. When multiple security profiles containing access control tags are assigned to a single user, the tag-based access controls become less restrictive. For example, if a user had one security profile with an access control tag like `Country:USA`, and another security profile with an access control tag like `Country:Argentina`, a user would be able to see resources tagged with `Country:USA` or `Country:Argentina`. A user can have other security profiles, as long as those additional security profiles do not contain tags. If multiple security profiles are present with overlapping resource permissions, the security profile without tag-based access controls will be enforced over the one with tag-based access controls.

Service-linked roles are required in order to configure [resource tags](https://docs.aws.amazon.com/connect/latest/adminguide/tagging.html) or [access control tags](https://docs.aws.amazon.com/connect/latest/adminguide/tag-based-access-control.html). If your instance was created after October 2018, this is available by default with your Amazon Connect instance. However, if you have an older instance, refer to [Use service-linked roles for Amazon Connect](https://docs.aws.amazon.com/connect/latest/adminguide/connect-slr.html) for instructions on how to enable service-linked roles.

## Best practices for applying tag-based access controls

Applying tag-based access controls is an advanced configuration feature that is supported by Amazon Connect and that follows the AWS shared responsibility model. It is important to ensure that you are correctly configuring your instance to comply with your desired authorization needs. For more information, review the [AWS shared responsibilities model](https://aws.amazon.com/compliance/shared-responsibility-model/).

Ensure that you have enabled at least *view* permissions for the resources that you enable tag-based access control for. This will ensure that you avoid permission inconsistencies that result in denied access requests.

Tag-based access controls are enabled at the resource level, which means that each resource can be restricted independently. In certain use cases this may be acceptable, but it is considered best practice to enable tag-based access controls on all resources together. For example, restricting access to users but not to security profiles would allow a user to create a security profile with privileges that supersede your intended user access control settings.

When logged in to the Amazon Connect console with tag-based access controls applied, users will not be able to access historical change logs for the resources that they are restricted on.

As a best practice, you should disable access to the following resources/modules when applying tag-based access controls within the Amazon Connect console. If you do not disable access to these resources, users with tag-based access controls on a particular resource who view these pages may see an unrestricted list of users, security profiles, routing profiles, queues, flows, or flow modules. For more information on how to manage permissions, see [List of security profile permissions in Amazon Connect](security-profile-list.md).


| Modules | Permission to disable access | 
| --- | --- | 
| Contact search | Contact Search | 
| Dashboard | Access metrics | 
| Flows | Flows - View | 
| Flow modules | Flow modules - View | 
| Forecasting | Forecasting | 
| Historical changes/Audit portal | Access metrics | 
| Hours of operation | Hours of operation - View | 
| Login/Logout report | Login/Logout report - View | 
| Outbound Campaign | Campaigns - View | 
| Prompts | Prompts - View | 
| Quick connect | Quick connects - View | 
| Rules | Rules - View | 
| Saved reports | Saved reports - View | 
| Scheduling | Schedule manager | 
| Scheduling | Published schedule calendar | 

# Apply hierarchy-based access control in Amazon Connect

You can restrict access to contacts based on the agent hierarchy assigned to a user. You do this by using security profile permissions such as [Restrict contact access](contact-search.md#required-permissions-search-contacts). In addition to these permissions, you can also use hierarchies to enforce granular access controls for resources such as users, and combine them with tags. 

This topic provides information about configuring hierarchy-based access controls.

**Topics**
+ [Overview](#hierarchy-based-access-control-background)
+ [Apply hierarchy-based access control using the API/SDK](#hierarchy-based-access-control-api-sdk)
+ [Apply hierarchy-based access control using the Amazon Connect admin website](#hierarchy-based-access-control-console)
+ [Configuration limitations](#hierarchy-based-access-control-config-limitations)
+ [Best practices for applying hierarchy-based access controls](#hierarchy-based-access-control-best-practices)

## Overview


Hierarchy-based access control enables you to configure granular access to specific resources based on the [agent hierarchy](agent-hierarchy.md) that is assigned to a user. You can configure hierarchy-based access controls by using the API/SDK or the Amazon Connect admin website. 

The only resource that supports hierarchy-based access control is users. This authorization model works together with [tag-based access control](tag-based-access-control.md), so you can restrict access to users such that they see only other users who belong to their same hierarchy group and who have specific tags associated with them.

**Note**  
After you apply hierarchy-based access control to users, they can access their hierarchy group and all of its descendants (beyond the child level).

## Apply hierarchy-based access control using the API/SDK


To use hierarchies to control access to resources within your AWS accounts, you need to provide the hierarchy's information in the condition element of an IAM policy. For example, to control access to a user belonging to a specific hierarchy, use the `connect:HierarchyGroupL3Id/hierarchyGroupId` condition key, along with a specific operator like `StringEquals` to specify which hierarchy group the user must belong to, in order to allow given actions for it. 

Following are the supported condition keys:

1. `connect:HierarchyGroupL1Id/hierarchyGroupId`

1. `connect:HierarchyGroupL2Id/hierarchyGroupId`

1. `connect:HierarchyGroupL3Id/hierarchyGroupId`

1. `connect:HierarchyGroupL4Id/hierarchyGroupId`

1. `connect:HierarchyGroupL5Id/hierarchyGroupId`

Each key represents the ID of a given hierarchy group in a specific level of the user's hierarchy structure.
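The policy statements this section and the tag-based API/SDK section above describe, as an added Python example written for this page (not AWS-provided code): a `StringEquals` condition on `aws:ResourceTag/<key>` for a Voice ID domain, and one on the hierarchy condition key spelled exactly as this page lists it. The actions, region, account id, instance id and hierarchy group id are placeholders.

```python
"""Policy documents that scope access the way this page describes: a
StringEquals condition on aws:ResourceTag/<key> (tag-based) and on the
connect:HierarchyGroupL<n>Id/hierarchyGroupId keys (hierarchy-based).
Added illustration for this page, not AWS-provided code."""
import json
from typing import Dict, Iterable, List

HIERARCHY_LEVELS = range(1, 6)  # the five level keys listed on this page, L1 to L5


def hierarchy_condition_key(level: int) -> str:
    """Condition key for one hierarchy level, spelled as this page lists it."""
    if level not in HIERARCHY_LEVELS:
        raise ValueError(f"hierarchy level must be between 1 and 5, got {level}")
    return f"connect:HierarchyGroupL{level}Id/hierarchyGroupId"


def tag_scoped_statement(actions: Iterable[str], resource_arn: str,
                         tag_key: str, tag_value: str,
                         sid: str = "AllowByResourceTag") -> Dict:
    """Allow the actions only on resources that carry the tag tag_key=tag_value."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": resource_arn,
        # aws:ResourceTag/<key> is compared against the tag on the resource being accessed.
        "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}},
    }


def hierarchy_scoped_statement(actions: Iterable[str], resource_arn: str, level: int,
                               hierarchy_group_id: str,
                               sid: str = "AllowByHierarchyGroup") -> Dict:
    """Allow the actions only for users whose level-<level> hierarchy group is hierarchy_group_id."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": resource_arn,
        "Condition": {"StringEquals": {hierarchy_condition_key(level): hierarchy_group_id}},
    }


def policy_document(statements: Iterable[Dict]) -> Dict:
    """Wrap statements in a complete IAM policy document."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def condition_keys(policy: Dict) -> List[str]:
    """Every condition key a policy relies on; useful when auditing that a policy is really scoped."""
    keys = []
    for statement in policy["Statement"]:
        for _operator, mapping in statement.get("Condition", {}).items():
            keys.extend(mapping.keys())
    return sorted(keys)


def example_policy() -> Dict:
    """Two scoped statements; all identifiers below are placeholders, not real resources."""
    voice_id = tag_scoped_statement(
        ["voiceid:DescribeDomain"],                                  # placeholder action
        "arn:aws:voiceid:us-east-1:111122223333:domain/*",           # placeholder ARN
        "Department", "Fraud")
    users = hierarchy_scoped_statement(
        ["connect:DescribeUser"],                                    # placeholder action
        "arn:aws:connect:us-east-1:111122223333:instance/INSTANCE-ID/user/*",
        3, "HIERARCHY-GROUP-ID")                                     # placeholder group id
    return policy_document([voice_id, users])


if __name__ == "__main__":
    print(json.dumps(example_policy(), indent=2))
```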

## Apply hierarchy-based access control using the Amazon Connect admin website


To use hierarchies to control access to resources in the Amazon Connect admin website, you configure the access control section within a given security profile. 

 For example, to enable granular access control for a given user based on the hierarchy they belong to, you configure the user as an access controlled resource. To do this, you have the following two options:

1. Enforce hierarchy-based access control based on **the user's hierarchy**

   This option ensures that the user being given access can only manage users that belong to their own hierarchy. For example, enabling this configuration for a given user enables them to manage other users that belong either to their hierarchy group or to a child hierarchy group. 

1. Enforce hierarchy-based access control based on **a specific hierarchy**

   This option ensures that the user being given access can only manage users that belong to the hierarchy defined in the security profile. For example, enabling this configuration for a given user enables them to manage other users that either belong to the hierarchy group specified in the security profile or a child hierarchy group.

## Configuration limitations


 Granular access control is configured on a security profile. Users can be assigned a maximum of two security profiles that enforce granular access control. In this case, the permissions become less restrictive and act as a union of both permission sets. 

For example, if one security profile enforces hierarchy-based access control and another one enforces tag-based access control, the user is able to manage any user that belongs to the same hierarchy or is tagged with the given tag. If both tag-based and hierarchy-based access control are configured as part of the same security profile, both conditions must be met. In this case, the user can only manage users that belong to the same hierarchy and who are tagged with the given tag. 

A user can have more than two security profiles, as long as those additional security profiles do not enforce granular access control. If multiple security profiles are present with overlapping resource permissions, the security profile without hierarchy-based access control is enforced over the one with hierarchy-based access control.

Service-linked roles are required in order to configure hierarchy-based access control. If your instance was created after October 2018, this is available by default with your Amazon Connect instance. However, if you have an older instance, refer to [Use service-linked roles for Amazon Connect](connect-slr.md) for instructions on how to enable service-linked roles.
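The combination rules stated in this section and in the tag-based "Configuration limitations" section above (every restriction within one profile must hold, access across a user's profiles is the union, a profile without restrictions overrides a restricted one, and hierarchy access includes all descendant groups), as an added Python model written for this page rather than Amazon Connect code. It assumes every profile grants the same view permission on users; the ids, tags and hierarchy group names are constructed.

```python
"""Model of how security-profile access control tags and hierarchy restrictions
combine, as described on this page. Added illustration, not Amazon Connect code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class SecurityProfile:
    """One assigned security profile (hypothetical model, not the Connect API object)."""
    name: str
    # Key:value access control tags configured under the profile's Access control section.
    # An empty dict means the profile has no tag-based restriction.
    access_control_tags: Dict[str, str] = field(default_factory=dict)
    # Hierarchy group the profile is restricted to: a specific group (option 2 on this
    # page) or the accessing user's own group (option 1). None = no hierarchy restriction.
    hierarchy_group_id: Optional[str] = None


@dataclass(frozen=True)
class ConnectUser:
    """A user resource being viewed, with its resource tags and hierarchy path."""
    user_id: str
    resource_tags: Dict[str, str] = field(default_factory=dict)
    # Group ids from level 1 down to the group the user belongs to (constructed ids).
    hierarchy_path: Tuple[str, ...] = ()


MAX_ACCESS_CONTROL_TAGS = 4  # per security profile, as stated on this page


def validate_profile(profile: SecurityProfile) -> None:
    """Reject a profile that exceeds the per-profile access control tag limit."""
    if len(profile.access_control_tags) > MAX_ACCESS_CONTROL_TAGS:
        raise ValueError(f"{profile.name}: {len(profile.access_control_tags)} access "
                         f"control tags configured, maximum is {MAX_ACCESS_CONTROL_TAGS}")


def profile_allows(profile: SecurityProfile, user: ConnectUser) -> bool:
    """Within one profile every configured restriction must hold (AND)."""
    validate_profile(profile)
    # Every access control tag must be present on the resource with an identical value.
    for key, value in profile.access_control_tags.items():
        if user.resource_tags.get(key) != value:
            return False
    # A hierarchy restriction covers the group and all of its descendants, so it holds
    # whenever the group appears anywhere on the user's path.
    if profile.hierarchy_group_id is not None \
            and profile.hierarchy_group_id not in user.hierarchy_path:
        return False
    # Nothing unsatisfied: a profile with no restrictions reaches here for every user,
    # which is how an unrestricted profile is enforced over a restricted one.
    return True


def can_access(profiles: Sequence[SecurityProfile], user: ConnectUser) -> bool:
    """Across the profiles assigned to a user, access is the union (OR)."""
    return any(profile_allows(p, user) for p in profiles)


def visible_user_ids(profiles: Sequence[SecurityProfile],
                     users: Sequence[ConnectUser]) -> List[str]:
    """Sorted ids of the users a person holding these profiles can see."""
    return sorted(u.user_id for u in users if can_access(profiles, u))


# Constructed sample directory; ids, tags and group names are made up for this example.
SAMPLE_USERS = (
    ConnectUser("u-usa-sales", {"Country": "USA", "Department": "Sales"}, ("L1-AMER", "L2-US")),
    ConnectUser("u-usa-support", {"Country": "USA", "Department": "Support"}, ("L1-AMER", "L2-US")),
    ConnectUser("u-arg-sales", {"Country": "Argentina", "Department": "Sales"}, ("L1-AMER", "L2-AR")),
    ConnectUser("u-uk-billing", {"Country": "UK", "Department": "Billing"},
                ("L1-EMEA", "L2-UK", "L3-UK-Billing")),
    ConnectUser("u-uk-manager", {"Country": "UK", "Department": "Management"}, ("L1-EMEA", "L2-UK")),
)

USA_ONLY = SecurityProfile("USA-Agents", {"Country": "USA"})
ARG_ONLY = SecurityProfile("AR-Agents", {"Country": "Argentina"})
USA_SALES = SecurityProfile("USA-Sales", {"Country": "USA", "Department": "Sales"})  # two tags: AND
UK_TREE = SecurityProfile("UK-Supervisors", hierarchy_group_id="L2-UK")               # group + descendants
UK_BILLING_TAGGED = SecurityProfile("UK-Billing-Leads", {"Department": "Billing"}, "L2-UK")  # both needed
UNRESTRICTED = SecurityProfile("Admin")                                               # no restriction


if __name__ == "__main__":
    print("USA or Argentina profiles:", visible_user_ids([USA_ONLY, ARG_ONLY], SAMPLE_USERS))
    print("USA and Sales tags:        ", visible_user_ids([USA_SALES], SAMPLE_USERS))
    print("UK hierarchy:              ", visible_user_ids([UK_TREE], SAMPLE_USERS))
    print("UK hierarchy + Billing tag:", visible_user_ids([UK_BILLING_TAGGED], SAMPLE_USERS))
    print("tagged plus untagged:      ", visible_user_ids([USA_ONLY, UNRESTRICTED], SAMPLE_USERS))
```

The last line of output is the case the page warns about: adding one profile without access control tags makes every user visible, regardless of the tagged profile.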

## Best practices for applying hierarchy-based access controls

+ Review the [AWS shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/).

  Applying hierarchy-based access control is an advanced configuration feature that is supported by Amazon Connect and that follows the AWS shared responsibility model. It is important to ensure that you are correctly configuring your instance to comply with your desired authorization needs. 
+ Ensure that you have enabled at least *view* permissions for the resources that you enable hierarchy-based access control for. 

  This will ensure that you avoid permission inconsistencies that result in denied access requests. Hierarchy-based access controls are enabled at the resource level, which means that each resource can be restricted independently.
+ Carefully review the permissions that are granted when hierarchy-based access control is enforced.

  For example, enabling hierarchy-restricted access to users together with view/edit permissions on security profiles would allow a user to create or update a security profile with privileges that supersede the intended user access control settings.
  + When logged in to the Amazon Connect console with hierarchy-based access controls applied, users will not be able to access historical change logs for the resources that they are restricted on. 
  +  When trying to assign a child resource to a parent resource with hierarchy-based access control on the child resource, the operation will be denied if the child resource does not belong to your hierarchy. 

    For example, if you try to assign a user to a quick connect but you don't have access to the user's hierarchy, the operation fails. This is, however, not true for disassociations. You are able to disassociate a user freely even with hierarchy-based access control enforced, assuming you have access to the quick connect. This is because a disassociation discards an existing relation between two resources (as opposed to creating a new one) and is modeled as part of the parent resource (in this case, the quick connect), which the user already has access to. 
+ Be thoughtful about the permissions granted on parent resources since users could be disassociated without their supervisor’s knowledge.
+ Disable access to the following functionality when you apply hierarchy-based access controls in the Amazon Connect admin website.     
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/connect/latest/adminguide/hierarchy-based-access-control.html)

  If you do not disable access to these resources, users with hierarchy-based access controls on a particular resource who view these pages in the Amazon Connect admin website may see an unrestricted list of users. For more information about how to manage permissions, see [List of security profile permissions](security-profile-list.md).