AWS Chatbot is now Amazon Q Developer. [Learn more](service-rename.md)
# Amazon Q Developer in chat applications organization policies
Organization administrators can manage multiple Amazon Q Developer in chat applications settings across all accounts within an organization using Amazon Q Developer in chat applications chat applications policies (chat applications policies). Chat applications policies define where Amazon Q Developer in chat applications can deliver notifications and if it can respond to Amazon Q Developer in chat applications mention events. Using chat applications policies, administrators can:
+ Enforce which chat platforms can be used across your organization (Amazon Chime, Microsoft Teams, and Slack)
+ Restrict chat client access to specific workspaces and teams.
+ Restrict Slack channel visibility to either public or private channels.
+ Set and enforce specific role settings.
Chat applications policies restrict and take precedence over account level settings like [role settings](understanding-permissions.md#role-settings) and [Channel guardrail policies](understanding-permissions.md#channel-guardrails). Administrators can define rules in a policy and apply those rules to an entire organization or a group of accounts, referred to as OUs. For more information, see [Managing organizational units](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) in the *AWS Organizations User Guide*. You can access and modify these policies from the Amazon Q Developer in chat applications console or the AWS Organizations console. For more information about organization policies, see [Managing policies in AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html) *AWS Organizations User Guide*.
If your users try to perform an action restricted by your chat applications policy, they are informed via error message that they are disallowed due to the policy and we recommend that they contact their organization administrator.
**Note**
Amazon Q Developer in chat applications organization policies are validated at runtime, so existing resources are continuously checked for compliance. There is no overlap with existing IAM permissions as there aren’t currently any runtime-based IAM permissions for sending notifications or interacting with Amazon Q Developer in chat applications.
**Note**
Chat application policies are limited to AWS account access to Amazon Q Developer in chat applications. These policies don't manage Amazon Q Business access from chat applications.
**Topics**
+ [
## Example Amazon Q Developer in chat applications organization policy
](#example-org-policy)
+ [
## Enabling chat applications policies
](#enable-org-pol)
+ [
## Disabling chat applications policies
](#disable-org-pol)
+ [
# Tutorial: Creating chat applications policies in Amazon Q Developer in chat applications
](org-policy-tutorial.md)
+ [
# Editing chat applications policies in Amazon Q Developer in chat applications
](edit-org-pol.md)
+ [
# Deleting chat applications policies in Amazon Q Developer in chat applications
](delete-org-pol.md)
## Example Amazon Q Developer in chat applications organization policy
The following policy allows restricted Amazon Q Developer in chat applications access for selected Slack workspaces and a Microsoft Teams tenant.
```
{
"chatbot":{
"platforms":{
"slack":{
"client":{
"@@assign":"enabled"
},
"workspaces": { // limit 255
"@@assign":[
"Slack-Workspace-Id1",
"Slack-Workspace-Id2"
]
},
"default":{
"supported_channel_types":{
"@@assign":[
"private"
]
},
"supported_role_settings":{
"@@assign":[
"user_role"
]
}
},
"overrides":{ // limit 255
"Slack-Workspace-Id2":{
"supported_channel_types":{
"@@assign":[
"public",
"private"
]
},
"supported_role_settings":{
"@@assign":[
"channel_role",
"user_role"
]
}
}
}
},
"microsoft_teams":{
"client":{
"@@assign":"enabled"
},
"tenants":{ // limit 36
"Microsoft-Teams-Tenant-Id":{ // limit 36
"@@assign":[
"Microsoft-Teams-Team-Id"
]
}
},
"default":{
"supported_role_settings":{
"@@assign":[
"user_role"
]
}
},
"overrides":{ // limit 36
"Microsoft-Teams-Tenant-Id":{
"Microsoft-Teams-Team-Id":{
"supported_role_settings":{
"@@assign":[
"channel_role",
"user_role"
]
}
}
}
}
}
},
"default":{
"client":{
"@@assign":"disabled"
}
}
}
}
```
**For Slack**
+ The Slack client is enabled.
+ The allowed Slack workspaces are *Slack-Workspace-Id1* and *Slack-Workspace-Id2*.
+ The default settings for Slack are to only allow private channels and User level IAM roles.
+ There is an override for the workspace *Slack-Workspace-Id2* that allows both public and private channels as well as both Channel level IAM roles and User level IAM roles.
**For Microsoft Team**
+ The Microsoft Teams is enabled.
+ The allowed Teams tenants are *Microsoft-Teams-Tenant-Id* with the team *Microsoft-Teams-Team-Id*.
+ The default settings are to only allow User level IAM roles.
+ There is an override for the tenant *Microsoft-Teams-Tenant-Id* that allows both Channel level IAM roles and User level IAM roles for the team *Microsoft-Teams-Team-Id*.
**Additional details**
+ The `default` block at the bottom sets the client to be disabled, which disables Amazon Q Developer in chat applications across the organization unless overridden at a lower level. This means Amazon Chime is disabled in this example. This default also disables any new chat platform that Amazon Q Developer in chat applications supports. For example, if Amazon Q Developer in chat applications supports a new chat platform, this default disables that newly supported chat platform as well.
## Enabling chat applications policies
Before you can create chat applications policies, you must first enable them using the AWS Organizations console. For more information, see [Enabling a policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html#enable-policy-type) in the *AWS Organizations User Guide*.
## Disabling chat applications policies
If you no longer want to use chat applications policies in your organization, you can disable them to prevent accidental use. For more information, see [Disabling a policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html#disable-policy-type) in the *AWS Organizations User Guide*.
# Tutorial: Creating chat applications policies in Amazon Q Developer in chat applications
In this tutorial, you use the Amazon Q Developer in chat applications console to create a chat applications policy that:
+ Restricts chat client access to Slack
+ Specifies usable Slack workspaces
+ Restricts usage to private channels
+ Requires user-level roles
Subsequently, all Amazon Q Developer in chat applications configurations in your organization must adhere to these specifications.
**Topics**
+ [
## Prerequisites
](#org-policy-tutorial-prq)
+ [
## Step 1: Create a new chat applications policy
](#org-policy-tutorial-s1)
+ [
## (Optional) Step 2: Testing your chat applications policy
](#org-policy-tutorial-s2)
## Prerequisites
You must have already created an organization using AWS Organizations. For more information, see [Managing an organization with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org.html) in the *AWS Organizations User Guide*.
## Step 1: Create a new chat applications policy
**To create a new chat applications policy**
1. Open the Amazon Q Developer in chat applications console at [https://console.aws.amazon.com/chatbot/](https://console.aws.amazon.com/chatbot/).
1. In the left sidebar menu, choose **Organization settings**.
1. Choose **Chat applications policies**.
1. Choose **Create chat applications policies**.
1.
1.
**Enable Amazon Q Developer in chat applications Orgs policies:**
**Note**
Before you can create and attach a policy to your organization, you must enable that policy type for use. This is a one-time task on the organization root. You can enable a policy type from only the organization’s management account. For more information, see [Enabling and disabling policy types](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html) in the *AWS Organizations User Guide*.
On the Chat applications policies page, choose **Enable**.
1.
1.
**Enter your policy **Details**:**
Enter a policy name.
1. (Optional) Enter a policy description.
1. (Optional) Add tags.
1.
1.
**Configure chat client access:**
In **Set Amazon Chime chat client access**, choose **Deny Chime access**.
1. In **Set Microsoft Teams client access**, choose **Deny access to all Teams**.
1. In **Set Slack chat client access**, choose **Restrict access to named Slack workspaces**:
1. Enter a Slack workspace ID.
**Tip**
You can find your workspace ID in the Amazon Q Developer in chat applications console by choosing the configured client in the left sidebar and looking under **Workspace details**.
1. (Optional) Choose **Add new workspace ID** to add another Slack workspace.
1. Choose **Add**.
1. Select **Enable usage to only private Slack channels**.
1.
1.
**Set IAM permission types:**
Select **Enable User level IAM role**.
1. Choose **Create policy**.
## (Optional) Step 2: Testing your chat applications policy
If you already have an Amazon Q Developer in chat applications configuration, you can sign in as a user in any of your member accounts and try to perform any of the following actions:
+ Create an Amazon Q Developer in chat applications configuration for Microsoft Teams
+ Create a Slack Amazon Q Developer in chat applications configuration for a workspace you didn't specify in your policy
+ Create a Slack Amazon Q Developer in chat applications configuration that uses a channel role
When you try to perform these actions, you should receive an error message that explains why you’re disallowed.
# Editing chat applications policies in Amazon Q Developer in chat applications
If you need to make changes to your chat applications policy, you can edit it.
**To edit chat applications policies**
1. Sign in to the Amazon Q Developer in chat applications console;
1. In the left sidebar meny, choose **Organization settings**.
1. Choose **Chat applications Policies**.
1. Select the name of the policy.
1. Choose **Edit policy**.
1. Make your edits.
1. Choose **Save changes**.
# Deleting chat applications policies in Amazon Q Developer in chat applications
If you no longer need a Chat applications policy, you can delete it.
**To delete chat applications policies**
1. Sign in to the Amazon Q Developer in chat applications console;
1. In the left sidebar meny, choose **Organization settings**.
1. Choose **Chat applications Policies**.
1. Select the name of the policy.
1. Choose **Delete policy**.
1. Confirm your deletion by entering the policy name.
1. Choose **Delete**.