

After careful consideration, we decided to end support for Amazon FinSpace, effective October 7, 2026. Amazon FinSpace will no longer accept new customers beginning October 7, 2025. As an existing customer with an Amazon FinSpace environment created before October 7, 2025, you can continue to use the service as normal. After October 7, 2026, you will no longer be able to use Amazon FinSpace. For more information, see [Amazon FinSpace end of support](https://docs.aws.amazon.com/finspace/latest/userguide/amazon-finspace-end-of-support.html). 

# Identity and access management in Amazon FinSpace

This section explains the identity management and authentication for Amazon FinSpace Managed kdb and Dataset browser.

## Identity management for Managed kdb


Amazon FinSpace Managed kdb uses AWS Identity and Access Management (IAM) policies to restrict access to operations.

Whenever you use IAM policies, ensure that you follow IAM best practices. For more information, see [Security best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPracticesAndUseCases.html) in the *IAM User Guide*.

## Identity management for Dataset browser


**Important**  
Amazon FinSpace Dataset Browser will be discontinued on *March 26, 2025*. Starting *November 29, 2023*, FinSpace will no longer accept the creation of new Dataset Browser environments. Customers using [Amazon FinSpace with Managed Kdb Insights](https://aws.amazon.com/finspace/features/managed-kdb-insights/) will not be affected. For more information, review the [FAQ](https://aws.amazon.com/finspace/faqs/) or contact [AWS Support](https://aws.amazon.com/contact-us/) to assist with your transition.

Amazon FinSpace Dataset browser supports two methods for identity management and authentication. A FinSpace dataset browser environment can be created with either of the following methods.

1.  **Email and password** – FinSpace access is controlled through users that are created and managed within the FinSpace application. With the email and password based authentication method, users sign in to FinSpace with their email address and password. An environment created with the email and password based authentication method cannot be changed to the SSO based authentication method later. Learn more about [Managing user access with email and password](managing-user-email-pwd.md).

1.  **Single Sign-On (SSO)** – FinSpace access is controlled through your organization's identity provider (IdP). With this authentication method, users are redirected to the SSO login page of their Security Assertion Markup Language 2.0 (SAML 2.0) compliant IdP to authenticate their access to FinSpace. An environment created with the SSO based authentication method cannot be changed to the email and password based authentication method later. Learn more about [creating and managing users with SAML based SSO](managing-user-sso.md).

**Topics**
+ [Identity management for Managed kdb](#identity-management-kdb)
+ [Identity management for Dataset browser](#identity-management-dataset-browser)
+ [Setting up SAML based single sign-on (SSO) with Amazon FinSpace](saml-sso.md)
+ [Managing user access in Amazon FinSpace](managing-user-access.md)
+ [AWS managed policies for Amazon FinSpace](security-iam-awsmanpol.md)
+ [Using service-linked roles for FinSpace](using-service-linked-roles.md)

# Setting up SAML based single sign-on (SSO) with Amazon FinSpace

When you use SAML based SSO, you can manage users with your enterprise identity provider (IdP). You can use any third-party identity provider that supports Security Assertion Markup Language 2.0 (SAML 2.0) to provide a simple onboarding flow for your Amazon FinSpace users. Such identity providers include Microsoft Windows Active Directory Federation Services and Okta, among others.

With SSO, your users get one-click access to their FinSpace applications using their existing identity credentials. You also have the security benefit of identity authentication by your identity provider. You can control which users have access to FinSpace using your existing identity provider.

**Topics**
+ [Tutorial: Setup an Identity Provider with your Amazon FinSpace environment](setup-idp-finspace.md)
+ [Tutorial: Creating an Amazon FinSpace environment with Okta SSO](tutorial-idp-okta-sso.md)
+ [Tutorial: Creating an Amazon FinSpace environment with IAM Identity Center](tutorial-idp-aws-sso.md)
+ [Tutorial: Creating an Amazon FinSpace environment with AD FS](tutorial-idp-ADFS-sso.md)

# Tutorial: Setup an Identity Provider with your Amazon FinSpace environment

You can integrate any SAML 2.0 compliant IdP when creating a new Amazon FinSpace environment.

## Prerequisites


Before creating a FinSpace environment with SAML based SSO, do the following:

Inside your organization's network, configure your identity store, such as Windows Active Directory, to work with a SAML-based IdP. SAML based IdPs include Microsoft Windows Active Directory Federation Services, Okta, and so on.

## Step 1: Generate a SAML metadata document


Using your IdP, generate a metadata document that describes your organization as an identity provider. You will need the metadata document or the URL to the metadata document when creating the FinSpace environment.

## Step 2: Determine the SAML attribute for email


Determine the SAML attribute name that contains the email address in the SAML assertion. Email address is required to identify the user in FinSpace. For example, `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`. Check your IdP documentation for details. You will need the SAML attribute when creating the FinSpace environment.

## Step 3: Create a FinSpace environment


Create a [FinSpace environment](create-an-amazon-finspace-environment.md). Once the FinSpace environment is ready, copy and save the **Redirect / Sign-in url** and **URN** from the Summary section of the environment page. You will need these two values to configure the IdP.

## Step 4: Create an application for FinSpace in your IdP


Once the environment is created, add an application for FinSpace in your IdP and use the **Redirect / Sign-in url** and **URN** where appropriate.

## Step 5: Assign users to the newly created FinSpace application in your IdP


Once the application is added, assign users to the application in the IdP. At least one assigned user is required, because that user is created as the superuser in FinSpace.

## Step 6: Create a superuser in your FinSpace environment


**Note**  
To create a FinSpace environment, you must be a user with the **AdministratorAccess** role or the FinSpace policy.

Now that the users are assigned to your FinSpace application in your IdP, create a superuser.

After your FinSpace environment is created, you must create a first superuser in order to add additional users and configure permission groups from within the FinSpace web application. A superuser has all permissions to take all actions in FinSpace. The first superuser must be created in the AWS console. After the superuser is created, the superuser signs in to the FinSpace web application for the first time.

**To create a superuser**

1. Sign in to your AWS account in which the FinSpace environment was created and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing). Your AWS account number is displayed for verification purposes.

1. Choose **Environments** and select the FinSpace environment for which a superuser will be created.

1. Under **Superusers**, choose **Add Superuser**.

1. On **Specify Superuser details** page, enter the **Email address**, **First name**, and **Last name**.

1. Choose **Next**.

1. On the next page, review the superuser details.

1. Choose **Create and view credentials** to get a temporary password.
**Note**  
If you have created an environment with SSO, you will not get a temporary password as you will be authenticated with your IdP.

1. On the **View Credentials** page, view and copy the superuser security credentials. You also get a welcome message which you can use to email users instructions for signing into FinSpace.

   Share these credentials with the person designated as the superuser. The credentials are necessary to sign in to your FinSpace web application. The **Environment domain** is the sign-in url for your FinSpace web application.
**Note**  
This is the last time these credentials will be available to be copied. However, you can create new credentials at any time.

You have successfully created a FinSpace environment configured with your SAML 2.0 IdP. Learn more about [managing users in SSO](managing-user-sso.md) and [permissions](managing-user-permissions.md).
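The values the steps above have you copy between FinSpace and the IdP (the email attribute name, the **Redirect / Sign-in url** and the **URN**) are exactly what the IdP's SAML Response must carry back, so a quick way to troubleshoot a failing sign-in is to inspect one response from your own IdP. The following Python script is an added example, not part of this guide or of FinSpace: it parses a captured SAML Response and compares its Destination, Recipient, Audience and email attribute with the environment's values; the URLs, URN, IdP and user in it are constructed placeholders, it checks configuration only (not the XML signature), and the same check applies to the Okta, IAM Identity Center and AD FS tutorials that follow.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values you would copy from the environment's Summary section. These are
# constructed placeholders, not a real FinSpace environment.
SIGN_IN_URL = "https://placeholder-env.finspace.example/saml2/idpresponse"
URN = "urn:amazon:sp:placeholder-environment-id"
# The email attribute name from Step 2 of the tutorial.
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# A constructed, unsigned SAML Response in the shape an IdP posts back to the
# Redirect / Sign-in URL. A real response from your IdP also carries a Signature.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{SIGN_IN_URL}">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SIGN_IN_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{URN}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_ATTR}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def decode_saml_response(saml_response_b64: str) -> str:
    """Decode the base64 SAMLResponse form field, as posted by the browser, into XML text."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def check_saml_response(xml_text: str, sign_in_url: str, urn: str, email_attr: str) -> dict:
    """Compare one SAML Response with the environment's expected values.

    Returns named boolean checks, the email and NameID found, and an overall
    'all_ok'. Signature validity is not checked here; this is a configuration
    check for responses captured from your own IdP, not a replacement for the
    service provider's validation.
    """
    root = ET.fromstring(xml_text)
    findings = {
        "assertion_present": False,
        # Destination must be the Redirect / Sign-in URL.
        "destination_matches": root.get("Destination") == sign_in_url,
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings["all_ok"] = False
        return findings
    findings["assertion_present"] = True

    # Recipient must also be the Redirect / Sign-in URL (Okta's "Use this for
    # Recipient URL and Destination URL" check box sets both).
    data = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    findings["recipient_matches"] = data is not None and data.get("Recipient") == sign_in_url

    # Audience must be the environment URN (Audience URI / SAML audience / relying party identifier).
    audiences = [a.text for a in assertion.iterfind("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    findings["audience_matches"] = urn in audiences

    # The email must be present under exactly the attribute name configured in FinSpace.
    email = None
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == email_attr:
            value = attr.find("saml:AttributeValue", NS)
            email = value.text.strip() if value is not None and value.text else None
    findings["email_attribute_present"] = bool(email)
    findings["email"] = email

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    findings["name_id"] = name_id.text.strip() if name_id is not None and name_id.text else None

    findings["all_ok"] = all(v for v in findings.values() if isinstance(v, bool))
    return findings


def run_sample() -> dict:
    """Round-trip the constructed response through base64, as a browser would post it."""
    posted = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")
    return check_saml_response(decode_saml_response(posted), SIGN_IN_URL, URN, EMAIL_ATTR)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

To use it on a real sign-in, paste the SAMLResponse value from the POST to your Redirect / Sign-in URL into `decode_saml_response` and replace the placeholders with your environment's values; a `False` in `email_attribute_present` usually means the IdP sends the email under a different attribute name than the one entered in **Attribute mapping**.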

# Tutorial: Creating an Amazon FinSpace environment with Okta SSO

The following tutorial walks you through how an Amazon FinSpace environment can be created using Okta as an identity provider (IdP).

## Prerequisites


Ensure that a user exists in Okta for each person who will need access to FinSpace. When creating users, make sure to include an email address for each user. Email addresses are required to connect the users in Okta with their corresponding users in FinSpace.

## Step 1: Creating an Okta application


**Note**  
You need to have administrator privileges in Okta for this tutorial.

**To create an Okta application**

1. Sign in to your Okta admin dashboard.

   If you don't have an account, you can create a free [Okta developer edition](https://developer.okta.com/quickstart/) account.

1. Choose **Applications**.

1. Choose **Add Application**.

1. Choose **Create New App**.

1. On the **Create New Application Integration** page, for **Platform** select **Web** from the drop down menu.

1. For **Sign in method**, choose **SAML 2.0** and then choose **Create**.

1. Specify an **App name**. For example, `FinSpace`.

1. Choose **Next**.

1. For the **Single sign on URL**, use `http://placeholder.okta.com`.
**Note**  
This is just a placeholder URL to generate the SAML metadata document. You will get the actual single sign-on URL once the FinSpace environment is created.  
![A screenshot of the SAML settings page.](http://docs.aws.amazon.com/finspace/latest/userguide/images/09-security/finspace-security-23177.png)

1. For **Audience URI (SP Entity ID)**, enter `placeholder`.
**Note**  
This is just a placeholder Uniform Resource Name (URN) to generate the SAML metadata document. You will get the actual URN once the FinSpace environment is created.

1. Under **ATTRIBUTE STATEMENTS** section, enter the following:

   1. **Name** – `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` 

   1. **Value** – `user.email`

1. Choose **Next**.

1. Choose **I'm an Okta customer adding an internal app**.

1. Choose **Finish**.

1. Choose **Identity Provider metadata** and then choose **Copy Link Address**.

1. Save the link to a notepad. You can also choose to save SAML metadata document instead of the link.

Now that you have the SAML metadata document or its URL, let's create a FinSpace environment.

## Step 2: Creating a FinSpace environment


**To create a FinSpace environment**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose **Create Environment**.

1. Enter a name for your FinSpace environment under **Environment name**. For example, enter `finspace-saml-okta`.

1. (Optional) Add **Environment description**.

1. Select an existing or create a new KMS key to encrypt data in your FinSpace environment. For more information, see [Managing keys](https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html).

1. For **Authentication method**, select **Single Sign On (SSO)**.

1. Enter your **Identity provider name**. For example, `Okta`.

1. For **Metadata document URL**, select **Provide a metadata document URL** and then paste the SAML metadata document URL in the text box.

1. For **Attribute mapping**, enter the attribute you set for email in Okta. Since you set the email attribute to `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`, enter the same value in this field.

1. Under **Initial Superuser**, enter the details to setup the first superuser.

1. Choose **Create Environment**. The environment creation process starts and it will take 50-60 minutes to finish in the background. You can return to other activities while the environment is being created.

1. After the FinSpace environment is ready, copy and save the **Redirect / Sign-in URL** and **URN**.

Your FinSpace environment is now created. Next, finish the configuration in Okta.

## Step 3: Finish application configuration in Okta


Finish configuration of your FinSpace Okta app with the **Redirect / Sign-in URL** and **URN**.

1. Sign in to your Okta console.

1. Choose **Admin** on the top-right corner.

1. From the top bar menu bar, choose **Applications**.

1. Choose the **FinSpace** app that you set up with placeholders.

1. Under the **General** tab, scroll to **General Settings** and choose **Edit** on SAML settings.

1. Choose **Next**.

1. For **Single Sign On URL**, paste the copied **Redirect / Sign-in URL** from FinSpace environment.

1. Select the **Use this for Recipient URL and Destination URL** check box.

1. For **Audience URI (SP Entity ID)**, enter the copied **URN** from the FinSpace environment.  
![A screenshot that shows the General tab in the SAML settings page.](http://docs.aws.amazon.com/finspace/latest/userguide/images/09-security/finspace-security-9d00f.png)

1. Choose **Next**.

1. Choose **Finish**.

## Step 4: Assign user to the FinSpace application in Okta


Now that the application is set up, assign at least one user to the FinSpace app in Okta. That user can then be created as a superuser for FinSpace.

**To assign user to the FinSpace application in Okta**

1. Sign in to your Okta console.

1. Choose **Admin** on the top-right corner.

1. From the top bar menu bar, choose **Applications**.

1. Choose the **FinSpace** app.

1. Choose the **Assignments** tab.

1. Choose the **Assign** drop down menu. A list of users appears.

1. Choose **Assign next** for the user that you want to designate as the superuser in FinSpace. You may add multiple users at this point too.

1. Choose **Save and Go back**.

## Step 5: Create superuser in your FinSpace environment


Now that a user is assigned, they can be created as a superuser in FinSpace.

**To create a superuser**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose `finspace-saml-okta` from the list of environments.

1. Under **Superusers**, choose **Add Superuser**.

1. On **Specify Superuser details** page, enter the email that was used when assigning the user in Okta.

1. Enter the **First name** and the **Last name**.

1. Choose **Create and view credentials**. You will not receive a password, because you will use the Okta IdP credentials for authentication.

## Step 6: Sign in to FinSpace with Okta IdP credentials


**To sign in with Okta IdP credentials**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose `finspace-saml-okta` from the list of environments.

1. Copy the link under **Environment domain** and paste it in your web browser.

   You will be redirected to your Okta IdP authentication page.

1. Enter your SSO credentials to sign in to FinSpace.

# Tutorial: Creating an Amazon FinSpace environment with IAM Identity Center

The following tutorial walks you through how a FinSpace environment can be created using AWS IAM Identity Center as an identity provider (IdP).

## Prerequisites


Ensure that a user exists in IAM Identity Center for each person who will need access to FinSpace. When creating users, make sure to include an email address for each user. Email addresses are required to connect the users in IAM Identity Center with their corresponding users in FinSpace.

## Step 1: Creating an application in IAM Identity Center


**Note**  
You need to have appropriate privileges in IAM Identity Center to create a SAML application.

**To create an application in IAM Identity Center**

1. Sign in to AWS Management Console, and open IAM Identity Center.

1. Choose **Settings**.

1. For **Identity source**, choose **IAM Identity Center**.

1. From the left menu, choose **Applications**.

1. Choose **Add application**.

1. Choose **Add a custom SAML 2.0 application**.

1. Choose **Next**.

1. On the **Configure application** page, specify a display name for the application. For example, you can use `FinSpace-SAML-application`.

1. (Optional) Add a description.

1. Copy and save the URL for **IAM Identity Center SAML metadata file** or download it. You will need it when you create a FinSpace environment.

1. For **Application metadata**, choose **Manually type your metadata values**.

1. For **Application ACS URL**, enter `https://finspace.com/saml2/idpresponse`. For **Application SAML audience**, enter `urn:amazon:sp:*`.
**Note**  
These are sample values. Return to application configuration and replace these fields with the actual values after you create an environment. 

1. Choose **Submit**. The page for newly created application opens.

1. On the application page, choose **Actions** and then choose **Edit attribute mappings**.

1. On the attribute mappings page, enter the attribute mapping values as shown in the following screenshot.  
![A screenshot that shows the attribute mappings.](http://docs.aws.amazon.com/finspace/latest/userguide/images/09-security/finspace-security-attribute-mapping.png)

1. Choose **Save changes**.

Now that you have the SAML metadata document or its URL, create a FinSpace environment next.

## Step 2: Creating a FinSpace environment


**To create a FinSpace environment**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose **Create Environment**.

1. Enter a name for your FinSpace environment under **Environment name**. For example, enter `finspace-saml-aws-sso`.

1. (Optional) Add **Environment description**.

1. Select an existing or create a new KMS key to encrypt data in your FinSpace environment. For more information, see [Managing keys](https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html).

1. For **Authentication method**, select **Single Sign On (SSO)**.

1. Enter your **Identity provider name**. For example, **IAM Identity Center**.

1. For **Metadata document URL**, choose **Provide a metadata document URL** and then paste the SAML metadata document URL in the text box. This is the same URL that you copied when [creating an application](#metadata-url).

1. For **Attribute mapping**, enter the attribute you set for email in IAM Identity Center. Since you set the attribute to `Email` in IAM Identity Center, enter the same value here.

1. Choose **Create Environment**. The environment creation process starts and it will take 50-60 minutes to finish in the background. You can return to other activities while the environment is being created.

1. After the FinSpace environment is ready, copy and save the **Redirect / Sign-in URL** and **URN**.

## Step 3: Finish application configuration in IAM Identity Center


Finish configuration of IAM Identity Center app with the **Redirect / Sign-in URL** and **URN**.

1. Sign in to AWS Management Console, and open IAM Identity Center.

1. Choose **Applications**.

1. Choose **FinSpace-SAML-application** that you created in step 1 of this tutorial.

1. On the application details page, choose **Actions** and then choose **Edit configuration**.

1. In the **Application metadata** section, paste the following values that you copied in step 2 of this tutorial.

   1. For **Application ACS URL**, paste the **Redirect / Sign-in URL**.

   1. For **Application SAML audience**, paste the **URN**.

1. Choose **Submit**.

## Step 4: Assign user to the FinSpace application in IAM Identity Center


After setting up the application, assign at least one user to it in IAM Identity Center. You can create this user as a superuser for FinSpace.

**To assign a user**

1. Sign in to AWS Management Console, and open IAM Identity Center.

1. Choose **Applications**.

1. Choose the `FinSpace-SAML-application` application.

1. Choose **Assign Users**.

1. From the list of users, choose and assign users to the application.

## Step 5: Create superuser in your FinSpace environment


After assigning a user, you can create them as a superuser in FinSpace.

**To create a superuser**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose `finspace-saml-aws-sso` from the list of environments.

1. Under **Superusers**, choose **Add Superuser**.

1. On the **Specify Superuser details** page, enter the email that was used when assigning the user in IAM Identity Center.

1. Enter the **First name** and the **Last name**.

1. Choose **Next**.

1. Review the details and choose **Create and view credentials**. You will not receive a password as you will use the IAM Identity Center credentials for authentication.

## Step 6: Sign in to FinSpace with IAM Identity Center credentials


**To sign in with IAM Identity Center credentials**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose `finspace-saml-aws-sso` from the list of environments.

1. Choose the **Application URL** link.

   The IAM Identity Center authentication page opens.

1. Enter your SSO credentials to sign in to FinSpace.

# Tutorial: Creating an Amazon FinSpace environment with AD FS

The following tutorial walks you through how an Amazon FinSpace environment can be created using Microsoft Active Directory Federation Services (AD FS) as an identity provider (IdP).

**Note**  
You need to have appropriate privileges in AD FS to create a SAML application.

## Prerequisites


Ensure that a user exists in AD FS for each person who will need access to FinSpace. When creating users, make sure to include an email address for each user. Email addresses are required to connect the users in AD FS with their corresponding users in FinSpace.

## Step 1: Access the SAML metadata document or URL from AD FS


Access the SAML metadata document or URL from your AD FS installation. You will need this document or URL to create the FinSpace environment.

## Step 2: Creating a FinSpace environment


**To create a FinSpace environment**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose **Create Environment**.

1. Enter a name for your FinSpace environment under **Environment name**. For example, enter `finspace-saml-adfs`.

1. (Optional) Add **Environment description**.

1. Select an existing or create a new KMS key to encrypt data in your FinSpace environment. For more information, see [Managing keys](https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html).

1. For **Authentication method**, select **Single Sign On (SSO)**.

1. Enter your **Identity provider name**. For example, `AD FS`.

1. For **Metadata document URL**, select **Provide a metadata document URL** and then paste the SAML metadata document URL in the text box.

1. For **Attribute mapping**, enter the attribute set for email in AD FS. It should be `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`.

1. Choose **Create Environment**. The environment creation process starts and it will take 50-60 minutes to finish in the background. You can return to other activities while the environment is being created.

1. After the FinSpace environment is ready, copy and save the **Redirect / Sign-in URL** and **URN**.

## Step 3: Configure AD FS for FinSpace


**To configure AD FS for FinSpace**

1. Sign in to your AD FS console.

1. Go to **Server Manager**.

1. From the top-right drop down menu, choose **Tools**.

1. Choose **AD FS management**.

1. From the left menu, choose **Relying Party Trusts**.

1. Choose **Add Relying Party Trust**.

1. From the dialog box, choose **Claims Aware**.

1. Choose **Enter data about the relying party manually**.

1. For display name, enter `FinSpace` and then choose **Next**.

1. Choose **Enable support for the SAML 2.0 WebSSO protocol**.

1. Paste the **Redirect / Sign-in URL** and then choose **Next**.

1. Paste the **URN** under the **Relying party trust identifier**.

1. Choose **Add** and then choose **Next**.

1. Choose **Close**. You will see **FinSpace** in the list of **Relying Party Trusts**.

1. Right-click on **FinSpace** and choose **Edit Claim Issuance Policy**.

1. On the next page, choose **Add Rule**.

1. Under **Claim Rule Template**, choose **Send LDAP Attributes as Claims**.

1. Choose **Next**.

1. For **Claim rule name**, enter rule name as `emailclaimrule`.

1. Under **Attribute store**, choose **Active Directory**.

1. Under **Mapping of LDAP attributes to outgoing claim types**, set the LDAP attributes as following:

   1. For **LDAP attribute**, enter `E-mail-Addresses` and for **Outgoing Claim Type**, enter `E-mail Address`.

   1. Repeat the above step to set **LDAP attribute**, as `E-mail-Addresses` and **Outgoing Claim Type** as `Name ID`.

1. Choose **Finish** and then choose **OK**.

## Step 4: Assign user in AD FS


Ensure that any user to be enabled for FinSpace has a valid email in their user record in AD FS.

## Step 5: Create superuser in your FinSpace environment


**To create a superuser**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose `finspace-saml-adfs` from the list of environments.

1. Under **Superusers**, choose **Add Superuser**.

1. On **Specify Superuser details** page, enter the email that was used when assigning the user in AD FS.

1. Enter the **First name** and the **Last name**.

1. Choose **Create and view credentials**. You will not receive a password, because you will use the AD FS credentials for authentication.

## Step 6: Sign in to FinSpace with AD FS credentials


**To sign in with AD FS credentials**

1. Sign in to the AWS Management Console and open the Amazon FinSpace console at [https://console.aws.amazon.com/finspace](https://console.aws.amazon.com/finspace/landing).

1. Choose `finspace-saml-adfs` from the list of environments.

1. Copy the link under **Domain** and paste it in your web browser.

   You will be re-directed to your AD FS authentication page.

1. Enter your SSO credentials to sign in to FinSpace.

# Managing user access in Amazon FinSpace

Amazon FinSpace administrators or superusers can use the following topics to manage user access.

**Superuser**

A superuser has all the permissions in FinSpace. The first superuser for your FinSpace environment is created from the AWS console. The superuser can then create other superusers and application users from the FinSpace web application.

**Application user**

An application user does not have any permissions when their account is created. They are assigned permissions by adding them to a permission group.

**Permission group**

Permission groups contain users. Permissions to perform any action in FinSpace are assigned to permission groups, not directly to the user. A user can be a member of multiple permission groups. A permission group cannot be a member of another permission group.

**Permissions**

Permissions are assigned to permission groups and not to users. There are two kinds of permissions in FinSpace: application permissions and dataset permissions. Application permissions are assigned to a permission group when creating or editing it (for example, create datasets). Dataset permissions are assigned on a per dataset basis when associating a permission group to a dataset (for example, read a view in a dataset).
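The four rules above (permissions only via groups, users in several groups, no nested groups, dataset permissions per dataset association) determine a user's effective access, and it helps to work them through before designing groups. The following Python model is an added example, not FinSpace code or its API: it encodes those rules in a small resolver and builds a constructed environment with hypothetical permission names, users, groups and datasets to show what each user ends up able to do.

```python
from dataclasses import dataclass, field

# Permission names are constructed for this example; FinSpace's own names differ
# (the text above mentions "create datasets" and "read a view in a dataset").
APPLICATION_PERMISSIONS = {"CreateDatasets", "ManageUsersAndPermissionGroups"}
DATASET_PERMISSIONS = {"ReadView", "EditMetadata"}


@dataclass
class PermissionGroup:
    name: str
    application_permissions: set = field(default_factory=set)
    members: set = field(default_factory=set)  # user ids only; groups cannot nest


@dataclass
class Dataset:
    name: str
    # group name -> dataset permissions that group holds on this dataset only
    group_grants: dict = field(default_factory=dict)


class AccessModel:
    """Resolves what a user may do, following the rules described above."""

    def __init__(self):
        self.superusers = set()
        self.users = set()
        self.groups = {}
        self.datasets = {}

    def add_superuser(self, user):
        self.superusers.add(user)

    def add_application_user(self, user):
        self.users.add(user)  # no permissions until placed in a permission group

    def add_group(self, name, application_permissions=()):
        unknown = set(application_permissions) - APPLICATION_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown application permission(s): {sorted(unknown)}")
        self.groups[name] = PermissionGroup(name, set(application_permissions))

    def add_member(self, group, principal):
        if principal in self.groups:
            raise ValueError("a permission group cannot be a member of another permission group")
        if principal not in self.users and principal not in self.superusers:
            raise ValueError(f"unknown user: {principal}")
        self.groups[group].members.add(principal)

    def add_dataset(self, name):
        self.datasets[name] = Dataset(name)

    def associate_group(self, dataset, group, permissions):
        """Dataset permissions are granted when a group is associated with that dataset."""
        unknown = set(permissions) - DATASET_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown dataset permission(s): {sorted(unknown)}")
        self.datasets[dataset].group_grants[group] = set(permissions)

    def groups_of(self, user):
        return [g for g in self.groups.values() if user in g.members]

    def can(self, user, permission, dataset=None):
        """Union of the grants of every group the user belongs to; superusers may do anything."""
        if user in self.superusers:
            return True
        if dataset is None:
            return any(permission in g.application_permissions for g in self.groups_of(user))
        grants = self.datasets[dataset].group_grants
        return any(permission in grants.get(g.name, set()) for g in self.groups_of(user))


def build_sample() -> AccessModel:
    """Constructed environment: one superuser, two application users, two groups, two datasets."""
    m = AccessModel()
    m.add_superuser("admin@example.com")
    for user in ("alice@example.com", "bob@example.com"):
        m.add_application_user(user)
    m.add_group("data-engineers", {"CreateDatasets"})
    m.add_group("analysts")
    m.add_member("data-engineers", "alice@example.com")
    m.add_member("analysts", "alice@example.com")  # a user may belong to several groups
    m.add_dataset("trades")
    m.add_dataset("quotes")
    m.associate_group("trades", "analysts", {"ReadView"})
    m.associate_group("quotes", "data-engineers", {"ReadView", "EditMetadata"})
    return m


if __name__ == "__main__":
    model = build_sample()
    for user in ("admin@example.com", "alice@example.com", "bob@example.com"):
        print(user, "CreateDatasets:", model.can(user, "CreateDatasets"),
              "EditMetadata on trades:", model.can(user, "EditMetadata", dataset="trades"))
```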

**Topics**
+ [Managing user access with email and password](managing-user-email-pwd.md)
+ [Managing user access with SSO](managing-user-sso.md)
+ [Managing user permissions with permission groups](managing-user-permissions.md)
+ [Temporary credentials in Amazon FinSpace](temporary-credentials.md)

# Managing user access with email and password


This section describes how you can manage users in an Amazon FinSpace environment created with Email and password based authentication.

**Note**  
To create and manage users, you must be a superuser or a member of a group with the necessary permission, **Manage Users and Permission Groups**.

You can invite users by creating an account for them and sharing access credentials.

![\[A screenshot that shows the FinSpace users list.\]](http://docs.aws.amazon.com/finspace/latest/userguide/images/04b-configuring-users-and-groups/user-list.png)


## Creating the first superuser


The first superuser must be created after a new FinSpace environment is created. See details in [this section](create-an-amazon-finspace-environment.md). Once the first superuser is created, they can sign in to FinSpace web application and setup other superusers and application users. Subsequent superusers can be created by the first superuser in the FinSpace web application.

## Inviting users to access FinSpace


In FinSpace, you can invite users by creating an account for them and sharing access credentials. FinSpace accounts are created in two steps. First, you create a user in FinSpace. This creates an inactive account, and FinSpace generates credentials with a temporary password that you share with the user. When the user accepts the invitation and signs in for the first time, they set a new password, which activates the account.

For more information about signing in for the first time, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

**To create accounts and invite users to FinSpace**

1. Sign in to the FinSpace web application. For more information, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

1. On the left navigation bar of the home page, choose **Users and Groups**.

1. On the **Users and Permission Groups** page, choose **Add User**.

1. On the **Create User** page, specify the **User Details**.

1. For **Superuser**, choose **Yes** to designate the user as a superuser or **No** to designate this user as an application user.

1. For **Programmatic Access**, choose **Yes** to provide access to use FinSpace APIs and SDK or choose **No** to deny programmatic access.

   When you choose **Yes**, you must specify the **IAM Principal ARN** for this user. ARNs have the format `arn:partition:service:region:account:resource`; IAM ARNs leave the Region field empty, so an IAM role ARN looks like `arn:aws:iam::012345678910:role/TestRole`. The role must reside in the AWS account that owns the FinSpace environment (see [Temporary credentials in Amazon FinSpace](temporary-credentials.md)).

1. Choose **Create User**.

1. After the account is created, copy the credentials to clipboard and share them with the new user.  
![\[A screenshot that shows the create user confirmation page.\]](http://docs.aws.amazon.com/finspace/latest/userguide/images/04b-configuring-users-and-groups/create-user-confirmation.png)

## Viewing user details


**To view details of a user**

1. Sign in to the FinSpace web application. For more information, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

1. On the left navigation bar of the home page, choose **Users and Groups**. The **Users and Permission Groups** page, displays the list of users under the **FinSpace Users** tab.

1. Select a user to view their details.

## Deactivating a user


**To deactivate a user**

1. Sign in to the FinSpace web application. For more information, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

1. On the left navigation bar of the home page, choose **Users and Groups**.

1. Choose **FinSpace Users** tab.

1. Select a user to view their details.

1. On the top right corner, choose **More** menu.

1. Choose **Deactivate User**. This button is only visible to superusers and users with the necessary permission, **Manage Users and Permission Groups**.

1. On the confirmation dialog box, choose **Deactivate**. You can activate a user again later if necessary.

# Managing user access with SSO



This section describes how you can manage users in an Amazon FinSpace environment created with SAML based SSO authentication.

**Note**  
To create and manage users, you must be a superuser or a member of a group with the necessary permission, **Manage Users and Permission Groups**.
You also need administrator privileges in your Identity Provider to assign users to, and remove them from, the FinSpace application configured there.

You can invite users by creating a FinSpace account for them. When using SAML based Single Sign On as the authentication method for your FinSpace environment, you need to execute two steps to add users in FinSpace.

1. Assign user to your FinSpace application in your Identity Provider (IdP) with their email.

1. Create the user in the FinSpace environment. The email of the user created in FinSpace must match the email in the user's identity record at the Identity Provider.

If either step is skipped, or the two email addresses differ, the user cannot authenticate to FinSpace.

## Creating the first superuser


The first superuser must be created after a new FinSpace environment is created. The user must be assigned to the FinSpace application created in your IdP. See details in [this section](create-an-amazon-finspace-environment.md). Once the first superuser is created, they can sign in to FinSpace web application and setup other superusers and application users. Subsequent superusers can be created by the first superuser in the FinSpace web application.

## Inviting users to access FinSpace


In FinSpace, you can invite users by creating a FinSpace account for them. For more information about signing in for the first time, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

**To create FinSpace accounts and invite users**

1. Assign the new user to the application created for FinSpace in your IdP.

1. Sign in to the FinSpace web application. For more information, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

1. On the left navigation bar of the home page, choose **Users and Groups**.

1. On the **Users and Permission Groups** page, choose **Add User**.

1. On the **Create User** page, specify the **User Details**. The email that you enter must match the email of the user record in your IdP.

1. For **Superuser**, choose **Yes** to designate the user as a superuser or **No** to designate this user as an application user.

1. For **Programmatic Access**, choose **Yes** to provide access to use FinSpace APIs and SDK or choose **No** to deny programmatic access.

   When you choose **Yes**, you must specify the **IAM Principal ARN** for this user. ARNs have the format `arn:partition:service:region:account:resource`; IAM ARNs leave the Region field empty, so an IAM role ARN looks like `arn:aws:iam::012345678910:role/TestRole`. The role must reside in the AWS account that owns the FinSpace environment (see [Temporary credentials in Amazon FinSpace](temporary-credentials.md)).

1. Choose **Create User**.

1. After the account is created, copy the details shown to the clipboard and share them with the new user. The user signs in to FinSpace with their SSO credentials rather than a FinSpace-issued password.

## Viewing user details


**To view details of a user**

1. Sign in to the FinSpace web application. For more information, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

1. On the left navigation bar of the home page, choose **Users and Groups**. The **Users and Permission Groups** page, displays the list of users under the **FinSpace Users** tab.

1. Select a user to view their details.

## Deactivating a user


**To deactivate a user**

1. Remove the user from the list of assigned users from the FinSpace application in your Identity Provider (IdP).

1. Sign in to the FinSpace web application. For more information, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

1. On the left navigation bar of the home page, choose **Users and Groups**.

1. Choose **FinSpace Users** tab.

1. Select a user to view their details.

1. On the top right corner, choose **More** menu.

1. Choose **Deactivate User**. This button is only visible to superusers and users with the necessary permission, **Manage Users and Permission Groups**.

1. On the confirmation dialog box, choose **Deactivate**. You can activate a user again later if necessary.

# Managing user permissions with permission groups



**Note**  
To create and manage permission groups, you must be a superuser or a member of a group with the necessary permission, **Manage Users and Permission Groups**.

You can create permission groups inside Amazon FinSpace so that you do not have to manage permissions user by user. Permissions are never assigned directly to a user: you create a permission group with the appropriate permissions and then assign users to that group.

![\[A screenshot that shows the permission group list.\]](http://docs.aws.amazon.com/finspace/latest/userguide/images/04b-configuring-users-and-groups/user-group-list.png)


## Permissions


Permissions are assigned to permission groups and not to users. There are two kinds of permissions in FinSpace: application permissions and dataset permissions. Application permissions are assigned to a permission group when creating or editing it (for example, create datasets). Dataset permissions are assigned on a per-dataset basis when associating a permission group with a dataset (for example, read a view in a dataset).

**Warning**  
When assigning application permissions, be aware that the permission **Manage Users and Permission Groups** allows users to grant themselves or others access to any functionality in their FinSpace environment's application. It should only be granted to trusted users.

 **Supported application permissions** 


| Permission | Description | 
| --- | --- | 
|  Create Datasets  |  Group members can create new datasets in FinSpace or via the FinSpace API  | 
|  Manage Categories and Controlled Vocabularies  |  Group members can create, edit and delete categories and controlled vocabularies  | 
|  Manage Clusters  |  Group members can manage clusters in FinSpace notebooks  | 
|  Manage Users and Permission Groups  |  Group members can manage users and permission groups. This is a privileged permission that allows users to grant themselves or others access to any functionality in the application. It should only be granted to trusted users.  | 
|  Manage Attribute Sets  |  Group members have the menu option to manage attribute sets and can create, edit and delete them  | 
|  View Audit Data  |  Group members can view audit data  | 
|  Access Notebooks  |  Group members have access to the FinSpace notebooks  | 
|  Get Temporary Credentials  |  Group members can obtain temporary API credentials  | 

## Supported dataset permissions


When a user creates a dataset, all other members of that user's permission group inherit access to it. Those members can then grant the dataset to other permission groups and specify which actions the other groups can take on it. Users can only create a dataset if their permission group has the **Create Datasets** application permission.


| Permission | Description | 
| --- | --- | 
|  View Dataset Details  |  Group members can view dataset details  | 
|  Read Dataset Data  |  Group members can read the data files, such as data views, provided on S3 for Spark, notebooks, and access from outside FinSpace  | 
|  Add Dataset Data  |  Group members can add new data files to this dataset to create a dataset update  | 
|  Create View  |  Group members can create new data or file view on this dataset via the Web UI or API  | 
|  Edit Dataset Metadata  |  Group members will have permission to edit dataset metadata including permission to add additional attribute sets  | 
|  Manage Permissions  |  Group members can view and edit this dataset permissions  | 
|  Delete Dataset  |  Group members can remove the dataset including all data and data views  | 
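The authorization rules above (superuser, application user, permission group, application permissions and per-dataset permissions), expressed as an added Python model. This is not FinSpace's own code; the user, group and dataset names are constructed sample data, and the `privileged_groups` audit helper is an addition that applies the warning about **Manage Users and Permission Groups**.

```python
"""Model of the FinSpace Dataset browser permission rules described above.

Rules modelled:
  * a superuser holds every permission;
  * an application user holds nothing until added to permission groups;
  * permissions attach to groups only, groups do not nest, and a user in
    several groups gets the union of their permissions;
  * dataset permissions are granted per dataset to a group.
"""
from dataclasses import dataclass, field

APP_PERMISSIONS = {
    "Create Datasets", "Manage Categories and Controlled Vocabularies",
    "Manage Clusters", "Manage Users and Permission Groups",
    "Manage Attribute Sets", "View Audit Data", "Access Notebooks",
    "Get Temporary Credentials",
}
DATASET_PERMISSIONS = {
    "View Dataset Details", "Read Dataset Data", "Add Dataset Data",
    "Create View", "Edit Dataset Metadata", "Manage Permissions", "Delete Dataset",
}
# Holders of this permission can grant themselves anything, so it is audited separately.
PRIVILEGED = {"Manage Users and Permission Groups"}


@dataclass
class PermissionGroup:
    name: str
    app_permissions: set = field(default_factory=set)
    dataset_permissions: dict = field(default_factory=dict)  # dataset id -> set of perms

    def __post_init__(self):
        unknown = self.app_permissions - APP_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown application permission(s): {sorted(unknown)}")

    def grant_dataset(self, dataset_id, perms):
        unknown = set(perms) - DATASET_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown dataset permission(s): {sorted(unknown)}")
        self.dataset_permissions.setdefault(dataset_id, set()).update(perms)


@dataclass
class User:
    email: str
    superuser: bool = False
    groups: list = field(default_factory=list)  # PermissionGroup objects; groups never nest


def effective_app_permissions(user):
    if user.superuser:
        return set(APP_PERMISSIONS)
    perms = set()
    for group in user.groups:
        perms |= group.app_permissions
    return perms


def effective_dataset_permissions(user, dataset_id):
    if user.superuser:
        return set(DATASET_PERMISSIONS)
    perms = set()
    for group in user.groups:
        perms |= group.dataset_permissions.get(dataset_id, set())
    return perms


def can(user, permission, dataset_id=None):
    """True if the user holds the application permission, or the dataset
    permission on the given dataset. Unknown permission names are rejected."""
    if dataset_id is None:
        if permission not in APP_PERMISSIONS:
            raise ValueError(f"not an application permission: {permission!r}")
        return permission in effective_app_permissions(user)
    if permission not in DATASET_PERMISSIONS:
        raise ValueError(f"not a dataset permission: {permission!r}")
    return permission in effective_dataset_permissions(user, dataset_id)


def privileged_groups(groups):
    """Audit helper: names of groups that carry the escalation-capable permission."""
    return sorted(g.name for g in groups if g.app_permissions & PRIVILEGED)


def sample_environment():
    """Constructed sample data: three groups, one dataset, four users."""
    analysts = PermissionGroup("analysts", {"Access Notebooks", "Get Temporary Credentials"})
    engineers = PermissionGroup("data-engineers", {"Create Datasets", "Access Notebooks"})
    admins = PermissionGroup("admins", {"Manage Users and Permission Groups", "View Audit Data"})
    engineers.grant_dataset("ds-trades", DATASET_PERMISSIONS)  # creating group gets full access
    analysts.grant_dataset("ds-trades", {"View Dataset Details", "Read Dataset Data"})
    users = {
        "root@example.com": User("root@example.com", superuser=True),
        "ana@example.com": User("ana@example.com", groups=[analysts]),
        "eng@example.com": User("eng@example.com", groups=[engineers, analysts]),
        "new@example.com": User("new@example.com"),  # created, not yet in any group
    }
    return users, [analysts, engineers, admins]
```

Running `privileged_groups` over every group in an environment is a cheap periodic check: any group beyond the one you expect to hold **Manage Users and Permission Groups** is an escalation path.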

## Creating and adding a user to the group


**To create a permission group and add a new user to it**

1. Sign in to the FinSpace web application. For more information, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

1. On the left navigation bar of the home page, choose **Users and Groups**.

1. On the **Users and Permission Groups** page, choose **Create Permission Group**.

1. On the **Create Permission Group** page, enter the name and description for the permission group and select appropriate permissions for the group.

1. Choose **Create**. A new group is created with selected permissions.  
![\[A screenshot that shows the analyst permissions group.\]](http://docs.aws.amazon.com/finspace/latest/userguide/images/04b-configuring-users-and-groups/data-engineer-permissions.png)

1. Choose **Add User to This Group**.

1. On the dialog box, select a user to add to this group.

1. Choose **Add**. A new user is now added to the group.

## List all permission groups


**To list all created permission groups**

1. Sign in to the FinSpace web application. For more information, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

1. On the left navigation bar of the home page, choose **Users and Groups**.

1. Choose the **Permission Groups** tab. A list of all the permission groups is displayed in the table.

## Delete a permission group


**To delete a permission group**

1. Sign in to the FinSpace web application. For more information, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

1. On the left navigation bar of the home page, choose **Users and Groups**.

1. Choose the **Permission Groups** tab.

1. From the list, select a group and choose the more (![\[An image of the vertical ellipsis icon.\]](http://docs.aws.amazon.com/finspace/latest/userguide/images/04a-configuring-the-catalog/kebab-menu.png)) icon.

1. Choose **Remove Group**.  
![\[A screenshot that shows the remove permission group drop down.\]](http://docs.aws.amazon.com/finspace/latest/userguide/images/04b-configuring-users-and-groups/remove-user-group.png)

1. In the dialog box that appears, choose **Remove**.

# Temporary credentials in Amazon FinSpace

Amazon FinSpace has an internal application authorization model that controls access to the functions in FinSpace and the FinSpace API operations. In order to use the FinSpace API operations, you must first obtain temporary security credentials, which are used when you call these API operations. These credentials are unique for each user and are only valid for 60 minutes. After the credentials expire, you need to obtain new credentials before making subsequent API calls.

## Obtaining the credentials using FinSpace


You can obtain credentials from the web application if you're one of the following: 
+ A superuser
+ An application user who is a member of a FinSpace permission group with the **Get Temporary API Credentials** permission

**To obtain the credentials**

1. Sign in to the FinSpace web application. For more information, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

1. On the left navigation bar of the home page, choose **API Credentials**.

1. On the **API Credentials** page, use the copy icon to copy the **Access Key ID**, **Secret Access Key**, and the **Session Token** values.

1. Use these copied credentials to access the FinSpace data API operations.

   ```
   #!/usr/bin/env python

   import boto3

   # Paste the three values copied from the API Credentials page. They expire
   # after 60 minutes, so obtain a fresh set before calling the API again.
   session = boto3.session.Session()
   finSpaceClient = session.client(
       service_name='finspace-data',
       region_name='us-east-1',  # the Region of your FinSpace environment
       aws_access_key_id='Specify Access Key ID',
       aws_secret_access_key='Specify Secret Access Key',
       aws_session_token='Specify Session Token',
   )
   ```

## Obtaining the credentials programmatically


You can also obtain the credentials using a program or a script without signing in to the FinSpace web application. For this, you can use the `GetProgrammaticAccessCredentials` API operation to retrieve the temporary credentials. You must call `GetProgrammaticAccessCredentials` using the IAM role that exists in the AWS account that you used to create your Amazon FinSpace environment. 

Calling the `GetProgrammaticAccessCredentials` API operation returns a set of temporary credentials that you can then use to call the other API operations. Before you obtain the temporary credentials, you need to enable the programmatic access for each user.

The following diagram illustrates how you can access and use the temporary credentials.

![\[This diagram shows the sequence for accessing temporary credentials.\]](http://docs.aws.amazon.com/finspace/latest/userguide/images/09-security/temporary-credentials-diagram.png)

+ The diagram shows that first a request to `AssumeRole` is sent to AWS. For more information, see [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) in the *AWS Security Token Service API Reference*.
+ This request returns a set of security credentials that are used to access the AWS resources.
+ Next, a request is sent to `finspace-data` to call the `GetProgrammaticAccessCredentials` API operation. This request returns the temporary credentials.
+ Lastly, the temporary credentials are used to call the other FinSpace API operations.
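The three steps in the diagram, as an added Python example (not AWS code): `AssumeRole`, then `GetProgrammaticAccessCredentials` on `finspace-data`, then a `finspace-data` client built from the returned credentials. It also adds what the diagram does not show: tracking the 60-minute expiry and refreshing early. `ROLE_ARN`, `ENVIRONMENT_ID` and the Region are placeholders you would replace; the AWS clients are passed in as parameters so the logic can be exercised without network access.

```python
"""Obtain FinSpace temporary API credentials programmatically and refresh
them before the 60-minute lifetime ends."""
import time
from dataclasses import dataclass

ROLE_ARN = "arn:aws:iam::123456789012:role/FinSpaceApiRole"  # placeholder: the user's IAM Principal ARN
ENVIRONMENT_ID = "abcdefghijklmnopqrstuvwxyz"                # placeholder: your environment ID
REGION = "us-east-1"                                         # placeholder: the environment's Region
MAX_LIFETIME_MIN = 60     # FinSpace credentials are valid for at most 60 minutes
REFRESH_SKEW_SEC = 300    # refresh this long before expiry to absorb clock drift and latency


@dataclass(frozen=True)
class TempCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expires_at: float  # epoch seconds

    def needs_refresh(self, now, skew=REFRESH_SKEW_SEC):
        return now + skew >= self.expires_at

    def as_boto_kwargs(self):
        """Keyword arguments accepted by boto3 Session.client()."""
        return {"aws_access_key_id": self.access_key_id,
                "aws_secret_access_key": self.secret_access_key,
                "aws_session_token": self.session_token}


def assume_role(sts, role_arn, session_name="finspace-api"):
    """Step 1: sts:AssumeRole for the IAM role configured on the FinSpace user."""
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


def fetch_finspace_credentials(finspace_data, environment_id, duration_min=MAX_LIFETIME_MIN, now=None):
    """Step 2: GetProgrammaticAccessCredentials, called with the assumed-role
    credentials. Returns FinSpace API credentials tagged with their expiry."""
    if not 1 <= duration_min <= MAX_LIFETIME_MIN:
        raise ValueError(f"duration must be between 1 and {MAX_LIFETIME_MIN} minutes")
    resp = finspace_data.get_programmatic_access_credentials(
        environmentId=environment_id, durationInMinutes=duration_min)
    c = resp["credentials"]
    now = time.time() if now is None else now
    lifetime = resp.get("durationInMinutes", duration_min)
    return TempCredentials(c["accessKeyId"], c["secretAccessKey"], c["sessionToken"],
                           now + lifetime * 60)


class CredentialProvider:
    """Hands out valid FinSpace credentials, refreshing them before they expire."""

    def __init__(self, finspace_data, environment_id, clock=time.time):
        self._fsd = finspace_data
        self._env = environment_id
        self._clock = clock
        self._cached = None
        self.refreshes = 0

    def get(self):
        now = self._clock()
        if self._cached is None or self._cached.needs_refresh(now):
            self._cached = fetch_finspace_credentials(self._fsd, self._env, now=now)
            self.refreshes += 1
        return self._cached


def build_finspace_client(provider, region=REGION):
    """Step 3: a finspace-data client authenticated with the temporary credentials."""
    import boto3  # imported here so the logic above also runs where boto3 is absent
    return boto3.session.Session().client("finspace-data", region_name=region,
                                          **provider.get().as_boto_kwargs())


if __name__ == "__main__":
    import boto3
    sts = boto3.client("sts", region_name=REGION)
    role_creds = assume_role(sts, ROLE_ARN)
    fsd_as_role = boto3.client("finspace-data", region_name=REGION, **role_creds)
    provider = CredentialProvider(fsd_as_role, ENVIRONMENT_ID)
    finspace = build_finspace_client(provider)
    print(finspace.list_datasets(maxResults=5))
```

Long-running jobs should call `provider.get()` before each batch of API calls rather than holding one client for the whole run; the provider refreshes only when the cached set is within five minutes of expiry.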

**Configuring a user for programmatic access using FinSpace **

Use the following procedures to allow a specific user to obtain API credentials programatically. 

**Note**  
To perform the following steps, you must either be a superuser or a member of a group with the necessary permission, **Manage Users and Permission Groups**.

1. Sign in to the FinSpace web application. For more information, see [Signing in to the Amazon FinSpace web application](signing-into-amazon-finspace.md).

1. On the left navigation bar of the home page, choose **Users and Groups**.

1. On the **Users and Permission Groups** page, choose a user that you want to enable programmatic access for.

1. On the user details page, choose **More** and then choose **Edit User**.

1. For **Programmatic Access**, choose **Yes**.

1. For **IAM Principal ARN**, enter the ARN of the IAM role that will be used, for example `arn:aws:iam::012345678910:role/TestRole`. This role calls `GetProgrammaticAccessCredentials` to obtain temporary API credentials.

   The IAM role must reside in the AWS account that you used to create your FinSpace environment, and its permissions policy must allow it to call `GetProgrammaticAccessCredentials` for that environment.

1. To save your edits to the user, choose **Update User**.

**Note**  
Alternatively, you can also enable programmatic access for a user at the time when you create a user. For more information, see [Adding users in FinSpace](managing-user-email-pwd.md#creating-accounts-and-inviting-users-to-access-amazon-finspace).

**Enabling programmatic access using the FinSpace API** 

You can also enable programmatic access for a user by using the [`CreateUser`](https://docs.aws.amazon.com/finspace/latest/data-api/API_CreateUser.html) and [`UpdateUser`](https://docs.aws.amazon.com/finspace/latest/data-api/API_UpdateUser.html) API operations. The following are examples of how you can use the API operations. 

**Example JSON for the `CreateUser` API operation**

```
{
    "emailAddress": "testemail1@amazon.com",
    "type": "APP_USER",
    "firstName": "test",
    "lastName": "user",
    "apiAccess": "ENABLED",
    "apiAccessPrincipalArn": "arn:aws:iam::012345678910:role/TestRole"
}
```

 **Example JSON for the `UpdateUser` API operation**

```
{
    "type": "SUPER_USER",
    "firstName": "test",
    "lastName": "user",
    "apiAccess": "ENABLED",
    "apiAccessPrincipalArn": "arn:aws:iam::012345678910:role/TestRole"
}
```
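An added Python example (not AWS code) that validates the `apiAccessPrincipalArn` before building the `CreateUser` and `UpdateUser` bodies shown above. It applies the rules on this page: the ARN has the form `arn:partition:service:region:account:resource`, must name an IAM role, and the role must reside in the account that owns the FinSpace environment. The environment account ID is a constructed sample value, and the request bodies are plain dictionaries you would pass to the boto3 `finspace-data` client as keyword arguments.

```python
"""Validate an IAM Principal ARN for FinSpace programmatic access and build
the CreateUser / UpdateUser request bodies."""
import re
from dataclasses import dataclass

ENVIRONMENT_ACCOUNT = "012345678910"   # sample: the account the environment was created in
_ACCOUNT_RE = re.compile(r"^\d{12}$")
_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str

    @classmethod
    def parse(cls, text):
        # Six colon-separated fields; the resource field may itself contain colons.
        parts = text.split(":", 5)
        if len(parts) != 6 or parts[0] != "arn":
            raise ValueError(f"not an ARN: {text!r}")
        return cls(*parts[1:])


def validate_api_principal_arn(text, environment_account=ENVIRONMENT_ACCOUNT):
    """Return the parsed ARN, or raise ValueError stating which rule failed."""
    arn = Arn.parse(text)
    if arn.partition not in _PARTITIONS:
        raise ValueError(f"unexpected partition {arn.partition!r}")
    if arn.service != "iam":
        raise ValueError("IAM Principal ARN must be an IAM ARN (service 'iam')")
    if arn.region != "":
        raise ValueError("IAM ARNs have an empty Region field")
    if not _ACCOUNT_RE.match(arn.account):
        raise ValueError("account must be a 12-digit AWS account ID")
    if arn.account != environment_account:
        raise ValueError("role must reside in the account that owns the FinSpace environment")
    kind, _, name = arn.resource.partition("/")
    if kind != "role" or not name:
        raise ValueError("resource must be role/<RoleName>")
    return arn


def create_user_request(email, first_name, last_name, principal_arn, superuser=False):
    """Body for CreateUser with programmatic access enabled."""
    validate_api_principal_arn(principal_arn)
    return {
        "emailAddress": email,
        "type": "SUPER_USER" if superuser else "APP_USER",
        "firstName": first_name,
        "lastName": last_name,
        "apiAccess": "ENABLED",
        "apiAccessPrincipalArn": principal_arn,
    }


def update_user_request(principal_arn=None, **fields):
    """Body for UpdateUser. Programmatic access is enabled only with a validated
    ARN; with no ARN it is explicitly disabled so a stale ARN is never kept."""
    body = dict(fields)
    if principal_arn is None:
        body["apiAccess"] = "DISABLED"
    else:
        validate_api_principal_arn(principal_arn)
        body.update(apiAccess="ENABLED", apiAccessPrincipalArn=principal_arn)
    return body
```

The Region check is the one most often tripped: a value written with a Region (`arn:aws:iam:us-east-1:...`) is not a valid IAM ARN, and a role in a different account is rejected before the API call rather than failing later at `GetProgrammaticAccessCredentials`.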

# AWS managed policies for Amazon FinSpace

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

## AWS managed policy: AWSFinSpaceServiceRolePolicy

You can't attach AWSFinSpaceServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows FinSpace to perform actions on your behalf. For more information, see [Using service-linked roles for FinSpace](using-service-linked-roles.md).

This policy grants FinSpace permissions to publish metrics.

**Permissions details**

This policy includes the following permission.

+ `cloudwatch` – Allows principals to publish metrics to the AWS/FinSpace and AWS/Usage namespaces in the AWS account.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": [
                        "AWS/FinSpace",
                        "AWS/Usage"
                    ]
                }
            },
            "Resource": "*"
        }
    ]
}
```

## FinSpace updates to AWS managed policies

View details about updates to AWS managed policies for FinSpace since this service began tracking these changes.

| Change | Description | Date | 
| --- | --- | --- | 
|  [AWSFinSpaceServiceRolePolicy](#security-iam-awsmanpol-AWSFinSpaceServiceRolePolicy) – Updated policy  |  Updated the policy attached to the `AWSServiceRoleForFinSpace` role to allow `PutMetricData` calls to the AWS/Usage CloudWatch namespace.  | November 17, 2023 | 
|  [AWSFinSpaceServiceRolePolicy](#security-iam-awsmanpol-AWSFinSpaceServiceRolePolicy) – New policy  |  FinSpace added a new policy to enable access to AWS service and resources used or managed by Amazon FinSpace.  | June 5, 2023 | 
|  FinSpace started tracking changes  |  FinSpace started tracking changes for its AWS managed policies.  | June 5, 2023 | 

# Using service-linked roles for FinSpace

Amazon FinSpace uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to FinSpace. Service-linked roles are predefined by FinSpace and include all the permissions that the service requires to call other AWS services on your behalf. 

A service-linked role makes setting up FinSpace easier because you don’t have to manually add the necessary permissions. FinSpace defines the permissions of its service-linked roles, and unless defined otherwise, only FinSpace can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your FinSpace resources because you can't inadvertently remove permission to access them.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for FinSpace


FinSpace uses the service-linked role named **AWSServiceRoleForFinSpace**. Its policy enables access to the AWS services and resources used or managed by Amazon FinSpace.

The AWSServiceRoleForFinSpace service-linked role trusts the following service to assume the role:
+ `finspace.amazonaws.com`

The role permissions policy named AWSFinSpaceServiceRolePolicy allows FinSpace to complete the following action on the specified resources:
+ Action: `cloudwatch:PutMetricData` on `*`, restricted to the `AWS/FinSpace` and `AWS/Usage` CloudWatch namespaces.

For more information about this policy, including the JSON policy document, see [AWSFinSpaceServiceRolePolicy](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSFinSpaceServiceRolePolicy).

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for FinSpace


You don't need to manually create a service-linked role. When you create a FinSpace environment in the AWS Management Console, the AWS CLI, or the AWS API, FinSpace creates the service-linked role for you. 

**Important**  
This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the FinSpace service before May 25, 2023, when it began supporting service-linked roles, then FinSpace created the AWSServiceRoleForFinSpace role in your account. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared).

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create a FinSpace environment, FinSpace creates the service-linked role for you again. 

## Editing a service-linked role for FinSpace


FinSpace does not allow you to edit the AWSServiceRoleForFinSpace service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for FinSpace


If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

**Note**  
If the FinSpace service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**Note**  
If you want to delete the AWSServiceRoleForFinSpace, you must first delete all of your FinSpace environments.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForFinSpace service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported regions for FinSpace service-linked roles


FinSpace supports using service-linked roles in all of the regions where the service is available. For more information, see [Regions and IP ranges](regions-ip-ranges.md).