# User management
User access to AWS Partner Central is managed through AWS Identity and Access Management (IAM). The below topics describe how to invite, onboard, manage and troubleshoot permissions for AWS Partner Central users.
**Topics**
+ [Controlling access in AWS Partner Central](controlling-access-in-aws-partner-central.md)
+ [Controlling access in AWS Partner Central account management](controlling-access-in-apc-account-management.md)
+ [AWS managed policies for AWS Partner Central users](managed-policies.md)
+ [Mapping Partner Central Users to Managed Policies](managed-policy-mappings.md)
+ [User Management FAQs](user-management-faq.md)
# Controlling access in AWS Partner Central
User access to AWS Partner Central is managed through AWS Identity and Access Management (IAM). IAM permissions control who can be authenticated (signed in) and authorized (have permissions) to use AWS Partner Central and AWS Marketplace features. IAM is an AWS service that you can use at no additional charge.
IAM permissions are assigned to individual users by IAM Administrators. These administrators act as security managers for your AWS environment—they provision and de-provision user accounts, assign permissions, and set up security policies. IAM Administrators typically sit within IT or Governance and Security teams.
**Important**
To access AWS Partner Central, users must work with their IAM Administrator to be provided with the correct level of access. If permissions aren't set up correctly, users might not be able to sign in at all, or they might be able to log in, but may not be able to access the tools and information they need to do their job.
The following resources provide more information about getting started and using IAM:
+ [Create an administrative user](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html)
+ [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+ [Managing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-using.html)
+ [Attaching a policy to an IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html)
+ [IAM Identities (users, groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html)
+ [Controlling access to AWS resources using policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions.html)
+ [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html)
**Topics**
+ [AWS IAM for AWS Partner Central](#aws-iam-for-aws-partner-central)
+ [Adding users to AWS Partner Central](#adding-users-to-aws-partner-central)
+ [Permissions for AWS Partner Central](#permissions-for-aws-partner-central)
+ [Condition keys for AWS Partner Central](#condition-keys-for-aws-partner-central)
## AWS IAM for AWS Partner Central
AWS IAM is built on the concept of role-based access. Within this framework, users are assigned to specific roles or groups associated with a set of IAM policies that control what specific features within AWS Partner Central that a user can access. To simplify this process, AWS has published several Managed policies to simplify user management for common user personas within AWS Partner Central.
The IAM Administrator is responsible for the creation of IAM roles, groups and policies and assignment of users to provision permissions in AWS IAM, but must collaborate with the Partner Central users and their leadership to determine what level of access each user should be granted.
Review the Managed policy mappings for guidance on managed policy assignments based on common Partner Central user personas.
Working with AWS IAM requires specific technical knowledge and appropriate AWS account permissions. These individuals ('IAM Administrators') are required to support set up and management of these permissions. The IAM Administrator is typically someone in your IT Security, Information Security, or Governance/Compliance department.
Partner Central uses AWS IAM to manage all user access through your organization's AWS account. Instead of Partner Central managing users directly, your IT team controls access through AWS IAM. Users are assigned specific policies that determine which Partner Central resources (like Opportunities, Solutions, or Fund Requests) a user can access and whether they can only view information (read access) or also make changes (write access).
**Important**
If users are not properly provisioned access in IAM, they will not be able to access features in AWS Partner Central. Users should only have access to the features they need to do their job - this is called "least privilege" access.
### IAM Role-Based Access Implementation
Implementation varies by organization but generally follows this process:
Step 1: The IAM Administrator creates IAM roles
IAM Administrators create roles that define functional personas within AWS Partner Central. Each role describes the specific features and capabilities users in that job function need to access. For example, a role could be created for:
+ Marketing Managers, responsible for creating co-marketing assets and managing campaigns
+ Operations Administrators, responsible for creating and managing fund requests.
Organizations can create as many roles as needed based on the different personas accessing Partner Central. For a summary of common Partner Central user personas, see here. In addition to these managed policies, organizations can create and customize managed policies to tailor access as needed. For more information, see [AWS managed policies for AWS Partner Central users](https://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policies.html).
Not sure who your IAM Administrator is? They typically sit in IT Security, Information Security, or Governance/Compliance teams, but this varies by organization. They should have administrator access to the AWS account used to access AWS Partner Central.
Step 2: Assign IAM Policies to Each Role
Once roles are created, the IAM Administrator assigns specific IAM policies that determine allowed access. For example, the Marketing Manager role might receive read/write access to the Case Studies feature, permission to create and manage Solutions, and the ability to create tickets to APN Support. To simplify this process, AWS publishes Managed Policies—pre-built sets of IAM policies that map to common user roles. Instead of provisioning individual feature-level inline policies, IAM Administrators can assign Managed Policies that align with each role's responsibilities. To see how common Partner Central personas map to published Managed Policies, see here.
IAM Administrators can use managed policies or build custom policies for specific user permissions. AWS recommends using managed policies when possible to simplify permission management, as they enable automatic AWS updates for common use cases and version control.
Step 3: [Optional] Set up Single Sign-On
Single Sign-On (SSO) benefits users, organizations, and IT teams by streamlining authentication and enhancing security. For users, SSO simplifies access by allowing them to log in once, with a single set of credentials, to access multiple enterprise applications, reducing password fatigue and enabling faster productivity through seamless navigation across integrated systems. For organizations, SSO enhances security through centralized authentication that enables stronger access controls and improves compliance by making it easier to enforce security policies. For IT teams specifically, SSO simplifies administration by managing user identities and permissions from a single location, accelerates onboarding and offboarding by granting or revoking access to multiple systems simultaneously, and offers integration flexibility by connecting diverse applications through standard protocols. For more information on how to set up SSO for your organization, see here.
## Adding users to AWS Partner Central
Adding users to Partner Central requires coordination between the Alliance Lead (who determines access needs) and the IAM Administrator (who implements the technical setup).
**Note**
IAM permissions can be modified whenever needed, and there's no cap on how many users can receive access rights.
To add a new user:
### For Alliance Leads: Determine User Access Needs
1. **Identify the user's role and required access level:** Review the managed policy mappings to determine which role (persona) best describes their job function. Refer to this table for common Partner Central user personas and which Managed policies best fit that user's required level of access.
1. **Request the IAM Administrator to add the user.** Provide the IAM Administrator with:
+ User's name and company email address
+ Required managed policies (e.g., AWSPartnerCentralOpportunityManagement)
+ Any specific access requirements if custom policies are needed
### For IAM Administrators: Create and Configure User Access
Depending on your AWS account setup, choose one of the following options to grant users access:
Option 1: Using IAM Identity Center
**Best for:** Organizations managing multiple users across AWS accounts who want centralized access management with single sign-on (SSO) capabilities.
**Key benefits:** Centralized user management, automatic permission synchronization across accounts, simplified onboarding/offboarding, and enhanced security with SSO.
Option 2: Using IAM Console (For individual users)
**Best for:** Small teams or organizations managing a limited number of individual user accounts who need direct AWS Console access.
**Key benefits:** Quick setup for individual users, direct control over specific user permissions, and straightforward for small-scale deployments.
Option 3: Integrate with a third-party Identity Provider
**Best for:** Organizations already using enterprise identity providers (like Okta, Azure AD, or Ping Identity) who want to maintain existing authentication workflows.
**Key benefits:** Seamless integration with existing enterprise identity systems, consistent authentication experience across all business applications, centralized user lifecycle management, and enhanced compliance with corporate security policies.
## Permissions for AWS Partner Central
You can use the following permissions in IAM policies for AWS Partner Central. You can combine permissions into a single IAM policy to grant the permissions you want.
### ListPartnerPaths
`ListPartnerPaths` provides access to list partner paths in AWS Partner Central.
+ **Action groups:** `ListOnly`, `ReadOnly`, `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### EnrollInPartnerPath
`EnrollInPartnerPath` provides access to enroll in partner paths in AWS Partner Central.
+ **Action groups:** `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### GetPartnerDashboard
`GetPartnerDashboard` provides access to retrieve partner dashboard information in AWS Partner Central.
+ **Action groups:** `ReadOnly`, `ReadWrite`
+ **Required resources:** `arn:${Partition}:partnercentral::${Account}:catalog/${Catalog}/ReportingData/${TableId}/Dashboard/${DashboardId}`
+ **Condition keys:** `partnercentral:Catalog`
### CreateBusinessPlan
`CreateBusinessPlan` provides access to create business plans in AWS Partner Central.
+ **Action groups:** `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### PutBusinessPlan
`PutBusinessPlan` provides access to update business plans in AWS Partner Central.
+ **Action groups:** `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### ListBusinessPlans
`ListBusinessPlans` provides access to list business plans in AWS Partner Central.
+ **Action groups:** `ListOnly`, `ReadOnly`, `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### GetBusinessPlan
`GetBusinessPlan` provides access to retrieve business plan details in AWS Partner Central.
+ **Action groups:** `ReadOnly`, `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### CreateCollaborationChannelRequest
`CreateCollaborationChannelRequest` provides access to create collaboration channel requests in AWS Partner Central.
+ **Action groups:** `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### ListCollaborationChannels
`ListCollaborationChannels` provides access to list collaboration channels in AWS Partner Central.
+ **Action groups:** `ListOnly`, `ReadOnly`, `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### GetCollaborationChannel
`GetCollaborationChannel` provides access to retrieve collaboration channel details in AWS Partner Central.
+ **Action groups:** `ReadOnly`, `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### CreateCollaborationChannelMembers
`CreateCollaborationChannelMembers` provides access to create collaboration channel members in AWS Partner Central.
+ **Action groups:** `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### SearchPartnerProfiles
`SearchPartnerProfiles` provides access to search public partner profiles in AWS Partner Central.
+ **Action groups:** `ListOnly`, `ReadOnly`, `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### GetPartnerProfile
`GetPartnerProfile` provides access to retrieve public partner profile details in AWS Partner Central.
+ **Action groups:** `ReadOnly`, `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### GetProgramManagementAccount
`GetProgramManagementAccount` provides access to retrieve program management account details in AWS Partner Central.
+ **Action groups:** `ReadOnly`, `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
+ **Condition keys:** `partnercentral:Catalog`
### UseSession
`UseSession` provides access to use Partner Central agents sessions in AWS Partner Central.
+ **Action groups:** `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
+ **Condition keys:** `partnercentral:Catalog`
## Condition keys for AWS Partner Central
AWS Partner Central defines the following condition keys that you can use in the `Condition` element of an IAM policy.
### partnercentral:Catalog
Filters access by a specific Catalog.
+ **Type:** `String`
**Valid values:** `[AWS | Sandbox]`
### partnercentral:RelatedEntityType
Filters access by entity types for Opportunity association.
+ **Type:** `String`
**Valid values:** `[Solutions | AwsProducts | AwsMarketplaceOffers]`
### partnercentral:ChannelHandshakeType
Filters access by channel handshake types.
+ **Type:** `String`
**Valid values:** `[START_SERVICE_PERIOD | REVOKE_SERVICE_PERIOD | PROGRAM_MANAGEMENT_ACCOUNT]`
### partnercentral:VerificationType
Filters access by the type of verification being performed.
+ **Type:** `String`
**Valid values:** `[BUSINESS_VERIFICATION | REGISTRANT_VERIFICATION]`
### partnercentral:FulfillmentTypes
Filters access by benefit fulfillment types.
+ **Type:** `ArrayOfString`
**Valid values:** `[CREDITS | CASH | ACCESS]`
### partnercentral:Programs
Filters access by program.
+ **Type:** `ArrayOfString`
# Controlling access in AWS Partner Central account management
[AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) is an AWS service you can use at no additional charge that helps you control access to AWS resources. AWS Partner Central account management uses IAM for AWS Partner Central authentication and authorization. Administrators can use IAM roles to control who can sign in to AWS Partner Central and what AWS Partner Central permissions they have.
**Important**
AWS Partner Central users that you create authenticate using their credentials. However, they must use the same AWS account. Any change a user makes can impact the entire account.
For more information about available actions, resources, and condition keys, refer to [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html).
**Topics**
+ [Permissions for AWS Partner Central account management](#account-management-permissions)
+ [Condition keys for AWS Partner Central account management](#condition-keys)
+ [Additional resources](#additional-resources)
## Permissions for AWS Partner Central account management
You can use the following permissions in IAM policies for AWS Partner Central account management. You can combine permissions into a single IAM policy to grant the permissions you want.
### AssociatePartnerAccount
`AssociatePartnerAccount` provides access to associate AWS Partner Central and AWS accounts.
+ **Action groups:** `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### AssociatePartnerUser
`AssociatePartnerUser` provides access to associate AWS Partner Central users and IAM roles.
+ **Action groups:** `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### DisassociatePartnerUser
`DisassociatePartnerUser` provides access to associate AWS Partner Central users and IAM roles.
+ **Action groups:** `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
### AccessLegacyPartnerCentral
`AccessLegacyPartnerCentral` provides access to Single Sign-On from AWS Partner Central into Legacy Partner Central.
+ **Action groups:** `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
+ **Condition keys:** `partnercentral-account-management:LegacyPartnerCentralRole`
### AccessMarketingCentral
`AccessMarketingCentral` provides access to Single Sign-On from AWS Partner Central into Marketing Central.
+ **Action groups:** `ReadWrite`
+ **Required resources:** Does not support specifying a resource Amazon Resource Number (ARN) in the `Resource` element of an IAM policy statement. To allow access, specify `"Resource": "*"` in your policy.
+ **Condition keys:** `partnercentral-account-management:MarketingCentralRole`
## Condition keys for AWS Partner Central account management
AWS Partner Central account management defines the following condition keys that you can use in the `Condition` element of an IAM policy.
### partnercentral-account-management:LegacyPartnerCentralRole
Filters access by the Legacy Partner Central role. Accepted values: [AceManager, TechnicalStaff, ChannelUser, MarketingStaff].
+ **Type:** `ArrayOfString`
### partnercentral-account-management:MarketingCentralRole
Filters access by Marketing Central role. Accepted values: [portal-manager, marketing-staff, sales-representative].
+ **Type:** `ArrayOfString`
## Additional resources
Refer to the following sections of the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/) for more information:
+ [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+ [Managing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html#create-managed-policy-console)
+ [Attaching a policy to an IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html)
+ [IAM identities (users, user groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html)
+ [Controlling access to AWS resources using policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html)
# AWS managed policies for AWS Partner Central users
An AWS managed policy is a standalone policy created and administered by AWS. AWS managed policies provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) specific to your use cases. For more information, refer to [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies).
The AWS managed policies described in this section manage AWS Partner Central users' access to AWS Marketplace. For more information about AWS Marketplace seller policies, refer to [AWS managed policies for AWS Marketplace sellers](https://docs.aws.amazon.com/marketplace/latest/userguide/security-iam-awsmanpol.html).
**Topics**
+ [AWS managed policy: `AWSPartnerCentralFullAccess`](#security-iam-awsmanpol-AWSPartnerCentralFullAccess)
+ [AWS managed policy: `PartnerCentralAccountManagementUserRoleAssociation`](#user-role-association)
+ [AWS managed policy: `AWSPartnerCentralOpportunityManagement`](#security-iam-awsmanpol-AWSPartnerCentralOpportunityManagement)
+ [AWS managed policy: `AWSPartnerCentralSandboxFullAccess`](#security-iam-awsmanpol-AWSPartnerCentralSandboxFullAccess)
+ [AWS managed policy: `AWSPartnerCentralSellingResourceSnapshotJobExecutionRolePolicy`](#security-iam-awsmanpol-AWSPartnerCentralSellingResourceSnapshotJobExecutionRolePolicy)
+ [AWS managed policy: `AWSPartnerCentralChannelManagement`](#security-iam-awsmanpol-AWSPartnerCentralChannelManagement)
+ [AWS managed policy: `AWSPartnerCentralChannelHandshakeApprovalManagement`](#security-iam-awsmanpol-AWSPartnerCentralChannelHandshakeApprovalManagement)
+ [AWS managed policy: `AWSPartnerCentralMarketingManagement`](#security-iam-awsmanpol-AWSPartnerCentralMarketingManagement)
+ [AWS managed policy: `PartnerCentralIncentiveBenefitManagement`](#security-iam-awsmanpol-PartnerCentralIncentiveBenefitManagement)
+ [AWS managed policy: `AWSPartnerProServeToolsFullAccess`](#security-iam-awsmanpol-AWSPartnerProServeToolsFullAccess)
+ [AWS managed policy: `AWSPartnerProServeToolsOrganizationReaderIndividualContributor`](#security-iam-awsmanpol-AWSPartnerProServeToolsOrganizationReaderIndividualContributor)
+ [AWS managed policy: `AWSPartnerProServeToolsIndividualContributor`](#security-iam-awsmanpol-AWSPartnerProServeToolsIndividualContributor)
+ [AWS Partner Central updates to AWS managed policies](#security-iam-awsmanpol-updates)
## AWS managed policy: `AWSPartnerCentralFullAccess`
You can attach the `AWSPartnerCentralFullAccess` policy to your IAM identities.
This policy grants full access to AWS Partner Central and related AWS services.
To view the permissions for this policy, see [AWSPartnerCentralFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPartnerCentralFullAccess.html) in the *AWS Managed Policy Reference*.
## AWS managed policy: `PartnerCentralAccountManagementUserRoleAssociation`
You can attach the `PartnerCentralAccountManagementUserRoleAssociation` policy to your IAM identities. This policy is used by a partner cloud admin to manage IAM roles linked to partner users.
This policy allows the following operations:
+ List all roles.
+ Pass an IAM role with the name prefix `PartnerCentralRoleFor` to the AWS Partner Central account management service.
+ Associate a AWS Partner Central user with an IAM role.
+ Disassociate a AWS Partner Central user from an IAM role.
To view the permissions for this policy, see [PartnerCentralAccountManagementUserRoleAssociation](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/PartnerCentralAccountManagementUserRoleAssociation.html) in the *AWS Managed Policy Reference*.
## AWS managed policy: `AWSPartnerCentralOpportunityManagement`
You can attach the `AWSPartnerCentralOpportunityManagement` policy to your IAM identities.
This policy grants full access to manage opportunities in AWS Partner Central.
To view the permissions for this policy, see [AWSPartnerCentralOpportunityManagement](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPartnerCentralOpportunityManagement.html) in the *AWS Managed Policy Reference*.
## AWS managed policy: `AWSPartnerCentralSandboxFullAccess`
You can attach the `AWSPartnerCentralSandboxFullAccess` policy to your IAM identities.
This policy grants access for developer testing in the Sandbox catalog.
To view the permissions for this policy, see [AWSPartnerCentralSandboxFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPartnerCentralSandboxFullAccess.html) in the *AWS Managed Policy Reference*.
## AWS managed policy: `AWSPartnerCentralSellingResourceSnapshotJobExecutionRolePolicy`
You can attach the `AWSPartnerCentralSellingResourceSnapshotJobExecutionRolePolicy` policy to your IAM identities.
This policy provides the ResourceSnapshotJob with permission to read a resource and snapshot it in the target environment. For more information on how to use this policy, see [Working with multi-partner opportunities](https://docs.aws.amazon.com/partner-central/latest/APIReference/working-with-multi-partner-opportunities.html#creating-custom-policy-resourcesnapshotjobrole) in the *AWS Partner Central API Reference*.
To view the permissions for this policy, see [AWSPartnerCentralSellingResourceSnapshotJobExecutionRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPartnerCentralSellingResourceSnapshotJobExecutionRolePolicy.html) in the *AWS Managed Policy Reference*.
## AWS managed policy: `AWSPartnerCentralChannelManagement`
You can attach the `AWSPartnerCentralChannelManagement` policy to your IAM identities.
This policy grants access to manage channel programs and relationships in AWS Partner Central.
To view the permissions for this policy, see [AWSPartnerCentralChannelManagement](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPartnerCentralChannelManagement.html) in the *AWS Managed Policy Reference*.
## AWS managed policy: `AWSPartnerCentralChannelHandshakeApprovalManagement`
You can attach the `AWSPartnerCentralChannelHandshakeApprovalManagement` policy to your IAM identities.
This policy grants access to channel handshake approval management activities in AWS Partner Central.
To view the permissions for this policy, see [AWSPartnerCentralChannelHandshakeApprovalManagement](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPartnerCentralChannelHandshakeApprovalManagement.html) in the *AWS Managed Policy Reference*.
## AWS managed policy: `AWSPartnerCentralMarketingManagement`
You can attach the `AWSPartnerCentralMarketingManagement` policy to your IAM identities.
This policy grants access to manage marketing activities and campaigns in AWS Partner Central.
To view the permissions for this policy, see [AWSPartnerCentralMarketingManagement](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPartnerCentralMarketingManagement.html) in the *AWS Managed Policy Reference*.
## AWS managed policy: `PartnerCentralIncentiveBenefitManagement`
You can attach the `PartnerCentralIncentiveBenefitManagement` policy to your IAM identities.
This policy grants access to manage all the incentive benefits in AWS Partner Central.
To view the permissions for this policy, see [PartnerCentralIncentiveBenefitManagement](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/PartnerCentralIncentiveBenefitManagement.html) in the *AWS Managed Policy Reference*.
## AWS managed policy: `AWSPartnerProServeToolsFullAccess`
You can attach the `AWSPartnerProServeToolsFullAccess` policy to your IAM identities.
This policy grants full access to AWS ProServe Tools (A2T and MPA) via AWS Partner Central Single Sign-On. It includes all assessment roles — individual contributor, organization reader, organization contributor, and organization admin — enabling complete access to create, read, update, and share assessments across the organization, as well as manage organization-level settings.
**Roles granted:**
+ AssessmentIndividualContributor
+ AssessmentOrganizationReader
+ AssessmentOrganizationContributor
+ OrganizationAdmin
To view the permissions for this policy, see [AWSPartnerProServeToolsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPartnerProServeToolsFullAccess.html) in the *AWS Managed Policy Reference*.
## AWS managed policy: `AWSPartnerProServeToolsOrganizationReaderIndividualContributor`
You can attach the `AWSPartnerProServeToolsOrganizationReaderIndividualContributor` policy to your IAM identities.
This policy grants read access to all organizational assessments in A2T, combined with the ability to create and manage the user's own assessments in both A2T and MPA. It is intended for users who need visibility into team assessments while retaining the ability to manage their own work.
**Note**
MPA does not support read-only mode. Users assigned this policy will retain read/write access to their own MPA assessments.
**Roles granted:**
+ AssessmentIndividualContributor
+ AssessmentOrganizationReader
To view the permissions for this policy, see [AWSPartnerProServeToolsOrganizationReaderIndividualContributor](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPartnerProServeToolsOrganizationReaderIndividualContributor.html) in the *AWS Managed Policy Reference*.
## AWS managed policy: `AWSPartnerProServeToolsIndividualContributor`
You can attach the `AWSPartnerProServeToolsIndividualContributor` policy to your IAM identities.
This policy grants the minimum permissions required to access AWS ProServe Tools via AWS Partner Central Single Sign-On. Users can create, read, update, and share their own assessments in both A2T and MPA. Access is scoped to assessments created by the user's own IAM identity (role or user ARN).
**Roles granted:**
+ AssessmentIndividualContributor
To view the permissions for this policy, see [AWSPartnerProServeToolsIndividualContributor](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPartnerProServeToolsIndividualContributor.html) in the *AWS Managed Policy Reference*.
## AWS Partner Central updates to AWS managed policies
View details about updates to AWS managed policies for AWS Partner Central since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Partner Central [Document history for the AWS Partner Central Getting Started Guide](doc-history.md) page.
| Change | Description | Date |
| --- | --- | --- |
| [AWSPartnerProServeToolsFullAccess](#security-iam-awsmanpol-AWSPartnerProServeToolsFullAccess) — New policy | AWS Partner Central added a new policy to grant full access to AWS ProServe Tools (A2T and MPA) via AWS Partner Central Single Sign-On with all assessment roles. | March 23, 2026 |
| [AWSPartnerProServeToolsOrganizationReaderIndividualContributor](#security-iam-awsmanpol-AWSPartnerProServeToolsOrganizationReaderIndividualContributor) — New policy | AWS Partner Central added a new policy to grant read access to organizational assessments in A2T and manage own assessments in both A2T and MPA. | March 23, 2026 |
| [AWSPartnerProServeToolsIndividualContributor](#security-iam-awsmanpol-AWSPartnerProServeToolsIndividualContributor) — New policy | AWS Partner Central added a new policy to grant minimum permissions to access AWS ProServe Tools and manage own assessments. | March 23, 2026 |
| [PartnerCentralIncentiveBenefitManagement](#security-iam-awsmanpol-PartnerCentralIncentiveBenefitManagement) — Update to an existing policy | AWS Partner Central updated a policy to add Partner Central Agents session management capability through the Model Context Protocol. | March 13, 2026 |
| [AWSPartnerCentralOpportunityManagement](#security-iam-awsmanpol-AWSPartnerCentralOpportunityManagement) — Update to an existing policy | AWS Partner Central updated a policy to add Partner Central Agents session management capability through the Model Context Protocol. | March 13, 2026 |
| [AWSPartnerCentralSandboxFullAccess](#security-iam-awsmanpol-AWSPartnerCentralSandboxFullAccess) — Update to an existing policy | AWS Partner Central updated a policy to add Partner Central Agents session management capability through the Model Context Protocol. | March 13, 2026 |
| [AWSPartnerCentralFullAccess](#security-iam-awsmanpol-AWSPartnerCentralFullAccess) — Update to an existing policy | AWS Partner Central updated a policy to add Partner Central Agents session management capability through the Model Context Protocol. | March 13, 2026 |
| [AWSPartnerCentralOpportunityManagement](#security-iam-awsmanpol-AWSPartnerCentralOpportunityManagement) — Update to an existing policy | AWS Partner Central updated a policy to add Amazon Q permissions for Partner Assistant chatbot functionality. | February 23, 2026 |
| [AWSPartnerCentralChannelManagement](#security-iam-awsmanpol-AWSPartnerCentralChannelManagement) — Update to an existing policy | AWS Partner Central updated a policy to add Amazon Q permissions for Partner Assistant chatbot functionality. | February 23, 2026 |
| [AWSPartnerCentralMarketingManagement](#security-iam-awsmanpol-AWSPartnerCentralMarketingManagement) — Update to an existing policy | AWS Partner Central updated a policy to add Amazon Q permissions for Partner Assistant chatbot functionality. | February 23, 2026 |
| [PartnerCentralIncentiveBenefitManagement](#security-iam-awsmanpol-PartnerCentralIncentiveBenefitManagement) — New policy | AWS Partner Central added a new policy to grant access to all the incentive benefits functionality. | February 11, 2026 |
| [AWSPartnerCentralFullAccess](#security-iam-awsmanpol-AWSPartnerCentralFullAccess) — Update to an existing policy | AWS Partner Central updated a policy to add Amazon Q permissions for Partner Assistant chatbot functionality and to add AWS Marketplace Agreements read access for MPOPP benefits functionality. | February 4, 2026 |
| [AWSPartnerCentralMarketingManagement](#security-iam-awsmanpol-AWSPartnerCentralMarketingManagement) — New policy | AWS Partner Central added a new policy to grant access to manage partner central marketing and campaigns. | November 30, 2025 |
| [AWSPartnerCentralFullAccess](#security-iam-awsmanpol-AWSPartnerCentralFullAccess) — Update to an existing policy | AWS Partner Central updated a policy to add legacy Partner Central access, put files into S3, and get AWS Marketplace entities. | November 30, 2025 |
| [AWSPartnerCentralOpportunityManagement](#security-iam-awsmanpol-AWSPartnerCentralOpportunityManagement) — Update to an existing policy | AWS Partner Central updated a policy to add engagement context access, opportunity from engagement task access, and legacy Partner Central access, get dashboard, collaboration channel access, get partner, and tag opportunity and resource snapshot jobs. | November 30, 2025 |
| [AWSPartnerCentralChannelManagement](#security-iam-awsmanpol-AWSPartnerCentralChannelManagement) — Update to an existing policy | AWS Partner Central updated a policy to add legacy Partner Central access, get dashboard, and get partner. | November 30, 2025 |
| [AWSPartnerCentralFullAccess](#security-iam-awsmanpol-AWSPartnerCentralFullAccess) — Update to an existing policy | AWS Partner Central updated a policy to add Channel billing transfer role access. | November 19, 2025 |
| [AWSPartnerCentralChannelManagement](#security-iam-awsmanpol-AWSPartnerCentralChannelManagement) — New policy | AWS Partner Central added a new policy to grant access to manage channel management activities. | November 19, 2025 |
| [AWSPartnerCentralChannelHandshakeApprovalManagement](#security-iam-awsmanpol-AWSPartnerCentralChannelHandshakeApprovalManagement) — New policy | AWS Partner Central added a new policy to grant access to channel handshake approval management activities. | November 19, 2025 |
| [AWSPartnerCentralFullAccess](#security-iam-awsmanpol-AWSPartnerCentralFullAccess) — Update to an existing policy | AWS Partner Central updated a policy. | December 4, 2024 |
| [AWSPartnerCentralOpportunityManagement](#security-iam-awsmanpol-AWSPartnerCentralOpportunityManagement) — Update to an existing policy | AWS Partner Central updated a policy. | December 4, 2024 |
| [AWSPartnerCentralSandboxFullAccess](#security-iam-awsmanpol-AWSPartnerCentralSandboxFullAccess) — Update to an existing policy | AWS Partner Central updated a policy. | December 4, 2024 |
| [AWSPartnerCentralSellingResourceSnapshotJobExecutionRolePolicy](#security-iam-awsmanpol-AWSPartnerCentralSellingResourceSnapshotJobExecutionRolePolicy) — New policy | AWS Partner Central added a new policy to grant access to read resources and create snapshots. | December 4, 2024 |
| [AWSPartnerCentralFullAccess](#security-iam-awsmanpol-AWSPartnerCentralFullAccess) – New policy | AWS Partner Central added a new policy to grant full access to the AWS Partner Central service. | November 18, 2024 |
| [AWSPartnerCentralOpportunityManagement](#security-iam-awsmanpol-AWSPartnerCentralOpportunityManagement) — New policy | AWS Partner Central added a new policy to grant full access to manage opportunities in AWS Partner Central. | November 14, 2024 |
| [AWSPartnerCentralSandboxFullAccess](#security-iam-awsmanpol-AWSPartnerCentralSandboxFullAccess) — New policy | AWS Partner Central added a new policy to grant access for developer testing in the Sandbox catalog. | November 14, 2024 |
| AWS Partner Central started tracking changes | AWS Partner Central started tracking changes for its AWS managed policies. | November 14, 2024 |
# Mapping Partner Central Users to Managed Policies
## Understanding Partner Central Personas and Policy Mapping
Each persona represents a distinct role within your partner organization with specific access needs to AWS Partner Central features. Match your users to these personas to assign the appropriate managed policy that grants necessary permissions while maintaining security best practices.
**Important**
All managed policies below grant users access to Amazon Q, an AI-powered assistant providing real-time support and guidance within AWS Partner Central. For more information on Amazon Q, see [here](https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/what-is.html).
## Common AWS Partner Central User Personas
| User persona | Persona Description | Recommended Partner Central Managed policies | Partner Central responsibilities |
| --- | --- | --- | --- |
| IAM Administrator | This individual typically sits in IT Security, Information Security, or Governance/Compliance teams, but this varies by organization. They should have administrator access to the AWS account used to access AWS Partner Central. | This individual should have administrator rights within the AWS account in order to provision users' IAM permissions | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) |
| Alliance Lead (Head of AWS Partnership, Director of Cloud Alliances) | Owns the AWS relationship and is responsible for driving growth of the AWS partnership through program alignment, co-sell readiness and cross-functional execution | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) These policies combined provision these users with full read and write access to all features in AWS Partner Central. For a detailed breakdown of what this policy contains, see [here](https://docs.aws.amazon.com/partner-central/latest/getting-started/security-iam-awsmanpol.html). | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) |
| Program Coordinator (Partner Operations Manager, Alliance Team Member, APN Program Administrator) | Collaborates closely with Alliance Lead to distribute oversight responsibilities by supporting tracking of requirements, management of submissions and ensuring compliance. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) These users are essentially an extension of the Alliance Lead and require similar permissions. These policies combined provisions these users with full read and write access to all features in AWS Partner Central. For a detailed breakdown of what this policy contains, see [here](https://docs.aws.amazon.com/partner-central/latest/getting-started/security-iam-awsmanpol.html). | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) |
| Marketing Manager (Partner Marketing Manager, Channel Marketing Lead) | The Marketing Manager builds awareness and drives demand for AWS-aligned offerings. They develop campaigns, create content, and apply for joint marketing programs. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) |
| Sales Manager (Account Manager, Account Executive, Business Development Manager) | Accelerate revenue by sourcing, registering and closing AWS-related deals in collaboration with AWS field teams. | `AWSPartnerCentralOpportunityManagement` This policy grants users the ability to view and edit the entire pipeline of opportunities within your AWS Partner Central account. This policy is designed for team members who are actively working on partner opportunities and need access to opportunity management features, but don't require access to all Partner Central capabilities. This policy also provides access to other general purpose features, like the ability to access partner documentation, contact support, and track progress with the Scorecard. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) |
| Integration Engineer/Developer | Technical user supporting the partner alliances team with building and maintaining CRM integrations connecting partner systems to AWS Partner Central APIs | AWSFullAccessSandboxFullAccess | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) |
| Technical Lead | The Technical Lead is the engineer or architect who ensures their organization's solutions meet AWS technical standards and program requirements. They design and implement scalable cloud architectures, provide technical guidance across teams, and optimize solutions for performance, security, and cost. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) |
| Funding Program Manager | The Funding Program Manager owns financial operations tied to AWS—tracking revenue, reconciling payments, and managing funding audits and reporting. | `PartnerCentralIncentiveBenefitManagement` This policy provides access to manage incentive and benefit programs within AWS Partner Central. | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) |
## AWS ProServe Tools Access
For services partners supporting customer migrations and who want access to the AWS Assessment Tools (outside of AWS Partner Central), users must be assigned one of three managed policies to be provisioned access. These tools include:
+ **Migration Portfolio Assessment (MPA)**: A tool that helps partners and customers evaluate, plan, and prioritize workloads for migration to AWS. MPA enables partners to build a business case for migration, analyze the current application portfolio, estimate costs, and identify the right migration strategy for each workload. It provides data-driven insights to accelerate migration planning and reduce risk.
+ **Assessment Tools (A2T)**: A suite of customer-facing survey and assessment tools, including the Migration Readiness Assessment (MRA) — a structured evaluation that measures a customer's readiness to migrate to AWS across six dimensions of the AWS Cloud Adoption Framework. A2T assessments help partners identify gaps, build remediation plans, and demonstrate migration readiness to AWS and the customer.
Access is controlled through three AWS managed policies, each mapped to a specific user persona. Use the table below to determine the level of access each individual requires:
| User persona | Persona Description | Recommended Partner Central Managed policies | AWS Assessment Tools functionality |
| --- | --- | --- | --- |
| Individual Contributor | This individual creates and manages their own assessments in A2T and MPA. This is the base-level role required for all assessment activity. | AWSPartnerProServeToolsIndividualContributor | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) |
| Organization Reader and Individual Contributor | This individual requires visibility into all assessments across the organization, while also managing their own. This persona is common for team leads or senior practitioners who need to review historical or peer assessments without editing them. | AWSPartnerProServeToolsOrganizationReaderIndividualContributor | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) |
| Organization Contributor (Full Assessment Access) | This individual requires full read/write access to all assessments in the organization. This persona is suited for senior practitioners or delivery leads who need to edit, delete, or share assessments created by any user in the organization, including historical assessments. | AWSPartnerProServeToolsFullAccess | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policy-mappings.html) |
For more information about IAM managed policies, see [Managing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-using.html). For information about attaching policies to users and groups, see [Attaching a policy to an IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html).
# User Management FAQs
## Who in my organization is the IAM Administrator, and how do I contact them?
IAM Administrators typically sit within IT Security or Information Security departments, and sometimes in dedicated IAM teams or Governance/Compliance orgs. These Admins are generally responsible for implementing IAM policies, configuring SSO solutions, handling compliance reviews, and maintaining role-based access control structures.
## What are the managed policy options for Partner Central in the AWS Consoles?
Refer to [AWS managed policies for AWS Partner Central users](https://docs.aws.amazon.com/partner-central/latest/getting-started/managed-policies.html) for the most up-to-date documentation.
## If I am unable to log in to my Partner Central account in the AWS Console, who do I contact?
Whether your organization uses an IdP, [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) without an IdP, or [AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) console to manage AWS Partner Central access, your IAM Admin or IT department can help you with restoring access. AWS does not manage AWS account permissions.