

# Delegate permission set administration


IAM Identity Center enables you to delegate management of permission sets and assignments in accounts by creating [IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) that reference the [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) of IAM Identity Center resources. For example, you can create policies that enable different administrators to manage assignments in specified accounts for permission sets with specific tags.

**Note**  
To use permission sets, you'll need to use an Organization instance of IAM Identity Center. For more information, see [Organization and account instances of IAM Identity Center](identity-center-instances.md).

You can use either of the following methods to create these types of policies.
+ (Recommended) Create [permission sets](permissionsets.md) in IAM Identity Center, each with a different policy, and assign the permission sets to different users or groups. This enables you to manage administrative permissions for users who sign in using your chosen [IAM Identity Center identity source](manage-your-identity-source.md). 
+ Create custom policies in IAM, and then attach them to IAM roles that your administrators assume to get their assigned IAM Identity Center administrative permissions. For information about roles, see [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html).

**Important**  
IAM Identity Center resource ARNs are case sensitive. 

The following shows the proper case for referencing the IAM Identity Center permission set and account resource types.


| Resource Types | ARN | Context Keys | 
| --- | --- | --- | 
| PermissionSet | arn:${Partition}:sso:::permissionSet/${InstanceId}/${PermissionSetId} | aws:ResourceTag/${TagKey} | 
| Account | arn:${Partition}:sso:::account/${AccountId} | Not Applicable | 
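
Because these ARNs are case sensitive, a delegation policy with a miscased resource type will not match the resource it was written for. The following check is an added example, not code from the AWS documentation: it scans a policy document for Identity Center ARNs whose resource type differs from the table above only by case. The function name `find_miscased_arns`, the sample policy, and every ID and tag value in it are constructed placeholders.

```python
import re

# Resource-type segments exactly as cased in the table above.
CANONICAL_TYPES = ("permissionSet", "account")
# arn:<partition>:sso:::<type>/<rest> (region and account-id fields are empty)
SSO_ARN = re.compile(r"^arn:([^:]*):sso:::([^/]+)/(.+)$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_miscased_arns(policy):
    """Return (statement_index, arn, corrected_arn) for every Identity Center
    ARN whose resource type differs from the canonical spelling only by case."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        for arn in _as_list(stmt.get("Resource", [])):
            m = SSO_ARN.match(arn)
            if not m:
                continue  # "*" or a non-Identity Center ARN
            partition, rtype, rest = m.groups()
            for canon in CANONICAL_TYPES:
                if rtype.lower() == canon.lower() and rtype != canon:
                    findings.append((i, arn, f"arn:{partition}:sso:::{canon}/{rest}"))
    return findings

# Constructed sample policy: account ID, tag key and IDs are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # index 0: correctly cased, permission sets selected by tag
            "Effect": "Allow",
            "Action": ["sso:CreateAccountAssignment", "sso:DeleteAccountAssignment"],
            "Resource": "arn:aws:sso:::permissionSet/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Department": "Finance"}},
        },
        {   # index 1: both resource types miscased
            "Effect": "Allow",
            "Action": ["sso:CreateAccountAssignment", "sso:DeleteAccountAssignment"],
            "Resource": ["arn:aws:sso:::permissionset/ssoins-EXAMPLE/ps-EXAMPLE",
                         "arn:aws:sso:::Account/111122223333"],
        },
    ],
}

if __name__ == "__main__":
    for idx, bad, good in find_miscased_arns(SAMPLE_POLICY):
        print(f"Statement[{idx}]: {bad} -> {good}")
```

The check only covers the two resource types listed in the table; wildcards and ARNs for other services are skipped.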