

本文為英文版的機器翻譯版本，如內容有任何歧義或不一致之處，概以英文版為準。

# 用於建立和管理 EMR Studio 的管理員許可
<a name="emr-studio-admin-permissions"></a>

本頁所述的 IAM 許可允許您建立和管理 EMR Studio。如需有關每個所需許可的詳細資訊，請參閱 [管理 EMR Studio 所需的許可](#emr-studio-admin-permissions-table)。

## 管理 EMR Studio 所需的許可
<a name="emr-studio-admin-permissions-table"></a>

下表列出了與建立和管理 EMR Studio 相關的操作。此資料表也會顯示每項操作所需的許可。

**注意**  
使用 IAM Identity Center 身分驗證模式時，只需要 IAM Identity Center 和 Studio `SessionMapping` 動作。


**用於建立和管理 EMR Studio 的許可**  

| 作業 | 許可 | 
| --- | --- | 
| 建立 Studio |  <pre>"elasticmapreduce:CreateStudio", <br />"sso:CreateApplication",<br />"sso:PutApplicationAuthenticationMethod",<br />"sso:PutApplicationGrant",<br />"sso:PutApplicationAccessScope",<br />"sso:PutApplicationAssignmentConfiguration",<br />"iam:PassRole"</pre>  | 
| 描述 Studio |  <pre>"elasticmapreduce:DescribeStudio",<br />"sso:GetManagedApplicationInstance"</pre>  | 
| 列出 Studio |  <pre>"elasticmapreduce:ListStudios"</pre>  | 
| 刪除 Studio |  <pre>"elasticmapreduce:DeleteStudio",<br />"sso:DeleteApplication",<br />"sso:DeleteApplicationAuthenticationMethod",<br />"sso:DeleteApplicationAccessScope",<br />"sso:DeleteApplicationGrant"</pre>  | 
| Additional permissions required when you use IAM Identity Center mode | 
|  將使用者或群組指派給 Studio  |  <pre>"elasticmapreduce:CreateStudioSessionMapping",<br />"sso:GetProfile",<br />"sso:ListDirectoryAssociations",<br />"sso:ListProfiles",<br />"sso:AssociateProfile",<br />"sso-directory:SearchUsers",<br />"sso-directory:SearchGroups",<br />"sso-directory:DescribeUser",<br />"sso-directory:DescribeGroup",<br />"sso:ListInstances",<br />"sso:CreateApplicationAssignment",<br />"sso:DescribeInstance",<br />"organizations:DescribeOrganization",<br />"organizations:ListDelegatedAdministrators",<br />"sso:CreateInstance",<br />"sso:DescribeRegisteredRegions",<br />"sso:GetSharedSsoConfiguration",<br />"iam:ListPolicies"</pre>  | 
|  擷取特定使用者或群組的 Studio 指派詳細資訊  |  <pre>"sso-directory:SearchUsers",<br />"sso-directory:SearchGroups",<br />"sso-directory:DescribeUser",<br />"sso-directory:DescribeGroup",<br />"sso:DescribeApplication",<br />"elasticmapreduce:GetStudioSessionMapping"</pre>  | 
| 列出指派給 Studio 的所有使用者和群組 |  <pre>"elasticmapreduce:ListStudioSessionMappings"</pre>  | 
| 更新附接至指派給 Studio 的使用者或群組的工作階段政策 |  <pre>"sso-directory:SearchUsers",<br />"sso-directory:SearchGroups",<br />"sso-directory:DescribeUser",<br />"sso-directory:DescribeGroup",<br />"sso:DescribeApplication",<br />"sso:DescribeInstance",<br />"elasticmapreduce:UpdateStudioSessionMapping"</pre>  | 
| 從 Studio 中移除使用者或群組 |  <pre>"elasticmapreduce:DeleteStudioSessionMapping",<br />"sso-directory:SearchUsers",<br />"sso-directory:SearchGroups",<br />"sso-directory:DescribeUser",<br />"sso-directory:DescribeGroup",<br />"sso:ListDirectoryAssociations",<br />"sso:GetProfile",<br />"sso:DescribeApplication",<br />"sso:DescribeInstance",<br />"sso:ListProfiles",<br />"sso:DisassociateProfile",<br />"sso:DeleteApplicationAssignment",<br />"sso:ListApplicationAssignments"<br /></pre>  | 

**若要建立具有 EMR Studio 管理員許可的政策**

1. 遵循[建立 IAM 政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html)中的指示，使用下列其中一個範例來建立政策。您需要的許可取決於 [EMR Studio 的身分驗證模式](emr-studio-authentication.md)。

   為這些項目插入您自己的值：
   + 取代 *`<your-resource-ARN>`* 以指定陳述式針對您的使用案例所涵蓋物件的 Amazon Resource Name (ARN)。
   + 將 *<region>* 取代為您計劃在其中建立 Studio 的 AWS 區域 代碼。
   + 將 *<aws-account\$1id>* 取代為 Studio 的 AWS 帳戶 ID。
   + 將 *<EMRStudio-Service-Role>* 和 *<EMRStudio-User-Role>* 取代為 [EMR Studio 服務角色](emr-studio-service-role.md)和 [EMR Studio 使用者角色](emr-studio-user-permissions.md#emr-studio-create-user-role)的名稱。  
**Example 範例政策：使用 IAM 身分驗證模式時的管理員許可**  

------
#### [ JSON ]

****  

   ```
   {
     "Version":"2012-10-17",		 	 	 
     "Statement": [
       {
         "Effect": "Allow",
         "Resource": [
           "arn:aws:elasticmapreduce:*:123456789012:studio/*"
         ],
         "Action": [
           "elasticmapreduce:CreateStudio",
           "elasticmapreduce:DescribeStudio",
           "elasticmapreduce:DeleteStudio"
         ],
         "Sid": "AllowELASTICMAPREDUCECreatestudio"
       },
       {
         "Effect": "Allow",
         "Resource": [
           "*"
         ],
         "Action": [
           "elasticmapreduce:ListStudios"
         ],
         "Sid": "AllowELASTICMAPREDUCEListstudios"
       },
       {
         "Effect": "Allow",
         "Resource": [
           "arn:aws:iam::123456789012:role/EMRStudioServiceRole"
         ],
         "Action": [
           "iam:PassRole"
         ],
         "Sid": "AllowIAMPassrole"
       }
     ]
   }
   ```

------  
**Example 範例政策：使用 IAM Identity Center 身分驗證模式時的管理員許可**  
**注意**  
Identity Center 和 Identity Center Directory API 不支援在 IAM 政策陳述式的資源元素中指定 ARN。若要允許存取 IAM Identity Center 和 IAM Identity Center Directory，下列許可能夠指定 IAM Identity Center 動作的所有資源 ("Resource":"\$1")。如需詳細資訊，請參閱[適用於 IAM Identity Center Directory 的動作、資源和條件索引鍵](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsssodirectory.html#awsssodirectory-actions-as-permissions)。

------
#### [ JSON ]

****  

   ```
   {
     "Version":"2012-10-17",		 	 	 
     "Statement": [
       {
         "Effect": "Allow",
         "Resource": [
           "arn:aws:elasticmapreduce:*:123456789012:studio/*"
         ],
         "Action": [
           "elasticmapreduce:CreateStudio",
           "elasticmapreduce:DescribeStudio",
           "elasticmapreduce:DeleteStudio",
           "elasticmapreduce:CreateStudioSessionMapping",
           "elasticmapreduce:GetStudioSessionMapping",
           "elasticmapreduce:UpdateStudioSessionMapping",
           "elasticmapreduce:DeleteStudioSessionMapping"
         ],
         "Sid": "AllowELASTICMAPREDUCECreatestudio"
       },
       {
         "Effect": "Allow",
         "Resource": [
           "*"
         ],
         "Action": [
           "elasticmapreduce:ListStudios",
           "elasticmapreduce:ListStudioSessionMappings"
         ],
         "Sid": "AllowELASTICMAPREDUCEListstudios"
       },
       {
         "Effect": "Allow",
         "Resource": [
           "arn:aws:iam::123456789012:role/EMRStudio-SvcRole",
           "arn:aws:iam::123456789012:role/EMRStudio-User-Role"
         ],
         "Action": [
           "iam:PassRole"
         ],
         "Sid": "AllowIAMPassrole"
       },
       {
         "Effect": "Allow",
         "Resource": [
           "*"
         ],
         "Action": [
           "sso:CreateApplication",
           "sso:PutApplicationAuthenticationMethod",
           "sso:PutApplicationGrant",
           "sso:PutApplicationAccessScope",
           "sso:PutApplicationAssignmentConfiguration",
           "sso:DescribeApplication",
           "sso:DeleteApplication",
           "sso:DeleteApplicationAuthenticationMethod",
           "sso:DeleteApplicationAccessScope",
           "sso:DeleteApplicationGrant",
           "sso:ListInstances",
           "sso:CreateApplicationAssignment",
           "sso:DeleteApplicationAssignment",
           "sso:ListApplicationAssignments",
           "sso:DescribeInstance",
           "sso:AssociateProfile",
           "sso:DisassociateProfile",
           "sso:GetProfile",
           "sso:ListDirectoryAssociations",
           "sso:ListProfiles",
           "sso-directory:SearchUsers",
           "sso-directory:SearchGroups",
           "sso-directory:DescribeUser",
           "sso-directory:DescribeGroup",
           "organizations:DescribeOrganization",
           "organizations:ListDelegatedAdministrators",
           "sso:CreateInstance",
           "sso:DescribeRegisteredRegions",
           "sso:GetSharedSsoConfiguration",
           "iam:ListPolicies"
         ],
         "Sid": "AllowSSOCreateapplication"
       }
     ]
   }
   ```

------

1. 將政策附接至 IAM 身分 (使用者、角色或群組)。如需相關指示，請參閱[新增和移除 IAM 身分許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)。