Ability to create Account Roles at the root-level without making them available at the sub-account level

Idea created by christine_mckeon@harvard.edu on May 1, 2017
    Open for Voting

    Account Roles created at the root-account level automatically 'trickle down' to the sub-accounts and there is currently no way to prevent this from happening.


    It would be great to be able to create root-account level roles that are not available in the sub-accounts. For example, we have created a 'Masquerade' role, where the *only* enabled permission is to 'Become other users.' This permission is not available at the sub-account level, but the role trickles down anyway. This means that people can grant users sub-account admin roles that will not work as expected.



    Additionally, we have created other Account Roles that are only intended to be used at the root-level (such as Service Accounts, or fully permissioned Account Admins), so it is confusing for those roles to exist at the sub-account level as well.