PermissionSets from master account not visible when TEAM application deployed in delegated-admin account

[topfblumen]

I'm encountering an issue with permission set visibility in the TEAM application when deployed in a delegated admin account while managing IAM Identity Center PermissionSets from the master account.

---

Setup

• IAM Identity Center (IDC) is configured in the master account and delegates to my delegated-admin account
• TEAM application is deployed in a delegated admin account
• Permission sets are created and managed from the master account

Issue

The current logic in index.py (lines 119-126) appears to intentionally exclude permission sets from the master account when the application runs from a delegated admin account:

def handler(event, context):
    print(event)
    id = event['id']
    permissions = []
    mgmt_ps = get_mgmt_ps()
    deployed_in_mgmt = True if ACCOUNT_ID == mgmt_account_id else False
    try:
        p = client.get_paginator('list_permission_sets')
        paginator = p.paginate(InstanceArn=sso_instance['InstanceArn'])

        for page in paginator:
            for permission in page['PermissionSets']:
                if not deployed_in_mgmt:
                    if permission not in mgmt_ps:
                        permissions.append(getPS(permission))
                else:
                    permissions.append(getPS(permission))
        permissions =  sorted(permissions, key=itemgetter('Name')) 
        
        result = {
            'id': id,
            'permissions': permissions
        }    
        print(result)    
        return publishPermissions(result) 
    except ClientError as e:
        print(e.response['Error']['Message'])

Expected Behavior

Since I'm managing all permission sets from the master account, I would expect the TEAM application to display all permission sets, regardless of whether it's deployed in the master account or delegated admin account.

Questions

1. Is this filtering behavior intentional?
2. What's the reasoning behind excluding master account permission sets when running from a delegated admin account?
3. Should there be a configuration option to include/exclude master account permission sets?

---

Would appreciate clarification on whether this is the intended behavior or if there's a recommended approach for this setup.

[omeganon]

Hi!

I came across this post when trying to understand why some permission sets were not visible for assignment in Eligibility Policies in the delegated account. It makes sense to me now and I hope this helps --

This is an intentional decision. The reason that these permission sets are not assignable or modifiable is because they are in use to grant access to the master account itself to some user or group. If the delegated account were allowed to modify and assign those permission sets, they could grant themselves complete and full access to the master account via that delegation of Identity Center.

The workaround is to create copies of those policies that can then be managed and assigned via the delegated account, to every other account in the Organization except the master Identity Center account.