# Account template creation - Permissions

Using Permissions, you can configure what the end users can and cannot do in their accounts.

<p class="callout info">Sandbox Studio uses IAM Identity Center Permissions Sets for permissions. You can see more details explaining each of the sections of this page at https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html</p>


##### Default permissions

By default, "Administrator Access" is provided to end users.

<p class="callout warning">Service Control Policies (SCP) are still applied on the accounts and even with Administrator access, some resources and actions may be blocked by your Administrators.</p>

<span class="s1">If the default configuration suits your needs, proceed to the next step [Account template creation - Roles &amp; Access](https://docs.sandboxstudiosoftware.com/books/manager-guide/page/account-template-creation-roles-access "Account template creation - Roles & Access")</span>

##### Customise permissions

For more granular permissions configuration, you can customise the permissions you provide to the end users by selecting **No, I want to customise permissions:**

[![image.png](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/scaled-1680-/ZULimage.png)](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/ZULimage.png)

The following sections can be configured:

[![image.png](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/scaled-1680-/okpimage.png)](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/okpimage.png)

1. **AWS Managed Policies**

By default, the Administrator Access policy is applied but you can select one or more policies from the list of AWS Managed policies. More details here about AWS Managed policies: [https://docs.aws.amazon.com/aws-managed-policy/latest/reference/about-managed-policy-reference.html](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/about-managed-policy-reference.html)

[![image.png](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/scaled-1680-/R6wimage.png)](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/R6wimage.png)

2. **Customer Managed Policies**

If you have pre-defined policies you manage, you can use them here. [More details about Customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies)

[![image.png](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/scaled-1680-/DYWimage.png)](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/DYWimage.png)

3. **Inline policy**

Finally, you can use inline policy (define the access directly in the section). [More details about inline policies.](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies)

Example:

[![image.png](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/scaled-1680-/CS8image.png)](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/CS8image.png)

##### Permission Boundary:

Finally, and following the same principles as previous options, you have the option to include **Permission boundaries.** [More details about Permission boundaries.](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)

[![image.png](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/scaled-1680-/pkrimage.png)](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/pkrimage.png)

<p class="callout warning">Note: Permission boundaries can only be "AWS managed policy" OR "Customer managed policy" (Not both). In addition, you can only select **ONE** policy to apply.</p>

Having completed all the fields on the **Permissions** page as needed, click on **Next** to move to [Account template creation - Roles &amp; Access](https://docs.sandboxstudiosoftware.com/books/manager-guide/page/account-template-creation-roles-access "Account template creation - Roles & Access")

#### Example:

This example restricts users to only basic EC2 actions:

[![image.png](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/scaled-1680-/q2wimage.png)](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2026-04/q2wimage.png)