CCMM Subscription Access Group Automation creates customer access groups during CCMM subscription (via CCMM Broker or subscription flow) and assigns predefined IAM roles to those groups.

This feature standardizes role-based access control for CCMM workflows during subscription and ensures CCMM personas receive appropriate permissions without manual IAM configuration.

When a customer subscribes to CCMM, the system automatically:

Creates required customer access groups
Maps each access group to the correct CCMM IAM role
Enables the groups for use by Workflow Service (workflowsvc)

Supported personas and roles are as follows:

CCMM Persona	IAM Role	Access Group
Owner	CCMMEvidenceControlOwner	Ccmm_Evidence_Control_Owner
Approver	CCMMEvidenceApprover	Ccmm_Evidence_Approver
Reviewer	CCMMEvidenceReviewer	Ccmm_Evidence_Reviewer
Support Admin	CCMMSupportAdmin	Ccmm_Support_Admin
Administrator	CCMMAdmin	Ccmm_Administrator
Viewer	CCMMViewer	Ccmm_Viewer

Are access groups created automatically?

Yes. Access groups are automatically created during the CCMM subscription process and mapped to the corresponding IAM roles.

Existing subscriptions are not automatically updated. If new access groups are required, users must unsubscribe and resubscribe to CCMM for the updated configuration to reflect.

The application team is responsible for creating IAM roles and defining associated permissions.

Once assigned, IAM roles are inherited by users added to the respective access groups. The Workflow Service (workflowsvc) uses these roles to execute CCMM workflows based on assigned permissions.

No manual configuration is required for new subscriptions. Access group creation and role assignments are handled automatically during the subscription process.