If you have existing users set up with Amazon S3 profiles via IAM, each with specific permissions to access a bucket, then to use them with SME EFSS you will need to generate a keypair for each user.
To create a new secret access key for an IAM user, open the IAM console. Click Users in the Details pane, click the appropriate IAM user, and then click Create Access Key on the Security Credentials tab.
Once this is done, you can use the SME Admin user account to enter an S3 account with its S3 credentials, in which, as Admin, you can choose to share bucket(s), or alternatively (pseudo) folders, with users, with the permissions managed by SME.
The SME system is permissive, so once you have added an S3 cloud in this way, by default you would just convert or share a folder and thereafter add user permissions.
In this way you can use a single S3 Account to create access to common resources amongst users such as Marketing, Health and Safety, Archive, Project Docs etc.
However, if you have already set IAM S3 profiles for users, then via SME you can enable these users to add their own S3 provider that works with their IAM-configured permissions.
This is done when logged in as the SME Admin via Organization Options. Within Options there is a governance tab in which there is a section that can be configured to give the user the permission to add a ‘private provider’. As Admin you can choose to limit this to an S3 Account or choose other accounts such as Google Drive, Dropbox etc.
When the Admin has configured the private providers option, users can, on login, navigate to their dashboard and choose to add S3 to their SME account with the individual IAM keypairs you had previously generated.
If you want to make the whole process even more intuitive, as the SME Admin, you can choose to add a widget to the user home page after login which instructs them how to do this.
This can be configured via the branding option and choosing to configure the custom home message.
On completion you have a system in which users have access to their own configured IAM buckets whilst also having access to corporate configured folders / buckets.
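Because each user enters their own IAM keypair into SME, it is worth confirming beforehand that the policy behind each key really is limited to the intended bucket(s). The following is an added example, not part of the original article or of SME's product: the policy documents and bucket names are constructed, and it assumes identity policies in the standard `aws` partition.

```python
import json

ARN = "arn:aws:s3:::"  # assumption: standard "aws" partition only

# Constructed sample: policy for a hypothetical IAM user limited to one bucket.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-marketing"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-marketing/*"},
    ],
})

# Constructed sample: a policy too broad for a key that a user will enter into SME.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
})

def _as_list(value):
    # IAM accepts a single string/object wherever a list is allowed.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def review_s3_scope(policy_json):
    """Return (buckets, findings) for the Allow statements that touch S3."""
    buckets, findings = set(), []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("NotAction/NotResource in an Allow: review by hand")
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        s3_actions = [a for a in actions if a == "*" or a.startswith("s3:")]
        if not s3_actions:
            continue  # statement does not grant S3 access
        if any(a in ("*", "s3:*") for a in s3_actions):
            findings.append("wildcard action: " + ", ".join(s3_actions))
        for res in _as_list(stmt.get("Resource")):
            bucket = res[len(ARN):].split("/", 1)[0] if res.startswith(ARN) else res
            if "*" in bucket or "?" in bucket:
                findings.append("not limited to a named bucket: " + res)
            elif res.startswith(ARN):
                buckets.add(bucket)
    return sorted(buckets), findings
```

An empty findings list together with the expected bucket names indicates the keypair is scoped as intended; any finding is a reason to tighten the IAM policy before the user adds the key as a private provider.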