# Step 3: Manage your account

> Create an organization and an account

One use of the root account is to create the organization, environment, users, and permissions. After that, we will use the new user for the rest of the documentation and stop using the root account.

## 1. Create an organization and an account

Go to [AWS Organizations](https://us-east-1.console.aws.amazon.com/organizations/v2/home?region=us-east-1) in the AWS console to create an organization. The service is not region specific, so all the regions are disabled and shown as **global**. AWS Organizations is used to manage accounts. We will create an account for deployment.

<Note>
  If you have bought the gold edition of MailDiver, you have access to the
  source code. If you want to develop new features, it's better to create
  another account, a dev account, to safely experiment with the code.
</Note>

a. Click the **Create an organization** button.

b. After it's created, click the **Add account** button.

c. Fill in the fields. Leave the IAM role name as the default, `OrganizationAccountAccessRole`. Click the **Create** button.

<img src="https://mintcdn.com/selfmailkit/flS_Fi6hXDlFtHex/images/add-account.png?fit=max&auto=format&n=flS_Fi6hXDlFtHex&q=85&s=a6411df053e70bf56a955b1f839b0c52" alt="create-account" width="1734" height="894" data-path="images/add-account.png" />

## 2. Create permission sets

Now we will create permission sets. Go to [IAM Identity Center](https://us-east-1.console.aws.amazon.com/singlesignon/home/) in the AWS console.

a. Choose a region. AWS services are typically region specific, so it's essential to choose the correct region before creating any resources. Decide which region you want to use; generally, select the region geographically close to you or your users. If your users are globally distributed, don't worry: we use AWS CloudFront to cache the content (APIs, assets, frontend app, etc.) and serve it from the nearest edge location for both frontend and backend infrastructure.

b. Click the **Enable** button.

c. On the left side, click the **Permission sets** button under the Multi-account permissions section, then click **Create permission set**.

<img src="https://mintcdn.com/selfmailkit/flS_Fi6hXDlFtHex/images/permission-sets.png?fit=max&auto=format&n=flS_Fi6hXDlFtHex&q=85&s=557bd87124515f3a0957ffe7b0d5639a" alt="permission-sets" width="2276" height="1122" data-path="images/permission-sets.png" />

d. We will create two predefined permission sets: `AdministratorAccess` and `ReadOnlyAccess`. First, let's create `AdministratorAccess`. Choose the default **Predefined permission set**.

<img src="https://mintcdn.com/selfmailkit/flS_Fi6hXDlFtHex/images/create-predefined-permission-set.png?fit=max&auto=format&n=flS_Fi6hXDlFtHex&q=85&s=57046f76a230b5d95b200a89d77420e8" alt="create-predefined-permission-set" width="2272" height="1166" data-path="images/create-predefined-permission-set.png" />

e. In step 2, keep `AdministratorAccess` as default. Add a description if you want. For session duration, choose how often you want to log in again. Click the **Next** button, review, then click the **Create** button.

<img src="https://mintcdn.com/selfmailkit/flS_Fi6hXDlFtHex/images/permission-sets-step-2.png?fit=max&auto=format&n=flS_Fi6hXDlFtHex&q=85&s=af22663d315b7d0a7e9e9f6b2c64d492" alt="permission-sets-step-2" width="2048" height="1166" data-path="images/permission-sets-step-2.png" />

f. Repeat the same steps for the `ReadOnlyAccess` permission set. You should have two permission sets: `AdministratorAccess` and `ReadOnlyAccess`.

<img src="https://mintcdn.com/selfmailkit/flS_Fi6hXDlFtHex/images/two-permission-sets.png?fit=max&auto=format&n=flS_Fi6hXDlFtHex&q=85&s=67d83c1843d55bac9683e33107897ac2" alt="two-permission-sets" width="2352" height="812" data-path="images/two-permission-sets.png" />

## 3. Create a group and a user

Lastly, we need to create a group and a user. Groups are convenient for managing multiple users. For example, instead of assigning permissions to users one by one, you can assign the permissions to the group, and all users in the group will have the same permission sets.

a. On the left side, click **Groups** and then click the **Create group** button.

<img src="https://mintcdn.com/selfmailkit/flS_Fi6hXDlFtHex/images/create-group.png?fit=max&auto=format&n=flS_Fi6hXDlFtHex&q=85&s=fbc54e415e9ff551fcded8453b8e4a07" alt="create-group" width="2846" height="812" data-path="images/create-group.png" />

b. Enter a group name, `FullAccessGroup`. Feel free to use any descriptive name you want. Skip creating a user in this step. Click the **Create group** button.

c. On the left side, click **Users** and then click the **Add user** button. You will use this user for deployment. You will be asked to create a password and log in with the username. I'll use `sudo` since it's my cat's name. Choose `Send an email to this user with password setup instructions.` for the password.
Enter your email address and full name. You can either leave the rest of the fields as default or fill them in. Click the **Next** button.

<img src="https://mintcdn.com/selfmailkit/flS_Fi6hXDlFtHex/images/user-step-1.png?fit=max&auto=format&n=flS_Fi6hXDlFtHex&q=85&s=4f8cbefec7f013b375581a205814941e" alt="user-step-1" width="1880" height="1190" data-path="images/user-step-1.png" />

d. Select the group we created earlier, `FullAccessGroup`, and click the **Next** button. Review and click the **Add user** button.

e. You will get an email from AWS with the login instructions. You will use this user to deploy MailDiver. Again, please avoid using the root account for day-to-day tasks.

## 4. The final step: add the user to the account

As a final step, we must add the user to the account.

a. On the [IAM Identity Center](https://us-east-1.console.aws.amazon.com/singlesignon/home/) page, click **AWS accounts** on the left side under the Multi-account permissions tab. Select the account and click the **Assign users or groups** button.

b. Select the group (not the user) we created earlier, `FullAccessGroup`, and click the **Next** button.

<img src="https://mintcdn.com/selfmailkit/flS_Fi6hXDlFtHex/images/account-assign-group-step1.png?fit=max&auto=format&n=flS_Fi6hXDlFtHex&q=85&s=b08a556a2235b7cfde9d02409847e932" alt="account-assign-group-step1" width="1880" height="1190" data-path="images/account-assign-group-step1.png" />

c. In step 2, select the permission sets `AdministratorAccess` and `ReadOnlyAccess`. Click the **Next** button, review, and submit.

<img src="https://mintcdn.com/selfmailkit/flS_Fi6hXDlFtHex/images/account-assign-group-step2.png?fit=max&auto=format&n=flS_Fi6hXDlFtHex&q=85&s=73e6269379d81578124e35896f055990" alt="account-assign-group-step2" width="1880" height="1190" data-path="images/account-assign-group-step2.png" />

That's it! Everything is set up and ready to deploy MailDiver with one command!
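To confirm the result of steps 2 to 4 outside the console, the following added example (not part of MailDiver or its documentation) audits merged `AccountAssignments` entries, in the shape returned by `aws sso-admin list-account-assignments`, against the setup described above. The ARNs, IDs and name maps are constructed sample values, and `audit_assignments` is a hypothetical helper name.

```python
"""Audit IAM Identity Center account assignments against this guide's setup."""

EXPECTED_GROUP = "FullAccessGroup"
EXPECTED_SETS = {"AdministratorAccess", "ReadOnlyAccess"}

# Constructed lookup tables (placeholders, not real identifiers).
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE-ADMIN"
PS_READ = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE-READ"
PERMISSION_SET_NAMES = {PS_ADMIN: "AdministratorAccess", PS_READ: "ReadOnlyAccess"}
GROUP_NAMES = {"group-id-example": "FullAccessGroup"}


def entry(ps_arn, principal_type, principal_id):
    """Build one constructed AccountAssignments entry."""
    return {"AccountId": "111122223333", "PermissionSetArn": ps_arn,
            "PrincipalType": principal_type, "PrincipalId": principal_id}


# Constructed sample: the state this guide produces.
SAMPLE_OK = [entry(PS_ADMIN, "GROUP", "group-id-example"),
             entry(PS_READ, "GROUP", "group-id-example")]
# Constructed sample: admin rights given to a user directly, not via the group.
SAMPLE_DRIFT = [entry(PS_ADMIN, "USER", "user-id-example"),
                entry(PS_READ, "GROUP", "group-id-example")]


def audit_assignments(assignments, permission_set_names, group_names):
    """Return sorted findings; an empty list means the setup matches the guide."""
    findings, seen = [], set()
    for a in assignments:
        ps = permission_set_names.get(a["PermissionSetArn"], a["PermissionSetArn"])
        if a["PrincipalType"] != "GROUP":
            # The guide assigns permission sets to the group, never to a user.
            findings.append(f"direct {a['PrincipalType']} assignment of {ps} "
                            f"to {a['PrincipalId']}")
            continue
        group = group_names.get(a["PrincipalId"], a["PrincipalId"])
        if group != EXPECTED_GROUP:
            findings.append(f"unexpected group {group} holds {ps}")
        elif ps not in EXPECTED_SETS:
            findings.append(f"unexpected permission set {ps} on {group}")
        else:
            seen.add(ps)
    findings += [f"{EXPECTED_GROUP} is missing {m}" for m in EXPECTED_SETS - seen]
    return sorted(findings)


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("drift", SAMPLE_DRIFT)):
        print(name, audit_assignments(sample, PERMISSION_SET_NAMES, GROUP_NAMES))
```

`list-account-assignments` is queried per permission set, so merge the entries from each call before passing them in.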

<Note>
  If you need help requesting SES production access, please follow the steps below:

  [Request production access for SES](/self-hosted/how-to-deploy/aws-ses-production-access)
</Note>
