These are Amazon Web Services SSO identity store attributes that you can configure for use in attributes-based access control (ABAC).
You can create permissions policies that determine who can access your Amazon Web Services resources based upon the configured attribute values.
When you enable ABAC and specify AccessControlAttributes, Amazon Web Services SSO passes the attribute values of the authenticated user into IAM for use in policy evaluation.
A set of key-value pairs that are used to manage the resource.
Tags can only be applied to permission sets and cannot be applied to corresponding roles that Amazon Web Services SSO creates in Amazon Web Services accounts.