What is the purpose of using Service Control Policies and Permission Boundaries? Why not just set up maximum and effective permissions without using the SCP and boundaries?
In theory – you could set up permissions for individual identities or services, but SCP is about management delegation to individual organizations. In the case of having multiple organizations, you (can) delegate the identity and role management to individual organization (or organization unit) administrators. In this case you may want to impose some organization-wide rules on your "child" organization accounts, e.g. prevent disabling logging, prevent updating roles.
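The following is an added example, not part of the original answer: a simplified Python model of how an SCP guardrail still binds a delegated administrator who holds full identity permissions, and how a permissions boundary caps a role that administrator creates. The policy names and statements are constructed for illustration, and the model ignores resources, conditions, resource-based policies and session policies.

```python
from fnmatch import fnmatchcase

# A policy here is a list of (effect, [action patterns]) statements.
# Constructed sample: org-wide SCP set by the management account.
ORG_SCP = [
    ("Allow", ["*"]),
    ("Deny", ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
              "iam:UpdateRole", "iam:UpdateAssumeRolePolicy"]),
]
# Constructed sample: identity policy of a delegated OU administrator.
OU_ADMIN = [("Allow", ["*"])]
# Constructed sample: boundary the OU admin attaches to developer roles.
DEV_BOUNDARY = [("Allow", ["s3:*", "cloudtrail:Describe*"])]


def _matches(action, patterns):
    # IAM action names are case-insensitive and support * and ? wildcards.
    a = action.lower()
    return any(fnmatchcase(a, p.lower()) for p in patterns)


def _has(policy, effect, action):
    return any(e == effect and _matches(action, p) for e, p in policy)


def evaluate(action, scp, identity, boundary=None):
    """Return 'allow' or the layer that blocks the action.

    An explicit Deny in any layer wins. Otherwise every layer present
    (SCP, identity policy, optional boundary) must allow the action,
    so the effective permission set is their intersection.
    """
    layers = [("scp", scp), ("identity", identity)]
    if boundary is not None:
        layers.append(("boundary", boundary))
    for name, policy in layers:
        if _has(policy, "Deny", action):
            return f"explicit deny ({name})"
    for name, policy in layers:
        if not _has(policy, "Allow", action):
            return f"implicit deny ({name})"
    return "allow"


if __name__ == "__main__":
    for act in ("cloudtrail:StopLogging", "iam:UpdateRole", "ec2:RunInstances"):
        print(f"OU admin  {act:26} -> {evaluate(act, ORG_SCP, OU_ADMIN)}")
    for act in ("s3:GetObject", "ec2:RunInstances"):
        print(f"dev role  {act:26} -> {evaluate(act, ORG_SCP, OU_ADMIN, DEV_BOUNDARY)}")
```

Neither the SCP nor the boundary grants anything on its own; each only narrows what the identity policy can make effective.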