By definition, an SCP never grants permissions. However, when I checked SCP vs. IAM policy, I discovered that an SCP can also be used to allow access to AWS resources (whitelist). Can I get a clarification on this, please?
The SCP is allowing access to the services and actions that are ALREADY allowed. For example, you can have an account with full access to all services, then apply an SCP that restricts by whitelisting only a select group of services. So, in essence, the SCP is "removing" access to any service not explicitly listed in the SCP. Maybe this link will help – https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations-to-enforce-healthcare-compliance-in-your-aws-account/
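The filtering behaviour described in the answer above, as an added example that is not part of the original thread: a simplified Python model of how an SCP allow list and an IAM identity policy combine. The policy names and sample policies are constructed, and the model assumes only `Effect` and `Action` matter (it ignores `Resource`, `Condition`, `NotAction` and other policy types).

```python
from fnmatch import fnmatchcase

def matches(action, patterns):
    # IAM action names are case-insensitive; "*" and "?" act as wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def actions(policy, effect):
    # Collect the Action entries of all statements with the given Effect.
    found = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == effect:
            acts = stmt["Action"]
            found.extend([acts] if isinstance(acts, str) else acts)
    return found

def is_allowed(action, identity_policy, scps):
    """Simplified model (assumption): ignores Resource, Condition, NotAction
    and every other policy type (boundaries, resource policies, ...)."""
    # An explicit Deny in any policy wins.
    if any(matches(action, actions(p, "Deny")) for p in [identity_policy, *scps]):
        return False
    # Each SCP must list the action, otherwise it is filtered out ...
    if not all(matches(action, actions(s, "Allow")) for s in scps):
        return False
    # ... but only the IAM identity policy can actually grant it.
    return matches(action, actions(identity_policy, "Allow"))

# Constructed sample policies (not taken from the page).
def policy(effect, acts):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": acts, "Resource": "*"}]}

ADMIN = policy("Allow", "*")
S3_READER = policy("Allow", ["s3:GetObject", "s3:ListBucket"])
SCP_ALLOW_LIST = policy("Allow", ["s3:*", "dynamodb:*"])

if __name__ == "__main__":
    for who, ident in (("admin", ADMIN), ("s3-reader", S3_READER)):
        for act in ("s3:GetObject", "dynamodb:GetItem", "ec2:RunInstances"):
            print(who, act, is_allowed(act, ident, [SCP_ALLOW_LIST]))
```

The `s3-reader` row for `dynamodb:GetItem` is the case the question asks about: the SCP lists DynamoDB, yet the call is still denied because no IAM policy grants it.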