AWS provides Roles. A user can obtain permissions by assuming a Role.
Furthermore, a user can obtain permissions in another AWS account if that account creates a Role that allows access.
Consider two accounts, A and B.
Admin A of Account A wants to give a Role to some users of Account B.
How does Admin A distinguish among the users of Account B?
AWS suggests the External ID for solving the Confused Deputy Problem.
However, the External ID cannot be used in the AWS Console. It is supported only for requests made by applications.
Refer to the AWS Forum.

Here is my solution, used instead of the External ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:username": "FILTERED_USER_ID"
        }
      }
    }
  ]
}

Admin A should set the condition statement in the AssumeRole policy.
As you know, a Role requires an AssumeRole policy on both sides.
One is the provider’s policy, the other is the recipient’s policy.
I will skip describing the recipient’s policy. You can find the documentation here: AWS Document.
The provider’s policy is actually the Trust Relationship, which is the second tab in the details of the Role.
This policy is auto-generated when you create the Role.
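
To see which callers the provider's policy above lets through, here is an added example (not code from the original post) that builds the same trust policy and runs a simplified model of its condition check over constructed callers. The account IDs, user names and the helper names `build_trust_policy`, `caller_allowed` and `evaluate_all` are assumptions, and only the provider side is modelled, not the recipient's policy.

```python
import json

ACCOUNT_B = "222222222222"  # constructed placeholder account ID

def build_trust_policy(account_id, usernames):
    """Trust policy in the shape shown above, for one or more IAM user names."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:username": sorted(usernames)}},
        }],
    }

def caller_allowed(policy, caller):
    """Simplified model: Allow statements, account-root principal, StringEquals only."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller['account']}:root":
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        # Values are compared case-sensitively, and a key that is absent from
        # the request context never matches. aws:username is present only for
        # IAM users, so role sessions from the trusted account are rejected too.
        if all(caller["context"].get(k) in ([v] if isinstance(v, str) else v)
               for k, v in wanted.items()):
            return True
    return False

# Constructed callers: the request context each one would present.
CALLERS = {
    "listed user": {"account": ACCOUNT_B, "context": {"aws:username": "alice"}},
    "other user": {"account": ACCOUNT_B, "context": {"aws:username": "bob"}},
    "case differs": {"account": ACCOUNT_B, "context": {"aws:username": "Alice"}},
    "role session": {"account": ACCOUNT_B, "context": {}},
    "other account": {"account": "333333333333", "context": {"aws:username": "alice"}},
}

def evaluate_all(policy):
    return {name: caller_allowed(policy, c) for name, c in CALLERS.items()}

if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_B, ["alice"])
    print(json.dumps(policy, indent=2))
    for name, allowed in evaluate_all(policy).items():
        print(f"{name:14} -> {'allowed' if allowed else 'denied'}")
```

Only the listed IAM user of the trusted account passes; a statement with no `Condition` block would let every caller from that account through in this model.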

The Role provider can also single out specific users using other condition statements.
Refer to this policy simulator: PolicyGen.