diff --git a/CHANGELOG.md b/CHANGELOG.md
index c334995..6980d89 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,3 +7,5 @@
   - add ability to grab description, permissionset_name from settings
   - find permissionset if arn not found
 
+* 1.0.2 -- 2023-11-13
+  - allow users, account_ids to be null
diff --git a/common/version.tf b/common/version.tf
index 374ba43..02c6357 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0.1"
+  _module_version = "1.0.2"
 }
diff --git a/group-assignment/main.tf b/group-assignment/main.tf
index febdf7a..9f147bf 100644
--- a/group-assignment/main.tf
+++ b/group-assignment/main.tf
@@ -27,7 +27,7 @@ resource "aws_identitystore_group_membership" "group" {
 }
 
 resource "aws_ssoadmin_account_assignment" "accounts" {
-  for_each     = toset(local.account_ids)
+  for_each     = var.account_ids != null ? toset(local.account_ids) : toset([])
   instance_arn = var.instance_arn
   #  permission_set_arn = var.permissionset_arn
   permission_set_arn = local.permissionset_arn
diff --git a/group-assignment/users.tf b/group-assignment/users.tf
index 4da51d7..0d52177 100644
--- a/group-assignment/users.tf
+++ b/group-assignment/users.tf
@@ -5,7 +5,7 @@ locals {
 }
 
 data "ldap_object" "users" {
-  for_each = toset(local.users)
+  for_each = var.users != null ? toset(local.users) : toset([])
   provider = ldap
 
   base_dn           = local.user_base_dn