For enterprise customers, a single cloud account cannot easily support a complex organizational structure. A strict isolation policy between projects or departments means that multiple cloud accounts are required within the same enterprise account. The enterprise services of Alibaba Cloud Resource Directory in Resource Management support a root enterprise account with sub-accounts arranged by organizational hierarchy or by project. With Resource Directory, customers can manage member accounts manually, but this is inefficient and hard to maintain. What is needed is a centralized tool that manages the access permissions of enterprise users to the sub-accounts and that also supports SSO login with the enterprise identity provider.
CloudSSO is integrated with Alibaba Cloud Resource Directory to provide centralized multi-account identity management and access control. You can use CloudSSO to manage enterprise users who need to access Alibaba Cloud resources and to assign access permissions on the accounts in a resource directory to those users in a centralized manner. You can also configure settings only once to implement single sign-on (SSO) access to Alibaba Cloud resources from an identity provider (IdP).
Refer to CloudSSO.
Resource Management allows you to build an organizational structure for resources based on your business requirements. You can use resource directories, resource groups, or tags to hierarchically organize and manage your cloud resources.
Refer to Resource Directory.
Alibaba Cloud Resource Management supports Terraform; please visit Resource Management with Terraform.
Alibaba Cloud Resource Access Management (RAM) is an identity and access control service that enables you to centrally manage your users (including employees, systems, or applications) and securely control their access to your resources through permission levels. RAM thereby allows you to grant access permissions for Alibaba Cloud resources only to selected high-privileged users, enterprise personnel, and partners. This helps to ensure secure and appropriate usage of your cloud resources and protects your account from unsolicited access.
Refer to Resource Access Management.
RAM supports SAML 2.0-based single sign-on (SSO), which is known as identity federation. RAM and RAM SSO are used within one Alibaba Cloud account.
RAM and CloudSSO
Comparison | RAM | CloudSSO |
---|---|---|
Account type | one account | multiple accounts |
Management target | resources | accounts |
CloudSSO is integrated with Resource Directory and allows you to manage identities and permissions for multiple Alibaba Cloud accounts in a centralized manner. Resource Access Management (RAM) allows you to manage identities and permissions within one Alibaba Cloud account. If you use CloudSSO to manage identities and permissions for the accounts in your resource directory in a centralized manner, you do not need to use RAM to manage permissions within one Alibaba Cloud account.
Refer to Relationship between CloudSSO and RAM.
Management groups are a tool to help you structure your cloud environments for organization and governance at scale. Subscriptions are a unit of management, billing, and scale within Azure. When you migrate accounts from Azure, Alibaba Cloud Member accounts can be treated as Azure Subscriptions, which are the basic unit of management; all cloud resources are managed directly by Member accounts. Alibaba Cloud Folders can be treated as Azure Management Groups, which are designed for organization and governance.
When you migrate accounts from AWS, Alibaba Cloud Member accounts can be treated as AWS Member Accounts, and Alibaba Cloud Folders can be treated as AWS Organizational Units.
As the chart above shows, there are several different ways to access the Alibaba Cloud portal:
- RAM users, for managing Folders and Members.
- CloudSSO users, for managing resources on the cloud.
As the chart above shows, the following components will be created or set up:
- CloudSSO, for enterprise user logon.
- IdP, for logon.
- AdministratorAccess, for users in the group alibabassoadmin.
An Enterprise Account is required for CloudSSO and Resource Directory.
Open the CloudSSO portal in Alibaba Cloud. Depending on where your users are located, you can create the CloudSSO service close to them. For this demo, the Shanghai endpoint will be used. You can get the enterprise entry point from User Logon URL; this URL will be used for Alibaba Cloud logon.
The CloudSSO logon URL is different from the normal logon URL and the RAM logon URL.
In Settings, you can download a metadata file for the CloudSSO SP. This file can be used at the IdP vendor to save time when setting up the client.
You can download the IdP metadata file and then upload it to CloudSSO. CloudSSO retrieves the required information and updates the configuration. You can also modify the configuration manually.
Please follow CloudSSO logon from Azure AD to complete the Azure IdP setup. Finally, you can download the Federation Metadata XML and use it for the settings in Step 2.
For access management of CloudSSO enterprise users, you need to define Access Configuration templates in Access Management.
Once an Access Configuration template is defined, you can bind it to groups.
Group based mapping
You can also manually bind an Access Configuration template to given users.
Assignment
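The two binding styles above (a template bound to a group, or directly to a user) compose into the set of access configurations each user can pick in each member account. The following resolver is an added example, not CloudSSO code, and uses constructed users, groups and accounts; its audit helper answers the question a reviewer most often asks, namely who holds AdministratorAccess in a given account.

```python
"""Resolve CloudSSO-style assignments into effective access per user and account.

Added example, not CloudSSO code: it models the two binding styles described
above, an Access Configuration bound to a group and one bound directly to a
user, and answers "which access configuration can each user select in which
member account?". All users, groups, configurations and accounts are constructed.
"""
from collections import defaultdict

# Constructed directory data: user -> groups (in practice synced from the IdP via SCIM).
USERS = {
    "alice@example.com": {"alibabassoadmin"},
    "bob@example.com": {"developers"},
    "carol@example.com": {"developers", "auditors"},
}

# Constructed assignments: (principal type, principal, access configuration, member account).
ASSIGNMENTS = [
    ("group", "alibabassoadmin", "AdministratorAccess", "prod-account"),
    ("group", "alibabassoadmin", "AdministratorAccess", "dev-account"),
    ("group", "developers", "ECSFullAccess", "dev-account"),
    ("user", "carol@example.com", "ReadOnlyAccess", "prod-account"),
]


def effective_access(users, assignments):
    """Return {user: {account: set(access configurations)}} after expanding group bindings."""
    access = defaultdict(lambda: defaultdict(set))
    for ptype, principal, config, account in assignments:
        if ptype == "group":
            members = [u for u, groups in users.items() if principal in groups]
        elif ptype == "user":
            # A direct assignment to a user who has not been synced yet grants nothing.
            members = [principal] if principal in users else []
        else:
            raise ValueError("unknown principal type: %s" % ptype)
        for user in members:
            access[user][account].add(config)
    return {user: dict(per_account) for user, per_account in access.items()}


def holders_of(users, assignments, account, config="AdministratorAccess"):
    """Audit helper: users who can select the given access configuration in an account."""
    return sorted(user for user, per_account in effective_access(users, assignments).items()
                  if config in per_account.get(account, set()))
```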
System for Cross-domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains or IT systems.
Refer to SCIM.
CloudSSO needs to sync users before they can log in. You can set this up in the SCIM configuration.
After a successful login, you can choose a member account to perform further operations on cloud resources, e.g. ECS creation.
In the Resource Directory page, administrators of the root account can check the overall Folders structure.
In the Resource Member page, administrators of the root account can view all Member accounts.
In the Policy page, administrators of the root account can view all Policies that can be assigned to users or groups.