Community Blog Decathlon: Sports IP Migrates to the Cloud, Starting from Managing an "ID Card" for Business

Decathlon: Sports IP Migrates to the Cloud, Starting from Managing an "ID Card" for Business

This article discusses a brief history of Decathlon (sporting goods retailer) and how the company works with Alibaba Cloud.


By Decathlon China + IaaS Infrastructure Team


Decathlon Group was founded in France in 1976. At the beginning of its establishment, the founder, Mr. Michel Lerclercq, hoped to realize the goal of purchasing all kinds of sporting goods in one shopping mall over the next few decades. Unexpectedly, it took more than ten years to achieve the goal. Today, Decathlon's retailing business has entered more than 60 countries and regions worldwide, meeting the needs of beginners and masters. The group is committed to the field of mass sports, integrating research and development, design, branding, production, logistics, and omni-channel retail. Currently, there are more than 1,600 stores worldwide, serving customers across five continents, with more than 90,000 employees. As of the end of December 2021, Decathlon has had nearly 300 stores in malls in over 100 cities across China. At the same time, its e-commerce business has served more than 400 cities since 2009.

As the world's largest comprehensive sporting goods maker, Decathlon has been in China for nearly 20 years. Now, China has become a key market for Decathlon to achieve a complete entire industry chain layout. Decathlon also hopes that China (as the innovation center for digital transformation of the group) plays an important role in the high-level global open-up and cooperation. Therefore, Decathlon will preferentially promote collaborative projects with global influence and leadership in China. At the beginning of 2021, Decathlon CTO Chen Yinghong and Alibaba Cloud signed a cooperation agreement for the Chinese market. Relying on the strong cooperation in the industrial ecosystems of both sides, with leading cloud and data solutions provided by Alibaba Cloud, Decathlon facilitates its construction of new sports retail and accelerates its digital transformation and innovative development of new retail in China.

“The soul of digitalization is technology, and the vision of the digital team is to make Decathlon develop fast in the digital arena,” said Chen Yinghong, CTO of Decathlon. “…Choosing Alibaba Cloud as a new technology partner is of great significance to Decathlon. This is the first time the group cooperates with a cloud enterprise in China, and it is also the first time that cloud services have been localized in the world. Decathlon China is the first company in the industry to enter the all-cloud era. It will support the high-speed update and iteration of intelligent development of the entire industrial chain of Decathlon to achieve its localization transformation. The two sides will focus on logistics and the e-commerce ecosystem and highly integrate resources first. Decathlon combines its globalized experience in the whole industry chain with the local economic and technological insights of Alibaba Cloud to empower a new retail experience with technology and bring leading digital solutions to mass users in the new consumption era.”

Design of Landing Zone Management Framework

The IaaS Infrastructure Team of Decathlon China is mainly responsible for the infrastructure design, deployment, and maintenance of its applications in China on the cloud and provides all of its departments with cloud infrastructure that meets internal security compliance standards of Decathlon. At the beginning of 2021, Liao Junwen, Head of the IaaS Team, led the team to start the design and deployment of Landing Zone on Alibaba Cloud to fulfill the needs of Decathlon. The Alibaba Cloud Landing Zone cloud management framework provides enterprises with cloud IT top-level implementation solutions for architecture design and governance, including identity management, resource management, network planning, financial management, compliance audit, and security protection. The framework helps enterprises rationally plan and govern the IT environment on the cloud to achieve efficient collaboration, security compliance, and cost control. Landing Zone uses the best practices in the industry to create a configurable, scalable, secure, and compliant multi-account environment for enterprises. It is the starting point of the cloud migration for applications, better meeting the needs of rapid business development.

Based on the best practices of Alibaba Cloud, Decathlon immediately completed cloud management and overall architecture planning for the following core sectors and reused its rich multi-cloud governance experience on Alibaba Cloud to satisfy management requirements for security compliance, manageability, and scalability:

  • Resource Management: A project-based independent environment is required to clearly control and authorize each application project. A centralized environment is also required to place the basic services provided by the IaaS Team. In addition, projects managed by suppliers can be isolated using internal networks.
  • Identity Security: It is necessary to ensure all users can use Decathlon employee IDs for single sign-on (SSO) and multi-factor authentication (MFA).
  • Autonomous Management: It is hoped that when enterprise security is guaranteed, the authentication traffic will only be directed to the identity system (IdP) provided by Decathlon headquarters, but authorization management can be controlled within the local team.
  • O&M Efficiency: A multi-account system is not expected to cause a lot of repetitive work, and Decathlon hopes to boast the feature of authorizing multiple accounts for users with similar scenarios.
  • Cost: It is not expected that the managed architecture will incur high costs.

Planning, Design, and Challenges of Identity Permission System

With the further deepening of enterprises' cloud migration, the number of cloud resources purchased by enterprises has increased rapidly. Thus, the management of resources, projects, personnel, and permissions have been more complex. In the planning and design of the identity permission system, the multi-account cloud migration mode has gradually become an important option for multi-business cloud migration. Meanwhile, the orderly management and organization of multiple accounts and the way to view the overall situation and realize comprehensive management and control are all issues affecting enterprise management and business efficiency. Using strong logical isolation of multiple accounts can realize the independence of different business applications of enterprises, which will avoid problems caused by using an ingle account, including dependency conflicts, resource mixing, and mutual influence of O&M operations between different businesses. Multiple accounts can spread risks, improve resource security boundaries, and prevent all businesses from being affected by one hidden management risk. Also, it is convenient for enterprises to follow different resource accounts to achieve clear financial separate billing. In addition, it is conducive to coping with the multi-branch relationship of large enterprises, fulfilling structured management demands for the coexistence of multiple legal entities and multiple settlement models.

In terms of resource management, Decathlon follows best practices of multi-account management and uses Alibaba Cloud Resource Directory (RD) products as the basis of a multi-account hierarchical management structure. Decathlon creates independent cloud accounts and organizes these cloud accounts in a tree structure for each project, effectively meeting demands for unified resource management. However, when designing the identity permission management architecture, it was found that Alibaba Cloud did not have a product that perfectly met the requirements. Therefore, the two sides negotiated and decided to focus on results, and Decathlon first adopted the RAM role SSO as a temporary solution. Here is the specific operation. Decathlon creates a SAML identity provider and performs role SSO configuration after opening each new account. Whenever a user needs to be authorized, Decathlon enters the corresponding account, creates a new RAM role, or reuses an existing RAM role, and grants the RAM policy to complete the entire configuration.

However, the difficulty of this temporary solution is that the operating scope of RAM role SSO is cloud accounts, so the SAML identity provider and RAM roles have to be repeatedly created in each cloud account. Moreover, the Cloud Management Team and project users have much similar permission, but permission must be created separately in each account and granted RAM roles, which further increases the management cost. In addition, the cloud management team must carefully control and eliminate privileged roles to keep the preset role permission from being compromised. Once the control is inappropriate, it will cause potential security vulnerabilities. Finally, since permission is scattered among accounts, a global authorization view is not available. Decathlon can only rely on some additional tools to record each authorization behavior, which is very unfavorable to use this temporary solution in scenarios (such as troubleshooting and compliance auditing).

Implementation of Multi-Account Identity Permission Management Mode

Decathlon has a clear goal in the implementation of the project. Yao Yi and Feng Tianran, the project leaders, hope the problems above caused by the temporary solution can be solved through the unified identity permission management products based on the RD. This requirement coincides with the product planning and development path of Alibaba Cloud. In August 2021, Alibaba Cloud launched Cloud SSO to fit the best practice demands of Decathlon for identity permission management on the cloud.

Cloud SSO is a product of multi-account unified identity management and access control based on Alibaba Cloud RD. When an enterprise has multiple accounts of Alibaba Cloud, the enterprise can use Cloud SSO to manage users that have access to Alibaba Cloud resources. The enterprise can only configure settings once to implement SSO access to Alibaba Cloud resources from an identity provider (IdP) and assign access permissions in the resource directory to the users in a centralized manner.

It only takes a few simple steps to complete the basic configuration of Cloud SSO, and it only takes half an hour for experienced technical experts. After the configuration is completed, Cloud SSO creates a corresponding RAM role in each RD account and completes authorization. Users only need to log on to the Cloud SSO user portal to view all the accounts they can access, and they can directly enter the Alibaba Cloud management console with one click.

Configuration Management Process for Cloud SSO

According to the reality of Decathlon, Cloud SSO implements the following control capabilities for the enterprise:

SSO Using Decathlon Enterprise IdP

In terms of SSO, Decathlon uses Cloud SSO to set SAML configurations connected to the headquarter IdP, thus meeting its global specifications that all employees log on using its enterprise IdP. Since this configuration only needs to be performed once, and it is not necessary to configure each RD account separately, the communication efficiency between you and the headquarters can be improved significantly.

Project-Based Permission Separation

A project is the foundational unit for all of the business of Decathlon on the cloud. Member accounts are divided based on projects in RD. Permission separation control is also based on projects in Cloud SSO. First, the user group is used to manage the personnel using Alibaba Cloud. On the IaaS Infrastructure Team, Security Team, and other management teams, staff are assigned to different user groups based on team features. These user groups start with hosting in their names and are referred to as administrator groups. For each project, based on the specific roles of its members, multiple user groups are created according to the dimensions of the project and roles, and project members are added to different user groups. These groups start with project names in their names and are referred to as project user groups.

Next, the Decathlon Project Team creates access configurations in Cloud SSO to correspond to permission collection that different user groups should have. The access configuration created for an Administrator group, whose name is consistent with the user group name, is broadly divided into the following categories:

  • ram-admin: It has the ability to authorize, so it is equivalent to a super administrator.
  • admin: It has permission to manage all resources on the cloud but does not have the ability to authorize.
  • paasadmin: It has the permission of PaaS-level services on the cloud, such as RDS, Redis, ELK, and KFK.
  • readonly: It has read-only permission for cloud resources but no write permission.
  • custom: Custom permission according to other special requirements

Finally, the Decathlon Project Team grants the corresponding permission to all accounts of the administrator group in the RD structure, while the project user group is only granted the corresponding permission to the accounts used in the project so users can access accounts according to their appropriate permission. These configurations are one-time. Therefore, if a user needs ample permission, the administrator only needs to add the user to the corresponding user group.


Automated Practices for New Project and Permission Changes

Decathlon plans to create a Terraform module based on the Terraform rules of Cloud SSO to automate the management of all identity permission. Whenever a new project is established, the project administrator executes the Terraform script to complete user group management, creation of access configuration, and permission configuration of target RD member accounts. If there are personnel changes or permission changes in an existing project, the configuration update will also be completed through internal workflows.

A Part of the Code


Currently, the Decathlon China IaaS Team manages nearly 100 projects and about 1,000 cross-departmental technical support personnel and suppliers' unified identity integration and permission control of Alibaba Cloud. It achieves high configuration efficiency and realizes a complete management mechanism while ensuring that all users perform SSO through the enterprise IdP. In the future, Decathlon plans to use Cloud SSO to implement more flexible and efficient management such as automatic user synchronization and hierarchical permission management. At the same time, it plans to use more IT governance products integrated with RD (such as Cloud Firewall and CloudMonitor) to enhance the overall IT management and governance of Decathlon China on the cloud.

Decathlon and Alibaba Cloud cooperate in the design of cloud management and governance architecture of Landing Zone and the multi-account identity permission system of Decathlon thanks to the launch of the new Cloud SSO product. During the cooperation and implementation, the professional services provided by the Alibaba Cloud Product Technical Team are reflected in the design of the cloud architecture scheme, in the selection suggestions of technical products, and the promotion of new product features. All of those professional services have given the Decathlon China IaaS Infrastructure Team valuable advice, help, and efficient demand response, which all reflect Alibaba Cloud's principle of customer first. The two sides will continue to cooperate in cloud computing, the Internet, artificial intelligence, and enterprise services, facilitating the layout of the sports ecosystem of Decathlon in China and its digital transformation of intelligent business.

0 0 0
Share on

Alibaba Cloud Community

860 posts | 196 followers

You may also like