This topic provides answers to some frequently asked questions about managing a resource directory.

What methods can be used to enable a resource directory? How do I choose a method?

When you enable a resource directory, the system checks whether the current logon account has passed enterprise real-name verification, whether the account has resources, and whether the account is configured with security information, such as a mobile phone number or an email address. If the account meets requirements, the system then recommends one of the following methods for you to enable a resource directory based on the check results:

  • Use the current account to enable a resource directory

    You can use this method if the current logon account has passed enterprise real-name verification, is configured with security information, and does not have resources.

  • Use a new account to enable a resource directory

    You can use this method if the current logon account has passed enterprise real-name verification but is not configured with security information or has resources.

    If you use this method, you must create an Alibaba Cloud account and use this account as the management account of the resource directory. The new account inherits the enterprise real-name verification information of the current logon account. You must use the password retrieval feature to specify a logon password for the new account. In addition, the current logon account becomes a member of the resource directory.

Why am I unable to enable a resource directory?

Possible causes:

  • The account you use has not completed enterprise real-name verification.
  • The account you use is already in a resource directory.

Which accounts cannot be used as the management account of a resource directory?

  • Account that has a pending invitation

    Solution: Process the invitation and then use the account to enable a resource directory.

  • Account whose resources have services or applications deployed

    Solution: A management account is used to perform high-permission operations for a resource directory, such as structure management and user permission management. Therefore, to ensure the security of a management account, we recommend that you create an Alibaba Cloud account and use this account as the management account.

What are the impacts of disabling a resource directory?

  • The organizational structure and policies created in this resource directory are cleared.
  • Data in activated trusted services is cleared. For example, if you create a multi-account trail in ActionTrail, the data of the multi-account trail in ActionTrail will be cleared after you disable your resource directory.
  • Features that depend on the resource directory in trusted services may be unavailable. For example, the multi-account permission management feature of CloudSSO is available only when the resource directory is enabled.

Why can many features that are provided by the Resource Directory service be used only by RAM users?

Alibaba Cloud best practices apply the principle of least privilege to ensure security. By default, the root user of the management account of a resource directory has administrator permissions. Performing operations as the root user of the management account therefore poses high security risks.

We recommend that you disable the root users of all cloud accounts in your resource directory and use RAM users to perform operations. You can grant permissions to RAM users based on your business requirements.

Only RAM users can be used to perform key operations in a resource directory for the following reasons:

  • RAM users can be granted permissions based on business requirements, which conforms to the principle of least privilege.
  • Security risks caused by inappropriate use of management accounts can be prevented.
  • Security risks caused by the sharing of AccessKey pairs for your Alibaba Cloud account among multiple users can be prevented.
  • The operations performed by using RAM users can be recorded by the system, which facilitates auditing and tracking.
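
To check that operations are actually performed by RAM users rather than root users, you can review exported audit events. The following is an added example, not part of the original documentation or Alibaba Cloud's own code: it flags events performed by a root user and groups them by account. The field names and the `root-account` identity type are assumptions modelled on the ActionTrail event layout, and the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample events (JSON lines). Field names are assumed to follow
# the ActionTrail event layout; all values are made up for illustration.
SAMPLE_EVENTS = """\
{"eventTime":"2024-01-10T02:11:00Z","serviceName":"ResourceManager","eventName":"CreateFolder","userIdentity":{"type":"ram-user","accountId":"1000000000000001","userName":"rd-admin"}}
{"eventTime":"2024-01-10T02:15:30Z","serviceName":"ResourceManager","eventName":"MoveAccount","userIdentity":{"type":"root-account","accountId":"1000000000000001"}}
{"eventTime":"2024-01-10T03:02:10Z","serviceName":"Ram","eventName":"CreateAccessKey","userIdentity":{"type":"root-account","accountId":"1000000000000002"}}
{"eventTime":"2024-01-10T03:05:00Z","serviceName":"Ecs","eventName":"DescribeInstances","userIdentity":{"type":"assumed-role","accountId":"1000000000000002"}}
not-json
{"eventTime":"2024-01-10T04:00:00Z","eventName":"ConsoleSignin"}
"""

ROOT_TYPE = "root-account"  # assumed identity-type value for the root user


def find_root_activity(lines):
    """Return ({account_id: [(time, service, event)]}, skipped_line_count)."""
    findings = defaultdict(list)
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # malformed line: count it instead of dropping it silently
            continue
        identity = event.get("userIdentity") if isinstance(event, dict) else None
        if not isinstance(identity, dict):
            skipped += 1  # no identity recorded, so the event cannot be attributed
            continue
        if identity.get("type") == ROOT_TYPE:
            findings[identity.get("accountId", "unknown")].append(
                (event.get("eventTime"), event.get("serviceName"), event.get("eventName"))
            )
    return dict(findings), skipped


if __name__ == "__main__":
    found, skipped = find_root_activity(SAMPLE_EVENTS.splitlines())
    for account, events in sorted(found.items()):
        for when, service, name in events:
            print(f"root user of {account}: {service}.{name} at {when}")
    print(f"{skipped} line(s) could not be attributed")
```

Lines that cannot be attributed to an identity are counted rather than ignored, so gaps in the audit data are visible alongside the root-user findings.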