
Resource Management: FAQ about managing a member

Last Updated: Nov 14, 2023

This topic provides answers to some frequently asked questions about managing a member.

Basic operations performed by using a member

What are the differences among management accounts, members, resource accounts, cloud accounts, root users, and RAM users?

  • Management account

    A management account is an Alibaba Cloud account that has passed enterprise verification. After you use this Alibaba Cloud account to enable a resource directory, the account becomes the management account of the resource directory. The management account is the super administrator of the resource directory. It has all administrative permissions on the resource directory and the folders and members in the resource directory. Each resource directory has only one management account.

  • Member

    A member can be a resource account or cloud account. Members that are created in a resource directory are resource accounts. A resource account is used to isolate the resources of a project or application on Alibaba Cloud from other resources. You can invite existing Alibaba Cloud accounts to join your resource directory. After the owners of the Alibaba Cloud accounts accept the invitations, the accounts become the members of the resource directory. These members are cloud accounts.

    • Resource account

      A member that is created in a resource directory is a resource account. Resource accounts do not have root users and provide higher security. A root user of an Alibaba Cloud account is the administrator of the account. For more information about how to create a resource account, see Create a member.

    • Cloud account

      A member that is invited to join a resource directory is a cloud account. Cloud accounts have root users. For more information about how to invite an Alibaba Cloud account to join a resource directory, see Invite an Alibaba Cloud account to join a resource directory.

  • Root user

    A root user refers to an Alibaba Cloud account identity and has all administrative permissions on resources within the related Alibaba Cloud account. After you log on to the Alibaba Cloud Management Console by using the username and password of an Alibaba Cloud account, you have logged on to the console as the root user of the account.

    To ensure account security and avoid sharing the logon password or AccessKey pairs of the root user with other users, we recommend that you create a RAM user for the management account or each cloud account, grant the required permissions to the RAM user, and then use the RAM user to perform related operations.

  • RAM user

    A RAM user is a physical identity that has a fixed ID and credential information in RAM. A RAM user represents a person or an application. You can create RAM users within an Alibaba Cloud account and authorize the RAM users to access different resources.

How do I use a member to log on to the Alibaba Cloud Management Console?

  • Logon method: Use a RAM user of the management account of a resource directory to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console

    Description: The system automatically creates a RAM role named ResourceDirectoryAccountAccessRole for each member in a resource directory and specifies the management account of the resource directory as the trusted entity for the RAM role. This way, the management account has permissions to assume the RAM roles of all members in the resource directory and log on to the Alibaba Cloud Management Console. You can use the management account of a resource directory to create a RAM user and grant administrative permissions to the RAM user. Then, you can use the RAM user to assume the RAM role ResourceDirectoryAccountAccessRole of a member in the resource directory and log on to the Alibaba Cloud Management Console.

    Applicable member type:

    • This logon method is suitable for members that are created in a resource directory. Members that are created in a resource directory are of the resource account type. They have usernames but do not have logon passwords.

    • This logon method is also suitable for Alibaba Cloud accounts that are invited to join a resource directory as members. These members are of the cloud account type.

    References: Use a RAM role to log on to the Alibaba Cloud Management Console

  • Logon method: Use a RAM user created for a member to log on to the Alibaba Cloud Management Console

    Description: After you use a RAM user of the management account of a resource directory to assume the RAM role of a member in the resource directory and log on to the Alibaba Cloud Management Console, you can create a RAM user for the member and grant the required permissions to the RAM user. Then, you can log on to the Alibaba Cloud Management Console as the RAM user created for the member.

    References: Log on to the Alibaba Cloud Management Console as a RAM user

  • Logon method: Use the root user of a member to log on to the Alibaba Cloud Management Console (not recommended)

    Description: If you want to use a member of the cloud account type in a resource directory to log on to the Alibaba Cloud Management Console, you can use the username and password of the root user of the member. However, for security purposes, we recommend that you do not use this method.

    Applicable member type: This logon method is suitable for Alibaba Cloud accounts that are invited to join a resource directory as members. These members are of the cloud account type.

    References: Log on to the Alibaba Cloud Management Console as the root user of a member

  • Logon method: Use a CloudSSO user to log on to the Alibaba Cloud Management Console

    Description: CloudSSO is integrated with Alibaba Cloud Resource Directory to help you manage identities and access permissions for multiple accounts in a centralized manner. After you activate CloudSSO and grant access permissions on a member in a resource directory to the CloudSSO user, the CloudSSO user can log on to the CloudSSO user portal and access resources of the member based on the related access configuration.

    Applicable member type: This logon method is suitable for CloudSSO users.

    References: Use CloudSSO to manage the identities and permissions of multiple accounts of an enterprise in a centralized manner
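Because ResourceDirectoryAccountAccessRole lets the management account act inside every member, its trust policy is worth auditing for entities other than the management account. The following Python check is an added example, not part of the original documentation; it assumes the trust policy is available as a RAM policy JSON document with principals written as `acs:ram::<account-id>:root`, and the account IDs and sample policies are constructed.

```python
import json

ROLE_NAME = "ResourceDirectoryAccountAccessRole"  # role name given on the page


def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, management_account_id):
    """Return findings for one member's trust policy; an empty list means clean."""
    expected = f"acs:ram::{management_account_id}:root"  # assumed principal format
    findings, trusts_management = [], False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. a bare "*"
            findings.append(f"non-scoped principal: {principal!r}")
            continue
        for kind, entries in principal.items():
            for entry in _as_list(entries):
                if kind == "RAM" and entry == expected:
                    trusts_management = True
                else:
                    findings.append(f"unexpected {kind} principal: {entry}")
    if not trusts_management:
        findings.append("management account is not a trusted entity")
    return findings


# Constructed sample policies; the account IDs are made up for illustration.
MGMT_ID = "1000000000000001"
EXPECTED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"RAM": [f"acs:ram::{MGMT_ID}:root"]}}],
})
WIDENED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                   "Principal": {"RAM": [f"acs:ram::{MGMT_ID}:root",
                                         "acs:ram::1999999999999999:root"]}}],
})

if __name__ == "__main__":
    for name, doc in (("expected", EXPECTED_POLICY), ("widened", WIDENED_POLICY)):
        print(ROLE_NAME, name, audit_trust_policy(doc, MGMT_ID) or "OK")
```

A non-empty result for any member means an identity outside the management account can assume the role in that member and should be reviewed.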

How do I use the root user of a member to log on to the Alibaba Cloud Management Console?

Important

For security purposes, we recommend that you use a RAM user or RAM role instead of a root user to log on to the Alibaba Cloud Management Console.

The root user of a member refers to the Alibaba Cloud account identity of the member. The following descriptions provide details about the supported logon identities of different types of members:

  • Members of the cloud account type: This type of member is an Alibaba Cloud account that is invited to join a resource directory. You can directly use the username and password of such a member to log on to the Alibaba Cloud Management Console. For more information, see Log on to the Alibaba Cloud Management Console as the root user of a member.

  • Members of the resource account type: This type of member is directly created in a resource directory and does not have a root user. You can use only a RAM user or RAM role within the member to log on to the Alibaba Cloud Management Console. If you want to use a root user to log on to the Alibaba Cloud Management Console, you must switch the member from a resource account to a cloud account. To switch a member from a resource account to a cloud account, perform the following steps:

    1. Bind a mobile phone number to the member or change the email address of the member.

      For more information, see Bind a mobile phone number to a resource account or Change the account name (secure email address) of a member.

    2. Switch the member from a resource account to a cloud account.

      For more information, see Switch a resource account to a cloud account.

    3. Reset the password of the member.

      You can use the password retrieval feature to reset the password.

    4. Use the username and password of the member to log on to the Alibaba Cloud Management Console.

      For more information, see Log on to the Alibaba Cloud Management Console as the root user of a member.

    If the root user of the member is used, the security risks of the member increase. Keep the username and password of the root user secure. For security purposes, we recommend that you switch the member back to a resource account at the earliest opportunity if you no longer need to use the root user. For more information, see Switch a cloud account to a resource account.

How do I use a member to view information about the resource directory to which the member belongs?

  1. Log on to the Resource Management console as the member.

  2. In the left-side navigation pane, choose Resource Directory > Member Information.

  3. View the information about the resource directory to which the member belongs and the basic information about the member.

    • In the Resource Directory Information section of the Member Information page, view the information about the resource directory to which the member belongs.

      The information includes Resource Directory ID, Created At, Management Account, and Enterprise Name.

    • In the Member Information section of the Member Information page, view the basic information about the member.

      The information includes Location in Resource Directory, RDPath, Display Name, and Joined At.

Member deletion

How do I delete a member?

For more information, see Delete a member of the resource account type.

Why am I unable to delete a member?

  • You must use the root user of the management account of your resource directory or use a RAM user or RAM role to which the AliyunResourceDirectoryFullAccess policy is attached within the management account to enable the member deletion feature before you can delete members. For information about how to enable the member deletion feature, see Enable the member deletion feature.

  • You can use only a RAM user or RAM role to which the AliyunResourceDirectoryFullAccess policy is attached within the management account of your resource directory to delete members. You cannot use the root user of the management account to delete members. For more information, see Delete a member of the resource account type.

  • You can delete only members of the resource account type.

Which type of member can be deleted?

Only members of the resource account type can be deleted.

You can remove a member of the cloud account type from a resource directory but cannot delete it in the Resource Management console. After a member of the cloud account type is removed from a resource directory, the member becomes an independent Alibaba Cloud account. You can follow the related process to delete the account.

Can I recover a member after it is deleted?

After a member is deleted, the resources and data within the member are deleted, and you can no longer use the member to log on to the Alibaba Cloud Management Console. In addition, the member cannot be recovered. Proceed with caution.

What is the silence period for member deletion?

A member that has bills to be generated cannot be immediately deleted. Instead, after you trigger a deletion, the member enters a silence period, during which all bills for the member are generated. The following descriptions provide details:

  • The silence period is not fixed. It depends on the types of resources within the member and ranges from 2 days to 35 days.

  • During the silence period, you cannot purchase resources by using the member, perform operations on business data and resources within the member, or cancel the deletion of the member.

  • After the silence period ends, the system automatically starts to delete the member. You do not need to submit another deletion request.

The member that I want to delete has no resources. Why do I still need to wait for the silence period?

The member may have resources for which bills are not generated. You need to wait until all bills are generated. Therefore, the member can be deleted only after the silence period ends.

Do I need to submit another deletion request after the silence period ends?

No, you do not need to submit another deletion request. After the silence period ends, the system automatically starts to delete the member.

How do I view the end time of the silence period of a member?

  • You can log on to the Resource Management console, find the member, and then click Deletion Progress in the Actions column to view the end time of the silence period of the member.

  • You can call the GetAccountDeletionStatus operation. The value of the DeletionTime parameter in the response is the end time of the silence period.

What do I do if a member fails to be deleted after the silence period of the member ends?

If a member fails to be deleted after the silence period ends, you are notified of the failure by email. In this case, you need to submit another deletion request for the member.

How do I change the email address that is used to receive member deletion-related notifications?

By default, member deletion-related notifications are sent to the email address that is bound to the management account of a resource directory. To change the email address that is used to receive the notifications, log on to the Message Center console and click Modify in the Contact column that corresponds to Notifications of Product Release on the Common Settings page. In the dialog box that appears, specify a contact based on your business requirements.

Member invitation

In which scenarios does an account invitation become invalid?

An account invitation becomes invalid in the following scenarios:

  • The invitee does not confirm the invitation within 14 days after the invitation is initiated.

  • The inviter cancels the invitation.

Is the period of time in which an invitee must confirm an invitation limited?

Yes, the period of time in which an invitee must confirm an invitation is limited. An invitee must confirm an invitation within 14 days after the invitation is initiated. After the period elapses, the system changes the status of the invitation to Expired.

Can I delete invalid invitations?

The system automatically deletes invalid invitations 30 days after the invitations expire.

Why is an invitee unable to accept an invitation?

An invitee can accept an invitation and join a resource directory only if the invitee meets all the following conditions:

  • The invitee is not the management account or a member of a resource directory. An Alibaba Cloud account can join only one resource directory.

  • The invitee has passed enterprise verification. An Alibaba Cloud account that has not passed enterprise verification or has passed individual real-name verification cannot join a resource directory.

    An Alibaba Cloud account that has not passed enterprise verification or has passed individual real-name verification may be used arbitrarily to perform high-risk operations that are not protected by law. If such an account joins a resource directory, your assets on the cloud may be used for individual purposes. This may cause asset loss and security risks. Therefore, only enterprise accounts can be used to initiate and accept invitations. This keeps responsibility for account behavior within a legal entity and helps prevent security risks.

    If an invitee is unable to accept an invitation, use one of the following solutions:

    • If the invitee has not passed enterprise verification, complete enterprise verification for the invitee. For more information, see Enterprise verification.

    • If the invitee has passed individual real-name verification, upgrade the verification to enterprise verification.