By default, ActionTrail records the events that were generated within your Alibaba Cloud account in the last 90 days. You can query these events in the ActionTrail console. To query the events that were generated more than 90 days ago, you must create a trail first to record these events. After an enterprise enables a resource directory, the enterprise can use the delegated administrator account or the management account to create one multi-account trail in the ActionTrail console. The multi-account trail can deliver the events of all members in the resource directory to a specified Object Storage Service (OSS) bucket or Log Service Logstore.

The following figure shows how a multi-account trail works with a resource directory.


Terms

management account
  A management account is an account that is used to enable a resource directory and is the super administrator of the resource directory. The management account has all administrative permissions on the resource directory and the members in the resource directory. Only an Alibaba Cloud account that has passed the enterprise real-name verification can be used as a management account. Each resource directory has only one management account.

member
  A member serves as a container for resources and is also an organizational unit in a resource directory. A member indicates a project or an application. The resources of different members are isolated. You can use the management account of your resource directory to authorize RAM users, user groups, or roles to access the resources of members.

  You can also use the management account to create a member in the resource directory or invite an Alibaba Cloud account to join the resource directory as a member.

delegated administrator account
  The management account of a resource directory can be used to specify a member in the resource directory as the delegated administrator account of ActionTrail for the resource directory. After a member is specified as the delegated administrator account of ActionTrail, the delegated administrator account can be used to access the information about the resource directory in ActionTrail. The information includes the structure and members of the resource directory. The delegated administrator account can also be used to manage business within the resource directory.

multi-account trail
  A multi-account trail is a trail that is created to track and record the events of all members in a resource directory. A multi-account trail can be created by using a delegated administrator account or a management account. A multi-account trail can deliver the events of all members in a resource directory to the specified OSS bucket or Log Service Logstore.

single-account trail
  A single-account trail is a trail that is created to track and record the events of the Alibaba Cloud account that is used to create the trail.

Differences between multi-account and single-account trails

Single-account trail
  • Created by: Alibaba Cloud account
  • Scope of events: events of the current account
  • Event query method:
    • Use the ActionTrail console
    • Call the LookupEvents operation
    • Use the OSS console
    • Use the Log Service console
  • Maximum number of trails allowed: five in each region

Multi-account trail
  • Created by: delegated administrator account or management account
  • Scope of events: events of all members in the resource directory involved
  • Event query method:
    • Delegated administrator account or management account:
      • Use the ActionTrail console
      • Call the LookupEvents operation
    • Member:
      • Use the OSS console
      • Use the Log Service console
  • Maximum number of trails allowed: one for all regions

Impacts brought by member changes in a resource directory

Take note of the following impacts that may be brought by member changes in a resource directory:

  • After the management account is used to create a member in the resource directory or invite an Alibaba Cloud account to join the resource directory as a member, the new member can view the created multi-account trail in the trail list. The events of the new member are automatically delivered to the OSS bucket or Log Service Logstore specified for the multi-account trail.
  • After a member is removed from the resource directory, the member cannot view the created multi-account trail. The events of the member are no longer delivered to the OSS bucket or Log Service Logstore specified for the multi-account trail. However, the events that have been delivered are not automatically deleted.
  • Changes of the resource directory to which a member belongs do not affect the delivery of events.
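Because delivery for a member stops silently once the member leaves the resource directory, while its already delivered events remain in the bucket, a periodic coverage check over the delivered data is a useful control. The following Python script is an added example written for this page, not ActionTrail code or an Alibaba Cloud SDK call: it reads event records of the kind a multi-account trail delivers, takes the most recent event time per account, and compares that with the current member list. The sample event records and the member list are constructed for the example and carry only the fields the check needs (`userIdentity.accountId`, `eventName`, `eventTime`, `acsRegion`); the account IDs, names and times are made up.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample input: ActionTrail event records as they would be read
# back from the OSS bucket or Logstore that a multi-account trail delivers to.
# Only the fields this check needs are included; all values are made up.
DELIVERED_EVENTS = [
    {"eventName": "CreateTrail", "eventTime": "2024-05-01T10:00:00Z",
     "acsRegion": "cn-hangzhou",
     "userIdentity": {"type": "root-account", "accountId": "111111111111"}},
    {"eventName": "PutBucket", "eventTime": "2024-05-03T08:30:00Z",
     "acsRegion": "cn-shanghai",
     "userIdentity": {"type": "ram-user", "accountId": "222222222222"}},
    {"eventName": "DeleteInstance", "eventTime": "2024-04-02T12:00:00Z",
     "acsRegion": "cn-hangzhou",
     "userIdentity": {"type": "ram-user", "accountId": "444444444444"}},
]

# Constructed member list of the resource directory (account ID -> name).
# 444444444444 is deliberately absent: it models a member that was removed
# and whose already delivered events are still in the bucket.
MEMBERS = {
    "111111111111": "management-account",
    "222222222222": "member-payments",
    "333333333333": "member-analytics",
}


def parse_event_time(value):
    """Parse an eventTime value written as an ISO 8601 UTC string with a Z suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_event_per_account(events):
    """Map each account ID seen in the delivered events to its most recent event time."""
    latest = {}
    for event in events:
        account = event["userIdentity"]["accountId"]
        when = parse_event_time(event["eventTime"])
        if account not in latest or when > latest[account]:
            latest[account] = when
    return latest


def check_coverage(events, members, now, max_silence):
    """Compare delivered events with the member list.

    Returns a dict with two sorted lists:
      silent  - members with no delivered event inside the max_silence window
                (a delivery gap or a member that no longer sends events)
      unknown - account IDs present in the data but not in the member list
                (for example a removed member whose old events were kept)
    """
    latest = latest_event_per_account(events)
    cutoff = now - max_silence
    silent = sorted(
        acct for acct in members
        if acct not in latest or latest[acct] < cutoff
    )
    unknown = sorted(acct for acct in latest if acct not in members)
    return {"silent": silent, "unknown": unknown}


def run_sample_check():
    """Run the check over the constructed data with a fixed 'now' and a 7-day window."""
    now = datetime(2024, 5, 4, tzinfo=timezone.utc)
    return check_coverage(DELIVERED_EVENTS, MEMBERS, now, timedelta(days=7))


if __name__ == "__main__":
    print(json.dumps(run_sample_check(), indent=2))
```

In practice the events would be read from the delivery target and the member list from the resource directory; the `silent` list is the one to alert on, and `unknown` tells you which former members still have data in the bucket that may need a retention decision.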