This topic describes what a delegated administrator account is, the limits that apply to it, and how to add and remove one.

What is a delegated administrator account?

The enterprise management account of a resource directory can designate a member account of that resource directory as the delegated administrator account of a trusted service. Once designated, the member account can read the information of the resource directory in that trusted service, view the structure and member accounts of the resource directory there, and manage the service's business across the resource directory. For more information, see Trusted services that support delegated administrator accounts.

Delegated administrator accounts separate organization management from business management. The enterprise management account performs the organization management tasks of the resource directory; delegated administrator accounts perform the business management tasks of their trusted services. This separation of duties keeps the management account, the most privileged identity in the resource directory, out of routine service administration, so its credentials are used less often and a compromise of a service administrator does not by itself yield control of the directory.

Limits

  • Only some trusted services support delegated administrator accounts. For more information, see Supported trusted services.
  • Only the enterprise management account of a resource directory, or a RAM user or RAM role of that account that has been granted the permissions in the following policy, can add or remove delegated administrator accounts:
    {
        "Version": "1",
        "Statement": [{
            "Action": [
                "resourcemanager:RegisterDelegatedAdministrator",
                "resourcemanager:DeregisterDelegatedAdministrator"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }]
    }

    For more information about how to create a custom policy, see Create a custom policy.

  • Only member accounts of a resource directory can be delegated administrator accounts. The enterprise management account of the resource directory cannot be specified as one.
  • The number of delegated administrator accounts allowed for a trusted service is defined by that trusted service.

Add a delegated administrator account

  1. Log on to the Resource Management console by using the enterprise management account of your resource directory.
  2. In the left-side navigation pane, choose Resource Directory > Trusted Services.
  3. On the Trusted Services page, find the trusted service for which you want to add a delegated administrator account, and click Modify Delegated Administrator Account in the Actions column.
  4. Click Add Delegated Administrator Account.
  5. In the Add Delegated Administrator Account panel, select a member account.
  6. Click OK.
    Then, you can use the delegated administrator account to access the multi-account management module of the trusted service and perform administrative operations within the resource directory.

Remove a delegated administrator account

Notice: Removing a delegated administrator account may affect the use of the related trusted service. Proceed with caution.
  1. Log on to the Resource Management console by using the enterprise management account of your resource directory.
  2. In the left-side navigation pane, choose Resource Directory > Trusted Services.
  3. On the Trusted Services page, find the trusted service for which you want to remove a delegated administrator account, and click Modify Delegated Administrator Account in the Actions column.
  4. On the page that appears, find the delegated administrator account that you want to remove, and click Remove in the Actions column.
  5. In the Warning message, click Continue.
    The account can then no longer access the information of the resource directory in the trusted service or view the structure and member accounts of the resource directory there.
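As an added example (not code from the Resource Management documentation), the following Python script performs the add and remove procedures above through the Alibaba Cloud CLI (`aliyun`) instead of the console, checks the limits listed earlier before each call (well-formed member account ID, not the management account, optional per-service quota, no duplicate registration) and confirms afterwards that the change actually took effect. Everything beyond what the page states is an assumption: that the CLI is installed and configured with credentials of the management account or of a RAM user or role holding the two permissions above; that the Resource Manager API actions GetResourceDirectory, ListDelegatedAdministrators, RegisterDelegatedAdministrator and DeregisterDelegatedAdministrator accept the parameters and return the field names used here; and that `config.aliyuncs.com` is a valid service principal for your trusted service. `FakeRunner` is a constructed in-memory stand-in for the CLI so the script runs offline.

```python
"""Added example: delegated-administrator add/remove via the aliyun CLI with the
page's limits enforced up front and the result verified afterwards. API action,
parameter and response-field names are assumptions, not taken from this page."""
import json
import re
import subprocess
from typing import Callable, Dict, List, Optional, Set

# A runner turns ["Action", "--Param", "value", ...] into the parsed JSON response.
Runner = Callable[[List[str]], dict]

ACCOUNT_ID_RE = re.compile(r"^\d{16}$")  # assumption: account IDs are 16 decimal digits


def cli_runner(args: List[str]) -> dict:
    """Invoke `aliyun resourcemanager <Action> ...` and parse its JSON output."""
    proc = subprocess.run(["aliyun", "resourcemanager", *args],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def management_account_id(run: Runner) -> str:
    """The enterprise management account can never be a delegated administrator."""
    return run(["GetResourceDirectory"])["ResourceDirectory"]["MasterAccountId"]


def list_delegated_admins(run: Runner, service_principal: str) -> Set[str]:
    """Account IDs currently delegated for one trusted service (walks all pages)."""
    found: Set[str] = set()
    page = 1
    while True:
        resp = run(["ListDelegatedAdministrators", "--ServicePrincipal", service_principal,
                    "--PageNumber", str(page), "--PageSize", "100"])
        accounts = resp.get("Accounts", {}).get("Account", [])
        found.update(a["AccountId"] for a in accounts)
        if not accounts or len(found) >= int(resp.get("TotalCount", 0)):
            return found
        page += 1


def register_delegated_admin(run: Runner, account_id: str, service_principal: str,
                             max_admins: Optional[int] = None) -> bool:
    """Add a delegated administrator; returns False if it was already registered."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"malformed account ID: {account_id!r}")
    if account_id == management_account_id(run):
        raise ValueError("the enterprise management account cannot be a delegated administrator")
    current = list_delegated_admins(run, service_principal)
    if account_id in current:
        return False  # idempotent: nothing to do
    # The per-service quota is defined by the trusted service; pass it in if you know it.
    if max_admins is not None and len(current) >= max_admins:
        raise RuntimeError(f"{service_principal} already has {len(current)} delegated administrators")
    run(["RegisterDelegatedAdministrator", "--AccountId", account_id,
         "--ServicePrincipal", service_principal])
    if account_id not in list_delegated_admins(run, service_principal):
        raise RuntimeError("registration was accepted but the account is not listed")
    return True


def deregister_delegated_admin(run: Runner, account_id: str, service_principal: str) -> bool:
    """Remove a delegated administrator; returns False if it was not registered."""
    if account_id not in list_delegated_admins(run, service_principal):
        return False
    run(["DeregisterDelegatedAdministrator", "--AccountId", account_id,
         "--ServicePrincipal", service_principal])
    if account_id in list_delegated_admins(run, service_principal):
        raise RuntimeError("removal was accepted but the account is still listed")
    return True


class FakeRunner:
    """Constructed offline stand-in for cli_runner that mimics the four API actions."""

    def __init__(self, master: str):
        self.master = master
        self.admins: Dict[str, Set[str]] = {}

    def __call__(self, args: List[str]) -> dict:
        action, params = args[0], dict(zip(args[1::2], args[2::2]))
        sp, acct = params.get("--ServicePrincipal"), params.get("--AccountId")
        if action == "GetResourceDirectory":
            return {"ResourceDirectory": {"MasterAccountId": self.master}}
        if action == "ListDelegatedAdministrators":
            ids = sorted(self.admins.get(sp, set()))
            return {"TotalCount": len(ids),
                    "Accounts": {"Account": [{"AccountId": i, "ServicePrincipal": sp} for i in ids]}}
        if action == "RegisterDelegatedAdministrator":
            self.admins.setdefault(sp, set()).add(acct)
        elif action == "DeregisterDelegatedAdministrator":
            self.admins.get(sp, set()).discard(acct)
        return {}


if __name__ == "__main__":
    run = FakeRunner(master="1000000000000000")  # swap in cli_runner for a real directory
    print(register_delegated_admin(run, "1234567890123456", "config.aliyuncs.com"))
    print(sorted(list_delegated_admins(run, "config.aliyuncs.com")))
    print(deregister_delegated_admin(run, "1234567890123456", "config.aliyuncs.com"))
```

Replace `FakeRunner` with `cli_runner` to act on a real resource directory. Because the script lists the current delegated administrators before and after every call, rerunning it is harmless, and an API call that is accepted without the change becoming visible is reported as an error instead of being assumed to have worked.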