This topic provides the definition and limits of a delegated administrator account and describes how to manage a delegated administrator account.

What is a delegated administrator account?

The management account of a resource directory can be used to specify a member in the resource directory as a delegated administrator account of a trusted service. After a member is specified as a delegated administrator account of a trusted service, the member can be used to access the information of the resource directory in the trusted service, including the structure and members of the resource directory, and to manage the business of that trusted service within the resource directory. For more information, see Trusted services that support delegated administrator accounts.

Delegated administrator accounts allow you to separate organization management tasks from business management tasks. The management account of a resource directory is used to perform the organization management tasks of the resource directory. Delegated administrator accounts are used to perform the business management tasks of the related trusted services. This separation of duties meets security-related requirements.

Limits

  • Only some trusted services support delegated administrator accounts. For more information, see Supported trusted services.
  • Only the management account of a resource directory, or a RAM user or RAM role of the management account that has the permissions specified in the following policy, can be used to add or remove delegated administrator accounts:
    {
        "Version": "1",
        "Statement": [{
            "Action": [
                "resourcemanager:RegisterDelegatedAdministrator",
                "resourcemanager:DeregisterDelegatedAdministrator"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }]
    }

    For more information about how to create a custom policy, see Create a custom policy.

  • Only members of a resource directory can be specified as delegated administrator accounts. The management account of a resource directory cannot be specified as a delegated administrator account.
  • The number of delegated administrator accounts that are allowed for a trusted service is defined by the trusted service.
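The following Python script is an added example, not part of the original topic or of the Resource Management product. It takes the policy document shown above and checks two things a practitioner cares about before attaching such a policy to a RAM user or role: that both required actions are actually granted, and that the policy does not grant more than those two actions through a wildcard. The evaluation logic is a simplified version of the usual RAM semantics (an explicit Deny overrides any Allow, and anything not allowed is implicitly denied) and is an assumption of this example; the action name `resourcemanager:OtherAction` and the second policy document are constructed here for illustration.

```python
import fnmatch
import json

# The policy from the page: the minimum needed to add and remove delegated
# administrator accounts.
MINIMAL_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [{
        "Action": [
            "resourcemanager:RegisterDelegatedAdministrator",
            "resourcemanager:DeregisterDelegatedAdministrator"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }]
}
""")

# Constructed for this example: a wildcard Allow on the whole service plus an
# explicit Deny on one of the two required actions.
BROAD_WITH_DENY_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {"Action": "resourcemanager:*", "Resource": "*", "Effect": "Allow"},
        {"Action": "resourcemanager:DeregisterDelegatedAdministrator",
         "Resource": "*", "Effect": "Deny"}
    ]
}
""")

REQUIRED_ACTIONS = (
    "resourcemanager:RegisterDelegatedAdministrator",
    "resourcemanager:DeregisterDelegatedAdministrator",
)


def _as_list(value):
    # RAM allows Action and Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource="*"):
    """Simplified RAM-style evaluation (assumption of this example):
    a matching Deny wins immediately, any matching Allow grants,
    and no match means implicit deny. Wildcards (* and ?) in Action and
    Resource are matched case-insensitively for actions."""
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_delegated_admin_policy(policy):
    """Return (missing, over_broad): required actions the policy does not
    grant, and Allow actions that use a wildcard and therefore grant more
    than the two actions the topic lists."""
    missing = [a for a in REQUIRED_ACTIONS if not is_allowed(policy, a)]
    over_broad = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for a in _as_list(stmt.get("Action", [])):
            if "*" in a or "?" in a:
                over_broad.append(a)
    return missing, over_broad


if __name__ == "__main__":
    for name, policy in (("minimal", MINIMAL_POLICY),
                         ("broad_with_deny", BROAD_WITH_DENY_POLICY)):
        missing, over_broad = check_delegated_admin_policy(policy)
        print(f"{name}: missing={missing} over_broad={over_broad}")
```

For the page's policy the check reports nothing missing and nothing over-broad. For the constructed second policy it reports that `DeregisterDelegatedAdministrator` is effectively denied (the Deny overrides the wildcard Allow) and flags `resourcemanager:*` as granting far more than the two actions needed, which is the case to avoid when delegating this capability to a RAM user or role.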

Add a delegated administrator account

  1. Log on to the Resource Management console by using the management account of your resource directory.
  2. In the left-side navigation pane, choose Resource Directory > Trusted Services.
  3. On the Trusted Services page, find the trusted service for which you want to add a delegated administrator account, and click Manage in the Actions column.
  4. In the Delegated Administrator Accounts section of the page that appears, click Add.
  5. In the Add Delegated Administrator Account panel, select a member.
  6. Click OK.
    Then, you can use the delegated administrator account to access the multi-account management module of the trusted service and perform administrative operations within the resource directory.

Remove a delegated administrator account

Warning The removal of a delegated administrator account may affect the use of the related trusted service. Proceed with caution when you perform this operation.
  1. Log on to the Resource Management console by using the management account of your resource directory.
  2. In the left-side navigation pane, choose Resource Directory > Trusted Services.
  3. On the Trusted Services page, find the trusted service for which you want to remove a delegated administrator account, and click Manage in the Actions column.
  4. In the Delegated Administrator Accounts section of the page that appears, find the delegated administrator account that you want to remove, and click Remove in the Actions column.
  5. In the Warning message, click Continue.
    Then, the account can no longer be used to access the information of the resource directory and view the structure and members of the resource directory in the trusted service.