Enterprise Distributed Application Service (EDAS) provides a comprehensive user management system that supports Alibaba Cloud accounts and Resource Access Management (RAM) users to help you achieve enterprise-level account management and improve enterprise information security. An Alibaba Cloud account can assign permissions and resources to multiple RAM users as needed, in accordance with the principle of least privilege. This lowers the risks to enterprise information security and reduces the workload of the Alibaba Cloud account.
Before adopting Alibaba Cloud RAM, EDAS was developed with a strict primary and sub-account system to implement separation between users and permissions. Since its July 2016 upgrade, EDAS has supported the RAM system.
The following figure shows the account system of EDAS.
The billing account is an Alibaba Cloud account used to buy the EDAS service. If multiple departments of an enterprise need to use EDAS, you can create a billing account to buy the EDAS service and then bind it with multiple Alibaba Cloud accounts to give other Alibaba Cloud accounts access to EDAS. This helps customers maximize their benefits.
Billing account and Alibaba Cloud account:
- All billing accounts are Alibaba Cloud accounts, but not all Alibaba Cloud accounts are billing accounts.
- Each Alibaba Cloud account is an independent account that owns all resources bought with the account and has full permissions on EDAS except that it cannot bind other Alibaba Cloud accounts.
- A billing account is an independent Alibaba Cloud account. The payment binding relationship between the billing account and other Alibaba Cloud accounts is only effective for the purpose of EDAS purchase. The billing account cannot be used to buy any resources other than EDAS on behalf of the bound Alibaba Cloud accounts. A bound Alibaba Cloud account must buy resources such as Elastic Compute Service (ECS) and Server Load Balancer (SLB) instances by itself even if it is bound to a billing account for EDAS purchase. For more information, see .
The following describes three scenarios of the EDAS account system.
A company uses Account A to buy EDAS. Account A is a billing account and also an Alibaba Cloud account. The company binds this billing account to the Alibaba Cloud accounts of two departments (Account B and Account C). In this way, the departments can access EDAS without purchasing EDAS again, as shown in the following figure.
If Account B and Account C require the full functions of EDAS, for example, to create or run applications, the two accounts rather than Account A must be used to buy resources such as ECS instances, as shown in the following figure.
After resources are prepared, RAM users are created under the three Alibaba Cloud accounts and used to assign and manage permissions and resources. RAM user a is created under Account A and assigned all ECS resources and permissions. The application administrator and operation administrator roles are created under Account B and assigned to RAM user b1 and RAM user b2, respectively. A role for application query is created under Account C and assigned to RAM user c.