To help you improve enterprise information security and implement enterprise-level account management, Enterprise Distributed Application Service (EDAS) provides a built-in account management system. In addition, EDAS is connected to the account system of Resource Access Management (RAM). The built-in account system of EDAS is gradually migrated to the account system of RAM.
The account system includes Alibaba Cloud accounts, RAM users, sub-accounts, and roles. The sub-accounts are built in EDAS and are not recommended.
- Alibaba Cloud account
In EDAS, an Alibaba Cloud account owns all resources within the account and has full operation permissions on EDAS. The Alibaba Cloud account used to purchase the EDAS service is also the billing account.
In the EDAS console, choose Maximum Application Instances Allowed, Current Application Instances, and Product Series within the Alibaba Cloud account.in the left-side navigation pane to viewNote You can bind the existing billing account of EDAS to other Alibaba Cloud accounts for which EDAS is not activated. To unbind the existing billing account of EDAS from other Alibaba Cloud accounts, submit a ticket.
- RAM user
EDAS supports the account system of RAM. When you use EDAS, we recommend that you use the account system of RAM. The Alibaba Cloud account of EDAS can log on to the RAM console, create RAM users, and assign minimum permissions to RAM users as needed. This allows you to complete different types of jobs by using different user identities for efficient enterprise management.
In the EDAS console, choosein the left-side navigation pane to view the following information and complete the following operations:
- Log on to the console by using your Alibaba Cloud account. You can view all the RAM users within the Alibaba Cloud account.
- On the RAM User page, click Synchronize RAM User in the upper-right corner to synchronize RAM users.
- Sub-accounts that are configured with the built-in permissions of EDAS and are not migrated to RAM for authorization can manage roles and authorize applications and resource groups.
- You can migrate built-in sub-account permissions of EDAS to RAM. For more information, see Replace EDAS-defined permissions with RAM permission policies.
- Built-in EDAS sub-account (not recommended)
EDAS provides independent sub-accounts in its original account system. You can no longer create sub-accounts in EDAS. We recommend that you switch your existing sub-accounts to RAM. For more information, see Replace EDAS-defined permissions with RAM permission policies.Note Before you switch built-in EDAS sub-accounts to RAM, you can still manage their permissions. For more information, see .
A role is a virtual user who owns a series of specified permissions. A role does not have a specific AccessKey pair. A role can be used only after the role is assumed by a trusted entity.
In EDAS, you can create roles and can also use RAM roles.
A policy is a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions.
Policies can be created only in RAM. The built-in permission control mode of EDAS can authorize only sub-accounts to manage applications or resource groups.
The following section describes three scenarios of the EDAS account system.
- Scenario 1
A company uses Account A to purchase the EDAS service. Account A is a billing account and also an Alibaba Cloud account. Two departments in the company need to use EDAS. Therefore, Sub-account or RAM User B and C can be created within Account A for the two departments and granted management permissions of EDAS. This way, the two departments can use EDAS by using Sub-account or RAM User B and C without purchasing this service again.
- Scenario 2
If Sub-account or RAM User B and C need to use the full features of EDAS, such as creating or running applications, Sub-account or RAM User B and C must be used to purchase resources such as Elastic Compute Service (ECS) instances. In this case, Account A that is an Alibaba Cloud account cannot be used to purchase the resources.
- Scenario 3
After resources are prepared, sub-accounts or RAM users are created for departments within three different Alibaba Cloud accounts to assign and manage permissions and resources.
- Account A grants all ECS resources and all permissions to Sub-account or RAM User a.
- Account B creates the application administrator and operations administrator roles and authorizes these roles to Sub-account or RAM User b1 and b2.
- Account C creates a role that has the permission to view applications, and authorizes the role to Sub-account or RAM User c.