Enterprise Distributed Application Service:Account system

In EDAS, an Alibaba Cloud account owns all resources within the account and has full operation permissions on EDAS. The Alibaba Cloud account used to purchase the EDAS service is also the billing account.

In the EDAS console, choose System Management > Alibaba Cloud Account in the left-side navigation pane to view the maximum number of application instances allowed, the number of existing application instances, and the edition of EDAS within the Alibaba Cloud account.

EDAS supports the account system of RAM. When you use EDAS, we recommend that you use the account system of RAM. You can use the Alibaba Cloud account that is used to purchase the EDAS service to log on to the RAM console, create RAM users, and then grant minimum permissions to the RAM users as needed. This allows you to complete different types of jobs by using different user identities for efficient enterprise management.

In the EDAS console, choose System Management > RAM User in the left-side navigation pane to view the following information and perform the following operations:

• Log on to the EDAS console by using your Alibaba Cloud account. You can view all the RAM users within the Alibaba Cloud account.
• On the RAM User page, click Synchronize RAM User in the upper-right corner to synchronize RAM users.
• Sub-accounts that are configured with EDAS-defined permissions and are not switched to RAM users can be used to manage roles and manage applications and resource groups.
• You can switch built-in EDAS sub-accounts to RAM users. For more information, see Replace EDAS-defined permissions with RAM policies.

EDAS provides independent sub-accounts in its original account system. You can no longer create sub-accounts in EDAS. We recommend that you switch your existing sub-accounts to RAM users. For more information, see Replace EDAS-defined permissions with RAM policies.

A role is a virtual user who owns a series of specified permissions. A role does not have a specific AccessKey pair. A role can be used only after the role is assumed by a trusted entity.

In EDAS, you can create roles and can also use RAM roles.

A policy is a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions.

Policies can be created only in RAM. The built-in permission control mode of EDAS can authorize only sub-accounts to manage applications or resource groups.

A company uses Account A to purchase the EDAS service. Account A is a billing account and also an Alibaba Cloud account. Two departments in the company need to use EDAS. Therefore, Sub-accounts or RAM users B and C can be created within Account A for the two departments and granted the management permissions of EDAS. This way, the two departments can use EDAS by using Sub-accounts or RAM users B and C without purchasing this service again.

If Sub-accounts or RAM users B and C need to use the full features of EDAS, such as creating or running applications, Sub-accounts or RAM users B and C must be used to purchase resources such as Elastic Compute Service (ECS) instances. In this case, Account A that is an Alibaba Cloud account cannot be used to purchase the resources.

After resources are prepared, sub-accounts or RAM users are created for departments within three different Alibaba Cloud accounts to grant and manage permissions and resources.

• Account A grants all ECS resources and all permissions to Sub-account or RAM user a.
• Account B creates the application administrator and operations administrator roles and assigns the two roles to Sub-accounts or RAM users b1 and b2.
• Account C creates a role that has the permissions to view applications, and assigns the role to Sub-account or RAM user c.