Enterprises on Alibaba Cloud typically use multiple accounts to isolate business resources. The cross-account management feature of BDRC allows you to centrally manage the data protection of resources across multiple accounts within your enterprise. This unified approach reduces operational costs and improves disaster recovery consistency and compliance.
How it works
BDRC cross-account management is built on Resource Directory. Resource Directory is a foundational service that allows large enterprises to build multi-account organizational structures and centrally manage resources on Alibaba Cloud. As a trusted service of Resource Directory, BDRC leverages its organizational structure and authorization mechanisms to centrally manage data protection for resources in member accounts within the organization.
When a delegated administrator account (a member account authorized by the management account to perform administrative tasks in BDRC) enables cross-account management and adds member accounts, BDRC creates the AliyunServiceRoleForBdrcRd service-linked role to access resources in the member accounts. The delegated administrator account can then switch to a member account's perspective in the BDRC console to view its data protection score and resource information, and configure unified protection policies.
The following table describes the operations that are allowed for the delegated administrator account and member accounts in a cross-account scenario.
Member account resources | Delegated administrator actions | Member account actions |
ECS, OSS, NAS, and Tablestore | | |
OSS and Tablestore | | |
Enable cross-account management
Prerequisites
Enable Resource Directory and create member accounts or invite existing Alibaba Cloud accounts to join your resource directory. For more information, see Create a member or Invite an Alibaba Cloud account to join a resource directory.
Step 1: Set a BDRC delegated administrator
Log on to the Resource Management console using your management account.
In the left-side navigation pane, choose .
Search for BDRC and click Manage in the Actions column.
In the Delegated Administrator Account section, click Add, select the target member account, and then click OK.
Designating an account as a delegated administrator grants it permission to access information about the Resource Directory organization and its members, and to perform management operations from the BDRC console.
Step 2: Enable cross-account management
Log on to the BDRC console using the delegated administrator account.
In the left-side navigation pane, choose Cross-account Management and follow the on-screen instructions to enable the feature.
If the prerequisite check fails, follow the on-screen instructions to complete the prerequisite tasks and set the delegated administrator.
Step 3: Add member accounts
In the left-side navigation pane, choose Cross-account Management and then click Account Management.
On the Cross-account Management Configuration page, select the member accounts, the folders that contain the member accounts, or the entire resource directory that you want to manage, and then click OK.
Note: When you manage a folder or resource directory, new member accounts are automatically added to management. Conversely, accounts removed from the folder or directory are also removed from management, and their related data is cleared.
After the accounts are added, they appear in the cross-account management list.
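The scope rules in Step 3 (individual accounts, folders, or the whole resource directory, with folder membership resolved dynamically) and the related rule under "Disable cross-account management" (folder-managed accounts cannot be removed one by one) can be modelled as a small resolver. The following Python is an added example, not Alibaba Cloud's or BDRC's code; the folder names, account IDs and the shape of the "protection data" are constructed sample values.

```python
"""Resolving the cross-account management scope from a Resource Directory.

Added example (not Alibaba Cloud code). It models the Note above: managing a
folder or the whole directory makes membership dynamic, accounts that leave a
managed folder are dropped and their data cleared, and folder-managed accounts
cannot be removed individually. Folder names and account IDs are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Folder:
    name: str
    accounts: set = field(default_factory=set)
    subfolders: list = field(default_factory=list)

    def all_accounts(self):
        """Accounts in this folder and every folder below it."""
        found = set(self.accounts)
        for sub in self.subfolders:
            found |= sub.all_accounts()
        return found

    def find(self, name):
        if self.name == name:
            return self
        for sub in self.subfolders:
            hit = sub.find(name)
            if hit is not None:
                return hit
        return None


@dataclass
class ManagementConfig:
    accounts: set = field(default_factory=set)   # member accounts added individually
    folders: set = field(default_factory=set)    # folders added as a whole (by name)
    whole_directory: bool = False                # the entire resource directory


def resolve_scope(root, cfg):
    """Return (all managed accounts, the subset managed through a folder/directory)."""
    if cfg.whole_directory:
        everything = root.all_accounts()
        return everything, everything
    by_folder = set()
    for name in cfg.folders:
        folder = root.find(name)
        if folder is None:
            raise KeyError(f"folder {name!r} is not in the resource directory")
        by_folder |= folder.all_accounts()
    return set(cfg.accounts) | by_folder, by_folder


def reconcile(root, cfg, previously_managed, protection_data):
    """Re-resolve after the directory changed: accounts that left a managed
    folder are removed from management and their related data is cleared."""
    managed, _ = resolve_scope(root, cfg)
    removed = previously_managed - managed
    for account_id in removed:
        protection_data.pop(account_id, None)
    return managed, removed


def remove_from_management(root, cfg, account_id):
    """Individual removal; refused for accounts managed through a folder."""
    _, by_folder = resolve_scope(root, cfg)
    if account_id in by_folder:
        raise ValueError(f"{account_id} is folder-managed; remove the folder configuration instead")
    cfg.accounts.discard(account_id)


def build_sample_directory():
    # Constructed directory: root holds account 3001 plus folders prod and dev.
    prod = Folder("prod", accounts={"1001", "1002"})
    dev = Folder("dev", accounts={"2001"})
    return Folder("root", accounts={"3001"}, subfolders=[prod, dev])


def demo():
    root = build_sample_directory()
    cfg = ManagementConfig(accounts={"3001"}, folders={"prod"})
    managed, _ = resolve_scope(root, cfg)                 # {'1001', '1002', '3001'}
    data = {account: {"score": 80} for account in managed}  # constructed per-account data
    # Directory change: 1002 moves from prod to dev, 1003 is created in prod.
    root.find("prod").accounts -= {"1002"}
    root.find("dev").accounts.add("1002")
    root.find("prod").accounts.add("1003")
    managed, removed = reconcile(root, cfg, managed, data)
    try:
        remove_from_management(root, cfg, "1001")   # folder-managed: refused
        refused = False
    except ValueError:
        refused = True
    remove_from_management(root, cfg, "3001")       # individually added: allowed
    return {
        "managed": managed,
        "removed": removed,
        "cleared": "1002" not in data,
        "folder_removal_refused": refused,
        "after_individual_removal": resolve_scope(root, cfg)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two behaviours the page describes: after the directory change, account 1002 is silently dropped and its data cleared while 1003 is picked up, and an attempt to remove 1001 individually is refused because it is managed through the prod folder.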
Step 4: View member resources
After completing these configurations, you can use the delegated administrator account to view and manage the data protection information of member accounts in the BDRC console. You can switch between the added member accounts. The following table describes account switching support for each page.
Page | Account switching support |
Overview | You can select multiple accounts for an aggregated view or switch to a single account. |
 | You can switch to a single account. |
Resource Center (ECS, OSS, NAS, and Tablestore) | You can select multiple accounts for an aggregated view or switch to a single account. |
Risk Detection | You can select multiple accounts for an aggregated view or switch to a single account. |
After you switch accounts on a page, the change persists on other pages that support account switching. If you switch from a page that supports a multi-account view to one that supports only a single-account view, the console displays the view for the first selected account.
View cross-account scores
View the data protection dashboard
On the Overview page, the delegated administrator account can select one or more member accounts to view, either individually or in an aggregated format.
By default, the dashboard displays the score data for the current account.
You can manually select multiple accounts to view their aggregated data.
The resource group filter shows only the resource groups of the current account. For example, if you select both Account A and Account B and filter by the 'important' resource group (which is associated only with resources in Account A), the dashboard displays the score for resources in Account A that belong to the 'important' resource group.
Download a data protection report
You can filter by account and resource group, and then click Preview and Download Report to download a report on the data protection status.
Configure cross-account protection policies
Configure cross-account resource groups
The resource group management feature lets you group resources from multiple member accounts by using tags, which enables unified management.
Log on to the BDRC console using the delegated administrator account.
In the left-side navigation pane, choose .
Click Create Resource Group and follow the on-screen instructions to create a resource group.
Note: The tags associated with the resource group are matched against resources in all managed accounts. After you select the tags, you can click Detect Resources to view the number of affected accounts and resources.
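Two behaviours above share the same tag-matching logic: the Detect Resources count of affected accounts and resources for a tag-defined resource group, and the Overview dashboard case in "View the data protection dashboard" where selecting accounts A and B with the 'important' resource group scores only A's matching resources. The following Python is an added example, not BDRC's code. It assumes AND semantics for the selector (every tag must be present with the same value) and uses a stand-in score (percentage of in-scope resources that have an active backup), which is not BDRC's real scoring formula; all accounts, resources and tags are constructed sample data.

```python
"""Tag-based cross-account resource groups and the aggregated dashboard view.

Added example, not Alibaba Cloud code. Assumptions: a resource belongs to a
group when every selector tag matches (AND), and the score is a stand-in
(percentage of resources with an active backup), not BDRC's scoring formula.
"""
from dataclasses import dataclass, field


@dataclass
class Resource:
    account_id: str
    resource_type: str          # ECS, OSS, NAS or Tablestore
    resource_id: str
    tags: dict = field(default_factory=dict)
    protected: bool = False     # stand-in for "has an active backup/snapshot policy"


def matches(resource, selector):
    """All selector tags must be present with the same value (assumed AND semantics)."""
    return all(resource.tags.get(key) == value for key, value in selector.items())


def detect_resources(resources, selector):
    """Mirror of Detect Resources: (number of affected accounts, number of affected resources)."""
    hits = [r for r in resources if matches(r, selector)]
    return len({r.account_id for r in hits}), len(hits)


def protection_score(resources, selected_accounts, selector=None):
    """Stand-in dashboard score for the selected accounts, optionally narrowed to a
    resource group. Returns None when no resource is in scope."""
    in_scope = [
        r for r in resources
        if r.account_id in selected_accounts and (selector is None or matches(r, selector))
    ]
    if not in_scope:
        return None
    return round(100 * sum(r.protected for r in in_scope) / len(in_scope), 1)


# Constructed sample inventory across three member accounts A, B and C.
SAMPLE_RESOURCES = [
    Resource("A", "ECS", "i-a1", {"env": "prod", "tier": "important"}, protected=True),
    Resource("A", "OSS", "bucket-a2", {"env": "prod", "tier": "important"}, protected=False),
    Resource("A", "NAS", "fs-a3", {"env": "dev"}, protected=True),
    Resource("B", "ECS", "i-b1", {"env": "prod"}, protected=True),
    Resource("B", "Tablestore", "ots-b2", {"env": "prod"}, protected=False),
    Resource("C", "OSS", "bucket-c1", {"env": "prod"}, protected=True),
]


if __name__ == "__main__":
    important = {"tier": "important"}
    # Only account A carries the 'important' tag, so Detect Resources reports 1 account, 2 resources.
    print("Detect Resources, tier=important:", detect_resources(SAMPLE_RESOURCES, important))
    # Accounts A and B selected, filtered by the 'important' group: only A's two resources count.
    print("Score A+B, tier=important:", protection_score(SAMPLE_RESOURCES, {"A", "B"}, important))
    print("Score A+B+C, no group filter:", protection_score(SAMPLE_RESOURCES, {"A", "B", "C"}))
```

With accounts A and B selected and the 'important' group applied, the score covers only A's two tagged resources (one protected, one not), which is the behaviour the dashboard description above spells out; widening the selector to `env=prod` shows the group spanning three accounts.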
Configure cross-account protection policies
A delegated administrator account can configure a unified protection policy and apply it to multiple member accounts.
Log on to the BDRC console using the delegated administrator account.
In the left-side navigation pane, choose Protection Policy Center and follow the on-screen instructions to create a protection policy.
Sub-policies created under a protection policy belong to the delegated administrator account, not the member accounts, and are not associated with their existing Cloud Backup policies. These policies are applied across accounts via resource groups, eliminating the need for individual configuration in each member account.
Disable cross-account management
Step 1: Remove an account
Log on to the BDRC console using the delegated administrator account.
In the left-side navigation pane, choose Cross-account Management.
In the member account list, find the target member account, click Remove from Management in the Actions column, and then click OK.
Member accounts that are automatically managed through a folder cannot be removed individually. You must go to the Account Management page and remove the management configuration for the folder. After you do this, all member accounts in that folder are removed from management.
When you remove a member account from management, any protection policies and resource groups associated with its resources no longer apply. The account's resources are also removed from all related sub-policies.
Step 2: (Optional) Remove the delegated administrator
To revoke the management permissions of a delegated administrator account, perform the following steps:
Before you remove a delegated administrator account, ensure that it is not managing any member accounts. You cannot remove a delegated administrator account that is still managing other accounts.
Log on to the Resource Management console using your management account.
In the left-side navigation pane, choose .
Search for BDRC and click Manage in the Actions column.
In the Delegated Administrator Account section, find the target delegated administrator account, click Remove in the Actions column, and then click OK.
Quotas and limitations
Enabling cross-account management does not restrict member accounts from using BDRC. The configurations in a member account are independent of the delegated administrator account. Resources such as resource groups, protection policies, and messages are not shared.
Billing
The BDRC cross-account management feature itself is free of charge. However, you are billed for any services you use to improve your data protection score or fix risks, such as cloud disk snapshots and Cloud Backup, according to their respective pricing. For more information, see Product pricing.