
Cloud Governance Center: Configure identities and permissions

Last Updated: Jun 24, 2026

Plan your identity and permission management strategy before migrating to the cloud to reduce security risks and simplify multi-account operations. Agentic Cloud Governance Center provides a guided wizard to configure identities and permissions across member accounts in your resource directory, along with predefined access configuration templates and governance baselines based on best practices.

Background information

CloudSSO integrates with Alibaba Cloud Resource Directory for centralized multi-account identity management and access control. Configure once to manage identities and permissions across multiple accounts. We recommend CloudSSO for identity and permission management. For more information, see What is CloudSSO?

Initialize identities and permissions

  1. Log on to the Agentic Cloud Governance Center console.

  2. In the left-side navigation pane, choose Landing Zone > LandingZone Setup.

  3. In the Standard Blueprint or Standard Blueprint (CEN) section, click Build.

    This example uses a standard blueprint.

  4. In the Added Items section of the Configure Blueprint page, click CloudSSO.

    Note

    If the item is not in the Added Items section, click Add Item, select it, and click Add.

  5. Configure CloudSSO parameters.

    1. In the Basic Information section, configure the following parameters:

      • Region

        Select a region close to your business data for data security. For more information, see Create a CloudSSO directory.

      • Catalog Name

        Must be globally unique. Prefix with your enterprise name to avoid conflicts.

      • Logon Timeout

        Maximum duration a CloudSSO user can access an account through access configurations. Valid values: 3600–43200 seconds (1–12 hours). Default: 3600 (1 hour).

    2. In the Access Configuration Template section, view the predefined access configuration template.

      Agentic Cloud Governance Center provides the following predefined access configurations based on best practices. These are automatically provisioned in CloudSSO and can be bound to specified accounts.

      | Access configuration | Permission |
      | --- | --- |
      | Administrator | Full permissions on all Alibaba Cloud resources. |
      | Iam | Manages identities and permissions for all enterprise accounts with console access. |
      | Billing | Financial management: bills, account balances, invoices, and contracts. |
      | AuditAdministrator | Full permissions on Cloud Config, ActionTrail, and Log Service. Read-only access to all resource statuses. |
      | LogAdministrator | Manages logs. |
      | LogAudit | Read-only access to logs. |
      | NetworkAdministrator | Manages network services and security groups. |
      | SecurityAudit | Read-only access to security service data. Cannot modify security configurations. |
      | SecurityAdministrator | Full permissions on all security services. |

      For more information about access configurations, see Access configuration overview.
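
The following pre-check is an added example, not Alibaba Cloud code: it reviews a planned configuration against the Logon Timeout range, the Catalog Name prefix advice, and the predefined template names listed above before you enter them in the wizard. The plan layout, the `review_plan` function, the `examplecorp-` prefix, and the rule that a timeout above the default deserves review when write-capable templates are bound are assumptions of this example.

```python
# Limits and template names are taken from the page; everything else is constructed.
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 3600, 43200, 3600  # seconds

# Template name -> True when the page describes it as read-only.
TEMPLATES = {
    "Administrator": False, "Iam": False, "Billing": False,
    "AuditAdministrator": False, "LogAdministrator": False,
    "LogAudit": True, "NetworkAdministrator": False,
    "SecurityAudit": True, "SecurityAdministrator": False,
}

def review_plan(plan, enterprise_prefix):
    """Return (level, message) findings for a planned setup (hypothetical layout)."""
    findings = []
    timeout = plan["logon_timeout"]
    in_range = isinstance(timeout, int) and TIMEOUT_MIN <= timeout <= TIMEOUT_MAX
    if not in_range:
        findings.append(("error", f"logon_timeout {timeout!r} is outside {TIMEOUT_MIN}-{TIMEOUT_MAX} s"))
    if not plan["directory_name"].startswith(enterprise_prefix):
        findings.append(("warn", "directory_name lacks the enterprise prefix"))
    writers = set()
    for b in plan["bindings"]:
        name = b["template"]
        if name not in TEMPLATES:
            # This check is case-sensitive; suggest the spelling used in the table.
            hint = next((k for k in TEMPLATES if k.lower() == name.lower()), None)
            suffix = f", did you mean {hint!r}?" if hint else ""
            findings.append(("error", f"unknown template {name!r}{suffix}"))
        elif not TEMPLATES[name]:
            writers.add((b["principal"], name))
    # Assumed local policy: a timeout above the default needs review when
    # templates that can modify resources are bound.
    if in_range and timeout > TIMEOUT_DEFAULT and writers:
        findings.append(("warn", f"{timeout} s sessions cover write-capable bindings: {sorted(writers)}"))
    return findings

# Constructed sample plan, not output of any Alibaba Cloud tool.
PLAN = {
    "directory_name": "sso-prod",
    "logon_timeout": 28800,
    "bindings": [
        {"principal": "ops-team", "account": "prod", "template": "Administrator"},
        {"principal": "auditors", "account": "prod", "template": "SecurityAudit"},
        {"principal": "idm-team", "account": "mgmt", "template": "IAM"},
    ],
}

if __name__ == "__main__":
    for level, msg in review_plan(PLAN, "examplecorp-"):
        print(f"{level}: {msg}")
```
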

Manage identities and permissions

After initialization, view or modify your CloudSSO configuration.

  1. Log on to the Agentic Cloud Governance Center console.

  2. In the left-side navigation pane, choose Multi-account Management > Identities and Permissions.

  3. On the Access Configuration Template tab, view access configuration details.

  4. On the IdP Information tab, download the IdP metadata file or modify IdP settings.