Cloud Config: Manage a delegated administrator account

Last Updated: Sep 04, 2023

You can use the management account of your resource directory to specify a member account as the delegated administrator account of Cloud Config. After it is configured, the delegated administrator account is authorized to manage account groups, view the resources of member accounts in each account group, manage compliance packages and rules in each account group, and configure resource data delivery.

Prerequisites

Background information

For information about delegated administrator accounts, see Manage a delegated administrator account.

Scenarios

A delegated administrator account can be used to separate organizational management tasks from auditing tasks. This is essential for the cloud security management of your business.

By default, the management account of your resource directory serves as the superuser of your enterprise. As an IT management best practice, we recommend that you use the management account for the organizational management of the resource directory instead of for resource configuration management. This prevents accidental operations by the management account, which has excessive permissions. You can delegate a member account to perform global resource management operations on the resource directory for your business. For example, you can use the management account to specify a member account as the delegated administrator account of Cloud Config. Then, the audit department of your enterprise can own and use the delegated administrator account to evaluate resource compliance and deliver resource data.

Add a delegated administrator account

You can specify a member account in the resource directory as the delegated administrator account of Cloud Config to evaluate monitored resources. The management account shares permissions on Cloud Config with the delegated administrator account. An employee can use the delegated administrator account to manage account groups, view resources of member accounts in account groups, manage compliance packages and rules in account groups, and deliver resource data.

You can use the management account of your resource directory to add a delegated administrator account in the Resource Management console. For more information, see Add a delegated administrator account.

Note

You can add only one delegated administrator account for Cloud Config.

Change the delegated administrator account

After you specify a member account as the delegated administrator account of Cloud Config, we recommend that you do not change this account. If you need to change the specified account, you must first remove the original delegated administrator account. Then, you can specify a new delegated administrator account.

  1. Log on to the Resource Management console and remove the original delegated administrator account of Cloud Config by using the management account.

    For more information, see Remove a delegated administrator account.

    Note

    This operation only removes the permissions shared by the management account from the original delegated administrator account. The configurations of the original delegated administrator account are retained.

  2. In the Resource Management console, specify a new delegated administrator account.

    For more information, see Add a delegated administrator account.

    Note

    The new delegated administrator account has all the permissions that the original delegated administrator account used to have.

  3. In the Cloud Config console, an employee can use the new delegated administrator account to manage account groups, view resources of member accounts in account groups, manage compliance packages and rules in account groups, and deliver resource data.

    • For more information about how to manage account groups, see Overview.

    • For more information about how to configure the delivery settings of resource data, see Overview.