You can use the management account of your resource directory to specify a member account as the delegated administrator account of Cloud Config. Then, an employee can use the delegated administrator account to manage account groups, view resources of member accounts in account groups, manage compliance packages and rules in account groups, and deliver resource data.
Prerequisites
- A management account is used to log on to the Cloud Config console.
- The Resource Directory service is activated. For more information, see Enable a resource directory.
- Member accounts are created in your resource directory, or existing Alibaba Cloud accounts are invited to join the resource directory as members. For more information, see Create a member and Invite an Alibaba Cloud account to join a resource directory.
Background information
For more information about delegated administrator accounts, see "What is a delegated administrator account?"
Scenarios
A delegated administrator account can be used to separate organizational management tasks from auditing tasks. This is essential for the cloud security management of your business.
By default, the management account of your resource directory serves as the super administrator of your enterprise. As a best practice for IT management, use the management account only for the organizational management of the resource directory, not for resource configuration management. This prevents accidental operations from being performed by an account that has excessive permissions. You can delegate a member account to perform global resource management operations on the resource directory for your business. For example, you can use the management account to specify a member account as the delegated administrator account of Cloud Config. Then, the audit department of your enterprise can own and use the delegated administrator account to evaluate resource compliance and deliver resource data.
Add a delegated administrator account
You can specify a member account in the resource directory as the delegated administrator account of Cloud Config to evaluate monitored resources. The management account shares permissions on Cloud Config with the delegated administrator account. An employee can use the delegated administrator account to manage account groups, view resources of member accounts in account groups, manage compliance packages and rules in account groups, and deliver resource data.
Change the delegated administrator account
After you specify a member account as the delegated administrator account of Cloud Config, we recommend that you do not change this account. If you must change the specified account, you must first remove the original delegated administrator account. Then, you can specify a new delegated administrator account.