Cloud Firewall allows you to manage multiple Alibaba Cloud accounts in a resource directory based on the trusted services of Alibaba Cloud Resource Directory. Each Alibaba Cloud account is a member. You can specify a member as a delegated administrator account to access the resources of all members in the resource directory. This way, you can manage the resources in a centralized manner.

Prerequisites

Cloud Firewall Ultimate Edition is purchased. Other editions of Cloud Firewall do not support centralized account management.

Limits

  • By default, centralized account management allows you to add one member. If you want to add more than one member, upgrade the Managed Alibaba Cloud Member Accounts specification of your Cloud Firewall based on your business requirements. For more information, see Upgrade Cloud Firewall and change configurations.
  • Centralized account management allows you to manage only the following resources of members: Internet firewalls, virtual private cloud (VPC) firewalls, Domain Name System (DNS) firewalls, and assets that are protected by secure forward proxies.

Procedure

Before you can use centralized account management, you must enable a resource directory, specify a delegated administrator account, and then invite members. After that, you can add multiple members in Cloud Firewall and manage them from a single account.

Step 1: Enable a resource directory

The Alibaba Cloud account that you use to enable a resource directory must pass enterprise real-name verification. An account that passed only individual real-name verification cannot be used to enable a resource directory.

To check whether the current account passed the enterprise real-name verification, perform the following operations in the console: Move the pointer over the profile picture in the upper-right corner and click Security Settings. On the Security Settings page, check whether the current account passed the enterprise real-name verification.

  1. Log on to the Resource Management console by using the management account of your resource directory.
  2. In the left-side navigation pane, choose Resource Directory > Overview.
  3. On the Overview page, click Enable Resource Directory.
  4. In the Enable Resource Directory dialog box, click OK.
    After the resource directory is enabled, the current account is specified as the management account of the resource directory and has full permissions on the resource directory. The management account is formerly known as the master account.

Step 2: Invite a member

  1. Log on to the Resource Management console by using the management account of your resource directory.
  2. In the left-side navigation pane, choose Resource Directory > Invite Member.
  3. On the Invite Member page, click Invite Member Account.
  4. In the Invite Member Account panel, configure the Account ID/Logon Email and Remarks parameters. Then, read the risk information and select the check box for the risk information.
    Note If you enter an email address of an Alibaba Cloud account, it must be the email address that you specified when you created the account. You can enter multiple account IDs or email addresses at a time. Separate them with commas (,).
  5. Click OK.
    After an Alibaba Cloud account joins a resource directory, it becomes a member that is managed in the resource directory. You can specify the invited member as a delegated administrator account.

Step 3: Add a delegated administrator account

  1. Log on to the Resource Management console by using the management account of your resource directory.
  2. In the left-side navigation pane, choose Resource Directory > Trusted Services.
  3. On the Trusted Services page, find Cloud Firewall in the Service column and click Manage in the Actions column.
  4. On the Cloud Firewall page, click Add.
  5. In the Add Delegated Administrator Account panel, select a member.
  6. Click OK.
    Then, you can use the added delegated administrator account to access the Central Account Management page of Cloud Firewall and perform administrative operations within the resource directory.

Step 4: Add multiple members

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Settings > Central Account Management.
  3. On the Central Account Management page, click Add Member Account.
  4. In the Add Member Account dialog box, select the members that can be added and add them to the Selected Member Accounts section in the right area.
  5. In the Selected Member Accounts section, select the required members and click OK.
    After you add multiple members, you can view the details about each account and delete an added member. The details include the unique identifier (UID) and name of each account. You can also view the cloud assets within an added member on the Internet Firewall, VPC Firewall, DNS Firewall, or Security Forward Proxy page, and enable or disable protection for the assets.
Notice After you add a member, Cloud Firewall can access the resources of the member by default. If a VPC firewall protects the VPCs that are attached to a Cloud Enterprise Network (CEN) instance and the VPCs are created by different Alibaba Cloud accounts, you must manually authorize Cloud Firewall to access the cloud resources within the Alibaba Cloud accounts to which the VPCs belong. For more information, see Authorize Cloud Firewall to access other cloud resources.
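The following script is an added example and is not part of this documentation or of Cloud Firewall itself. It covers two points from the procedure above: validating the comma-separated Account ID/Logon Email field from Step 2, and reconciling the members of a resource directory against the members already added on the Central Account Management page in Step 4, including the default quota of one managed member from the Limits section. All input data is constructed inline; the JSON shape (Accounts.Account[].AccountId/DisplayName/Type) is modelled on a Resource Management account listing and is an assumption, as is the 16-digit numeric form of account IDs.

```python
"""Reconcile resource-directory members with Cloud Firewall central account
management. Added example with constructed data; not Alibaba Cloud code."""
import json
import re

# Constructed sample shaped like a resource-directory account listing.
# Field names are assumed, not taken from the documentation above.
RD_MEMBERS_JSON = """
{"Accounts": {"Account": [
  {"AccountId": "1000000000000001", "DisplayName": "prod-network", "Type": "CloudAccount"},
  {"AccountId": "1000000000000002", "DisplayName": "prod-app", "Type": "CloudAccount"},
  {"AccountId": "1000000000000003", "DisplayName": "sandbox", "Type": "ResourceAccount"}
]}}
"""

# Constructed: UIDs already shown on the Central Account Management page.
CFW_MANAGED_UIDS = ["1000000000000001"]

# Default specification from the Limits section: one managed member
# unless the Managed Alibaba Cloud Member Accounts specification is upgraded.
DEFAULT_MANAGED_QUOTA = 1

# Assumed formats for the Invite Member Account input field.
ACCOUNT_ID_RE = re.compile(r"^\d{16}$")
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")


def parse_invite_list(text):
    """Split the comma-separated invite field into (kind, value) pairs.

    Rejects any entry that is neither a 16-digit account ID nor an email
    address, so a typo is caught before the invitation is sent."""
    entries = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if ACCOUNT_ID_RE.match(item):
            entries.append(("account_id", item))
        elif EMAIL_RE.match(item):
            entries.append(("email", item))
        else:
            raise ValueError(f"not an account ID or email address: {item!r}")
    return entries


def parse_rd_members(raw):
    """Return {AccountId: record} for every member in the listing."""
    data = json.loads(raw)
    return {a["AccountId"]: a for a in data["Accounts"]["Account"]}


def unmanaged_members(rd_members, managed_uids):
    """Members of the resource directory not yet added to Cloud Firewall.

    These accounts' Internet, VPC and DNS firewall assets are outside
    central management until they are added in Step 4."""
    managed = set(managed_uids)
    return sorted(uid for uid in rd_members if uid not in managed)


def exceeds_quota(managed_uids, quota=DEFAULT_MANAGED_QUOTA):
    """True when more members are selected than the specification allows."""
    return len(set(managed_uids)) > quota


def validate_delegated_admin(rd_members, candidate_uid):
    """A delegated administrator must be a member of the resource directory."""
    if candidate_uid not in rd_members:
        return False, "account is not a member of the resource directory"
    return True, "ok"


if __name__ == "__main__":
    members = parse_rd_members(RD_MEMBERS_JSON)
    for uid in unmanaged_members(members, CFW_MANAGED_UIDS):
        print(f"not centrally managed: {uid} ({members[uid]['DisplayName']})")
    if exceeds_quota(CFW_MANAGED_UIDS):
        print("selected members exceed the managed-account specification; upgrade first")
```

Run it against an export of your own account listing to see which members still need to be added; the quota check is the reason to verify the specification before selecting several members in Step 4.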