Before you migrate your business to the cloud, we recommend that you create a solution for managing identities and permissions. This helps reduce the risks related to identity authentication and permission control and improves the efficiency of multi-account management after your business is migrated to the cloud. Cloud Governance Center allows you to initialize identities and permissions by using a wizard. This way, you can configure identities and permissions for multiple member accounts in your resource directory in a centralized manner. Cloud Governance Center also provides a common access configuration template and baselines for identity management and permission management based on the best practices. This way, you can perform continuous governance on your enterprise.

Background information

CloudSSO is integrated with Alibaba Cloud Resource Directory to provide centralized multi-account identity management and access control. You can configure settings only once to manage the identities and permissions of multiple accounts. We recommend that you use CloudSSO to manage identities and permissions. For more information, see What is CloudSSO?.

Initialize identities and permissions

  1. Log on to the Cloud Governance Center console.
  2. In the left-side navigation pane, click LandingZone Setup.
  3. In the Standard Blueprint or Standard Blueprint (CEN) section, click Build.
    In this example, a standard blueprint is used.
  4. In the Added Items section of the Configure Blueprint page, click CloudSSO.
    Note If the item that you want to configure does not exist in the Added Items section, click Add Item. In the dialog box that appears, select the item and click Add.
  5. Configure CloudSSO parameters.
    1. In the Basic Information section, configure the following parameters:
      • Region

        To ensure data security, you can select a region that is close to the region where your business data resides. For more information, see Create the CloudSSO directory.

      • Catalog Name

        The directory name must be globally unique. To prevent duplicate names, you can prefix the directory name with the name of your enterprise.

      • Logon Timeout

        The maximum period of a logon session in which a CloudSSO user can use an account in your resource directory to perform specific operation by using the access configurations. Unit: seconds. Valid values: 3600 to 43200 (1 hour to 12 hours). Default value: 3600 (1 hour).

    2. In the Access Configuration Template section, view the access configuration template predefined in Cloud Governance Center.
      The following table describes the predefined access configurations of Cloud Governance Center based on the best practices. The access configurations are automatically provisioned for CloudSSO. This way, you can bind the access configurations to specified accounts in CloudSSO.
      Access configuration Permission
      Administrator Grants full permissions on all Alibaba Cloud resources of your enterprise.
      Iam Grants the permissions to manage the identities and permissions of all enterprise accounts that can be used to log on to the Alibaba Cloud Management Console.
      Billing Grants financial management permissions, such as the permissions to query and manage bills, account balances, invoices, and contracts.
      AuditAdministrator Grants full permissions on Cloud Config, ActionTrail, and Log Service, and the permissions to view the status of all resources.
      LogAdministrator Grants the permissions to manage logs.
      LogAudit Grants the permissions to view logs.
      NetworkAdministrator Grants the permissions related to network services and security groups.
      SecurityAudit Grants the permissions to query data related to security services, excluding the permissions to manage configurations of the security services.
      SecurityAdministrator Grants the permissions to manage all security services.

      For more information about access configurations, see Overview.

Manage identities and permissions

After you initialize the identities and permissions, you can view or modify the configuration information about CloudSSO.

  1. Log on to the Cloud Governance Center console.
  2. In the left-side navigation pane, choose Management and Governance > Identities and Permissions.
  3. On the IdP Information tab, download the metadata file of the identity provider (IdP) or modify the configuration information about the IdP.
  4. On the Access Configuration Template tab, view the details of access configurations.