To prepare for migration to the cloud, you can make a plan for identity and permission management. This reduces risks related to identity authentication and permission control and improves the efficiency of multi-account management after your business is migrated to the cloud. Cloud Governance Center allows you to initialize identities and permissions by using a wizard. This allows you to configure identities and permissions for multiple member accounts in your resource directory in a centralized manner. In addition, Cloud Governance Center provides permission configuration templates that are designed based on best practices and allows you to configure baselines for identities and permissions. This facilitates subsequent and continuous identity and permission management.

Overview

Cloud Governance Center provides the following two methods for managing identities and permissions. You can select one of the methods as needed.

  • Method 1: Manage identities and permissions by using CloudSSO (Recommended)

    CloudSSO is integrated with Alibaba Cloud Resource Directory to provide centralized multi-account identity management and access control. You need to configure settings only once to manage identities and permissions for multiple accounts. If you are new to the cloud, we recommend that you use CloudSSO to manage identities and permissions. For more information about CloudSSO, see What is CloudSSO?

  • Method 2: Manage identities and permissions by using role-based SSO

    Role-based single sign-on (SSO) provided by Resource Access Management (RAM) allows you to manage identities and permissions within a single Alibaba Cloud account. If you have used RAM to manage identities and permissions for most of your business in the cloud, you can continue to use this method. For more information about role-based SSO, see Overview.

Method 1: Manage identities and permissions by using CloudSSO (Recommended)

  1. Log on to the Cloud Governance Center console.
  2. In the left-side navigation pane, click Initialization Tasks.
  3. On the Initialization Tasks page, click Initialization Task for Identities and Permissions.
  4. Click Start next to Task1: Select a management solution.
  5. On the Task1: Select a management solution page, select Use Cloud SSO and click Next.
  6. On the Task2: Configure Identity and Permission Management page, activate CloudSSO and configure integration with external identities.
    Note: If you have activated CloudSSO in the CloudSSO console and completed integration configurations for external identities, Cloud Governance Center automatically synchronizes the configurations. In this case, you can skip this step.
    1. On the activation page of CloudSSO, select the region in which you want to create the CloudSSO directory, enter the name of the CloudSSO directory, and then click Activate Now.
      • Region

        Select a region close to the region in which your business data is stored to ensure security. For more information, see Create the CloudSSO directory.

      • Directory Name

        The directory name must be globally unique. You can prefix the directory name with the name of your enterprise to ensure that the directory name is unique.

    2. After CloudSSO is activated, click Next.
    3. On the Configure Identity Integration page, configure the logon method and click Next.
      • SSO Logon

        If you want to allow users to log on to the Alibaba Cloud Management Console by using the accounts provided by your on-premises identity management system, select SSO as the logon method. In this case, Alibaba Cloud is the service provider (SP) and the identity management system is the identity provider (IdP). You need to upload the metadata file provided by the IdP. For more information, see Overview.

      • Username-password Logon

        If you do not have an identity management system, you can create users in CloudSSO. Then, the users can log on to the Alibaba Cloud Management Console by using usernames and passwords. We recommend that you enable multi-factor authentication (MFA) to improve logon security.

  7. On the Task2: Configure Identity and Permission Management page, click Next.
  8. On the Task3: Create Access Configuration page, view the built-in access configurations, specify the maximum session durations for the access configurations, and then click OK.
    The following table describes the built-in access configurations that Cloud Governance Center provides based on best practices. The access configurations are automatically provisioned in CloudSSO. You can then bind these access configurations to specified accounts in CloudSSO.

    Access configuration    Permission description
    ----------------------  ----------------------
    Administrator           Provides full permissions to manage all Alibaba Cloud resources of your enterprise.
    Iam                     Provides the permissions to manage the identities and permissions of the accounts of your enterprise that are used for logging on to the Alibaba Cloud Management Console.
    Billing                 Provides the permissions related to financial management, such as the permissions to query and manage bills, account balances, invoices, and contracts.
    AuditAdministrator      Provides full permissions on Cloud Config, ActionTrail, and Log Service, and the permissions to view the status of all resources.
    LogAdministrator        Provides the permissions to manage logs.
    LogAudit                Provides the permissions to view logs.
    NetworkAdministrator    Provides the permissions related to network services and security groups.
    SecurityAudit           Provides the permissions to query data related to security services, excluding the permissions to manage configurations of the security services.
    SecurityAdministrator   Provides the permissions to manage all security services.

    For more information about access configurations, see Overview.

  9. Click OK.
  10. Click Close.
    After the initialization task is complete, you can click Identities and Permissions in the left-side navigation pane to manage identities and permissions. You can perform the following operations:
    • View the progress of the initialization task.
    • Download the metadata file provided by the SP.
      Note: If you specify the SSO logon method, you need to download the metadata file provided by the SP and configure the SP in your identity management system. For more information, see Overview.
    • Update or delete the metadata file provided by the IdP.
    • View the access configurations.
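
Both methods ask you to upload the metadata file provided by your IdP (Task2). The following added example, which is not part of this page or of Cloud Governance Center, checks an IdP SAML 2.0 metadata file for the things that most often make an upload fail or weaken the SSO setup: a missing entityID, a lapsed validUntil, a file that is SP rather than IdP metadata, no signing certificate, and an SSO endpoint that is absent or not served over HTTPS. The sample metadata and its certificate value are constructed placeholders.

```python
# Added example (not Cloud Governance Center's own code): sanity-check an IdP's
# SAML 2.0 metadata file before uploading it in Task2 of either method.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-" + b for b in ("Redirect", "POST")}

def check_idp_metadata(xml_text, now=None):
    """Return a list of findings; an empty list means the file looks usable."""
    findings = []
    root = ET.fromstring(xml_text)
    if not root.get("entityID"):
        findings.append("missing entityID on EntityDescriptor")
    valid_until = root.get("validUntil")  # optional; reject lapsed metadata
    if valid_until:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires <= (now or datetime.now(timezone.utc)):
            findings.append(f"metadata expired on {valid_until}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:  # e.g. SP metadata uploaded by mistake
        return findings + ["no IDPSSODescriptor (is this SP metadata?)"]
    # Signing cert is required for assertion verification; no 'use' attr means both.
    signing = [k for k in idp.findall(f"{{{MD}}}KeyDescriptor")
               if k.get("use", "signing") == "signing"
               and k.find(f".//{{{DS}}}X509Certificate") is not None]
    if not signing:
        findings.append("no signing X509Certificate in any KeyDescriptor")
    # Need an SSO endpoint with a browser binding, and only over HTTPS.
    endpoints = [e for e in idp.findall(f"{{{MD}}}SingleSignOnService")
                 if e.get("Binding") in BINDINGS]
    if not endpoints:
        findings.append("no SingleSignOnService with HTTP-Redirect/HTTP-POST binding")
    findings += [f"SSO endpoint is not HTTPS: {e.get('Location')}" for e in endpoints
                 if not e.get("Location", "").startswith("https://")]
    return findings

# Constructed sample (not a real IdP); the certificate value is a placeholder.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      PLACEHOLDER_BASE64_CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `check_idp_metadata(open("idp-metadata.xml").read())` on the file your IdP exported; an empty list means it is ready for Task2, and any findings point at the attribute or element to fix in the IdP before uploading.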

Method 2: Manage identities and permissions by using role-based SSO

  1. Log on to the Cloud Governance Center console.
  2. In the left-side navigation pane, click Initialization Tasks.
  3. On the Initialization Tasks page, click Initialization Task for Identities and Permissions.
  4. Click Start next to Task1: Select a management solution.
  5. On the Task1: Select a management solution page, select Use Role-based SSO and click Next.
  6. On the Task2: Configure Identity and Permission Management page, upload the metadata file provided by the IdP and click Next.
  7. Cloud Governance Center automatically configures the IdP for all members of your resource directory. After that, click Next.
  8. On the Task3: Create Access Configuration page, view the built-in RAM roles provided by Cloud Governance Center, specify the maximum session durations for the RAM roles, and then click OK.
    The following table describes the built-in RAM roles that Cloud Governance Center provides based on best practices. The RAM roles are automatically created, with the corresponding policies attached, in every member of your resource directory.

    RAM role                                          Permission description
    ------------------------------------------------  ----------------------
    AliyunReservedGovernance-Administrator            Provides full permissions to manage all Alibaba Cloud resources of your enterprise.
    AliyunReservedGovernance-Iam                      Provides the permissions to manage the identities and permissions of the accounts of your enterprise that are used for logging on to the Alibaba Cloud Management Console.
    AliyunReservedGovernance-Billing                  Provides the permissions related to financial management, such as the permissions to query and manage bills, account balances, invoices, and contracts.
    AliyunReservedGovernance-AuditAdministrator       Provides full permissions on Cloud Config, ActionTrail, and Log Service, and the permissions to view the status of all resources.
    AliyunReservedGovernance-LogAdministrator         Provides the permissions to manage logs.
    AliyunReservedGovernance-LogAudit                 Provides the permissions to view logs.
    AliyunReservedGovernance-NetworkAdministrator     Provides the permissions related to network services and security groups.
    AliyunReservedGovernance-SecurityAudit            Provides the permissions to query data related to security services, excluding the permissions to manage configurations of the security services.
    AliyunReservedGovernance-SecurityAdministrator    Provides the permissions to manage all security services.
  9. Click OK.
  10. Click Close.
    After the initialization task is complete, you can click Identities and Permissions in the left-side navigation pane to manage identities and permissions. You can perform the following operations:
    • View the progress of the initialization task.
    • Download the metadata file provided by the SP.
      Note: To implement SSO access, you need to download the metadata file provided by the SP and configure the SP in your identity management system. For more information, see Overview.
    • Update or delete the metadata file provided by the IdP.
    • View the RAM roles.
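
After Method 2 completes, the nine built-in roles should exist in every member with the maximum session duration you chose in Task3, and nothing else should be using the reserved name prefix. The following added example, which is not part of this page or of Cloud Governance Center, audits the RAM roles of each member for exactly that. It assumes the response shape of the RAM ListRoles API (Roles.Role[] objects carrying RoleName and MaxSessionDuration in seconds) and uses constructed sample responses rather than real accounts.

```python
# Added example (not Cloud Governance Center's own code): audit a member account's
# RAM roles after Method 2. Assumes the response shape of RAM's ListRoles API
# (Roles.Role[] with RoleName and MaxSessionDuration in seconds).
import json

PREFIX = "AliyunReservedGovernance-"
# Role suffixes from the table above.
EXPECTED = {PREFIX + s for s in ("Administrator", "Iam", "Billing", "AuditAdministrator",
                                "LogAdministrator", "LogAudit", "NetworkAdministrator",
                                "SecurityAudit", "SecurityAdministrator")}


def audit_governance_roles(list_roles_json, max_session_seconds):
    """Compare one account's roles with the expected built-in set.

    Returns missing roles, roles whose session limit exceeds the one chosen in
    Task3, and roles that reuse the reserved prefix without being built-in."""
    roles = json.loads(list_roles_json)["Roles"]["Role"]
    by_name = {r["RoleName"]: r for r in roles}
    present = EXPECTED & by_name.keys()
    return {
        "missing": sorted(EXPECTED - by_name.keys()),
        "too_long": sorted(n for n in present
                           if by_name[n].get("MaxSessionDuration", 0) > max_session_seconds),
        "unexpected_prefix": sorted(n for n in by_name
                                    if n.startswith(PREFIX) and n not in EXPECTED),
    }


def audit_all_members(responses_by_account, max_session_seconds):
    """Run the audit over {account_id: ListRoles JSON} and keep only accounts
    with at least one finding, so a clean resource directory returns {}."""
    report = {}
    for account_id, body in responses_by_account.items():
        result = audit_governance_roles(body, max_session_seconds)
        if any(result.values()):
            report[account_id] = result
    return report


# Constructed sample responses (not real accounts): the drifted member lacks the
# SecurityAudit role, raised Billing's session limit, and has a look-alike role.
def _response(names_and_limits):
    return json.dumps({"Roles": {"Role": [
        {"RoleName": n, "MaxSessionDuration": d} for n, d in names_and_limits]}})

CLEAN_MEMBER = _response((n, 3600) for n in sorted(EXPECTED))
DRIFTED_MEMBER = _response([(n, 3600) for n in sorted(EXPECTED)
                            if not n.endswith(("-SecurityAudit", "-Billing"))]
                           + [(PREFIX + "Billing", 43200), (PREFIX + "SecurityAdmin", 3600)])
```

Feed it the ListRoles output collected from each member account; a non-empty report identifies which member and which role drifted from the baseline that the initialization task created.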