Before you create accounts in the account factory, you must configure the account baseline, including common baseline items related to identities, permissions, networking, and security. This improves the efficiency of creating an account.

Baseline items

The following table describes the supported account baseline items.

Baseline item Description Dependent baseline item References
Configure Trusteeship (default baseline item) You can specify a billing account for members in your resource directory. This helps you perform centralized management of the financial cost for your enterprise. N/A Optional. Step 2: Specify a main account.
Bind CloudSSO User to Current Account (default baseline item) You can configure identities and permissions for multiple members in the resource directory. This helps reduce the risks of identity and permission management and improve the efficiency of multi-account management. N/A Initialize identities and permissions
Protection Rule (default baseline item) You can configure and enable protection rules that are provided by Cloud Config for all members in your resource directory in a centralized manner in the Cloud Governance Center console. This prevents the basic configurations of Cloud Governance Center and the resource structure that is created in Cloud Governance Center from being modified. This also ensures the security of the multi-account environment. N/A Configure protection rules in a centralized manner
RAM Password Policy You can configure password rules to improve the account security of RAM users. Common password rules include password length, required elements in the password, and the validity period of the password. N/A Configure a password policy for RAM users
VPC A virtual private cloud (VPC) is a private network in the cloud. Each VPC consists of CIDR blocks, vSwitches, and access control lists (ACLs). N/A What is a VPC?
Security Group A security group acts as a virtual firewall to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances to improve security. VPC Overview
Account Contact You can configure contacts to receive notifications for an account. Alibaba Cloud does not disclose or provide contact information to third parties.

N/A What do I do if the contact specified for an account cannot receive notification messages related to finance or Alibaba Cloud services?
Message You can configure recipients for each type of message. We recommend that you configure recipients to receive important messages related to accounts, services, and exceptions. This prevents business loss caused by missing notifications. Account Contact What do I do if the contact specified for an account cannot receive notification messages related to finance or Alibaba Cloud services?
Activate Service Only an account with administrative permissions can activate specific Alibaba Cloud services. If you log on as a RAM user without administrative permissions, you may fail to activate the services. To prevent this issue, you can configure the Activate Service baseline item to specify that the selected Alibaba Cloud services are automatically activated when you create an account. Supported Alibaba Cloud services include Cloud Enterprise Network (CEN), Cloud Data Transfer (CDT), CloudMonitor, and Key Management Service (KMS). N/A
Note The default baseline items cannot be removed. If you do not complete the initialization tasks in the Cloud Governance Center console, the corresponding baseline items are automatically skipped.


  1. Log on to the Cloud Governance Center console.
  2. In the left-side navigation pane, click Account Factory.
  3. On the Account Factory page, click Settings in the Orchestration for Account Baseline section.
  4. On the Baseline Orchestration page, click Add Baseline Items in the Baseline Orchestration section.
  5. In the Add Baseline Item dialog box, select the baseline items that you want to add and click Add.
    If Baseline Item A depends on Baseline Item B, after you select Baseline Item A, Baseline Item B is automatically selected. For example, if you select Security Group, VPC is automatically selected.
  6. In the Baseline Orchestration section, click the Edit icon or Configure icon icon next to a baseline item to configure this baseline item.
    Note You can click the Delete icon icon to remove the baseline item that you no longer need. By default, you cannot remove the following default baseline items: Configure Trusteeship, Bind CloudSSO User to Current Account, and Protection Rule.
  7. After you set the parameters, click Save.
    In the Baseline Visualization section, you can view the added baseline items.

What to do next

After you configure the account baseline, you can create an account by using the account baseline. For more information, see Create an account.