This topic describes how to specify which users or groups are allowed to access the accounts in a resource directory, based on the structure of the resource directory, and how to assign access permissions or configurations to those users or groups. It walks through an example of assigning access permissions on the accounts in your resource directory. In this example, user1 is specified and an access configuration is provisioned for the Sandbox Account member account in the resource directory. This access configuration defines access permissions only on virtual private cloud (VPC) resources. After the provisioning, user1 can access only VPC resources within Sandbox Account.
Prerequisites
- An access configuration is created.
  In this example, the in-use access configuration includes the AliyunVPCFullAccess system policy and no inline policies. For more information, see Manage both system and inline policies.
- A user is created or synchronized.
  In this example, user1 created in the CloudSSO console is used. For more information, see Create a user.
Procedure
- Log on to the CloudSSO console.
- In the left-side navigation pane, click Multi-account Permission Configuration.
- On the Multi-account Permission Configuration page, select the required account. In this example, the Sandbox Account member account is selected.
- Click Configure Access Assignments.
- In the Configure Access Assignments panel, select the required user or group and click Next Step. In this example, user1 is selected.
- Select the required access configuration and click Next Step.
  Note: You can select a maximum of five access configurations at a time. If you want to select more access configurations, assign permissions multiple times.
- Confirm the configuration and click Start Configuration.
- Wait until the assignment is complete and click OK.
Verify the assignment result
- Log on to the CloudSSO user portal as user1. For more information, see Log on to the CloudSSO user portal.
- Click Show Details in the Permission column of Sandbox Account.
- In the panel that appears, find the required access configuration and click Log On in the Actions column.
- Access the VPC resources within Sandbox Account as a RAM role. You can access only the VPC resources because only the access permissions on VPC resources are assigned.