Access configurations define the permissions and session settings that CloudSSO users receive when accessing accounts in a resource directory.
Elements
Each access configuration includes:
- Session duration: how long a CloudSSO user's session lasts when accessing an account through this access configuration.
- Relay state: the initial page displayed when a CloudSSO user accesses an account through this access configuration.
- Permissions: the set of permissions granted to a CloudSSO user on a resource directory account. Permissions are expressed as:
  - System policy: reuses existing Resource Access Management (RAM) system policies.
  - Inline policy: custom policies written in RAM policy syntax that apply only to this access configuration.
First-time provisioning
To assign access permissions on an account to a user or group, you specify an access configuration. If the access configuration has not been provisioned before, CloudSSO creates the following resources:
- A RAM role named AliyunReservedSSO-<Access configuration name> is created. For example, provisioning TestAccessConfiguration creates a RAM role named AliyunReservedSSO-TestAccessConfiguration.
- If an inline policy exists, a RAM custom policy named AliyunReservedSSO-<Access configuration name>-InlinePolicy is created. For example, an inline policy in TestAccessConfiguration creates AliyunReservedSSO-TestAccessConfiguration-InlinePolicy.
- All system policies and inline-policy-derived custom policies are attached to the RAM role.
- If no access permissions on the account are yet assigned to a CloudSSO user, an identity provider (IdP) named AliyunReservedSSO-<ID of the CloudSSO directory> is created to enable role-based SSO. For example, if the directory ID is d-x0h0w370****, an IdP named AliyunReservedSSO-d-x0h0w370**** is created.
You can view these RAM roles, custom policies, and IdPs in the RAM console, but you cannot modify or delete them.
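The following Python example is added here to illustrate the two points above; it is not CloudSSO code and calls no Alibaba Cloud API. It builds an inline policy document in RAM policy syntax, runs a few least-privilege review checks on it (the checks are this example's own rules, not CloudSSO validation), and derives the names of the RAM role, custom policy and IdP that first-time provisioning creates, so that an auditor can recognise CloudSSO-managed RAM resources. The access configuration name and the masked directory ID are the ones used in the examples above.

```python
import json

# Prefix CloudSSO uses for every RAM resource it provisions (from the naming rules above).
CLOUDSSO_PREFIX = "AliyunReservedSSO-"


def inline_policy_document(actions, resources, effect="Allow"):
    """Build a policy document in RAM policy syntax (Version "1") for use as an inline policy."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": effect, "Action": list(actions), "Resource": list(resources)}
        ],
    }


def review_inline_policy(doc):
    """Return review findings for an inline policy document; an empty list means it passes.

    Review rules used by this example: RAM syntax version, a valid Effect, non-empty
    Action/Resource, and no Allow that grants every action on every resource.
    """
    findings = []
    if doc.get("Version") != "1":
        findings.append('RAM policy syntax uses "Version": "1"')
    for i, stmt in enumerate(doc.get("Statement", [])):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        # RAM accepts either a single string or a list for Action and Resource.
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = [resources] if isinstance(resources, str) else list(resources)
        if not actions or not resources:
            findings.append(f"statement {i}: Action and Resource must not be empty")
        if effect == "Allow" and "*" in actions and "*" in resources:
            findings.append(
                f"statement {i}: Allow on all actions for all resources is not least privilege"
            )
    return findings


def provisioned_resource_names(access_configuration_name, directory_id, has_inline_policy):
    """Names of the RAM resources CloudSSO creates on first-time provisioning."""
    role = f"{CLOUDSSO_PREFIX}{access_configuration_name}"
    names = {"role": role, "idp": f"{CLOUDSSO_PREFIX}{directory_id}"}
    if has_inline_policy:
        names["inline_policy"] = f"{role}-InlinePolicy"
    return names


def is_cloudsso_managed(ram_resource_name):
    """True for RAM roles, policies and IdPs owned by CloudSSO (visible in RAM, not editable there)."""
    return ram_resource_name.startswith(CLOUDSSO_PREFIX)


if __name__ == "__main__":
    # Constructed sample: a read-only ECS inline policy in the access configuration TestAccessConfiguration.
    policy = inline_policy_document(["ecs:Describe*"], ["*"])
    print(json.dumps(policy, indent=2))
    print("findings:", review_inline_policy(policy))
    print(provisioned_resource_names("TestAccessConfiguration", "d-x0h0w370****", has_inline_policy=True))
```

When reviewing a RAM account, the `is_cloudsso_managed` check separates resources that CloudSSO will overwrite on the next provisioning from roles and policies that are managed directly in RAM.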
For more information, see Assign access permissions on the accounts in a resource directory.
Re-provision an access configuration
If you make any of the following changes to a provisioned access configuration, you must manually re-provision it. These changes are not automatically applied to the account.
- A system policy is added or removed.
- An inline policy is created, modified, or deleted.
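Because these changes are not applied automatically, the provisioned RAM role can drift from the access configuration. The following Python example is added here (it is not CloudSSO code and does not call any Alibaba Cloud API) to show how to compare the desired state of an access configuration with what is currently attached to its RAM role and report whether re-provisioning is needed. The access configuration, the attached policy list and the policy documents are constructed sample data; in practice they would be read from CloudSSO and RAM respectively.

```python
import json

# Constructed sample: the access configuration as currently defined in CloudSSO (desired state).
ACCESS_CONFIGURATION = {
    "name": "TestAccessConfiguration",
    "system_policies": ["AliyunECSReadOnlyAccess", "AliyunOSSReadOnlyAccess"],
    "inline_policy_document": {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": ["ecs:Describe*"], "Resource": ["*"]}],
    },
}

# Constructed sample: what RAM reports for the role after the previous provisioning.
# The OSS system policy was added afterwards and the inline policy was edited, so neither is live yet.
PROVISIONED = {
    "attached_policies": [
        "AliyunECSReadOnlyAccess",
        "AliyunReservedSSO-TestAccessConfiguration-InlinePolicy",
    ],
    "inline_policy_document": {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": ["ecs:DescribeInstances"], "Resource": ["*"]}],
    },
}


def role_name(access_configuration_name):
    return f"AliyunReservedSSO-{access_configuration_name}"


def expected_attached_policies(access_configuration):
    """Policy names that should be attached to the role once provisioning is current."""
    expected = set(access_configuration["system_policies"])
    if access_configuration.get("inline_policy_document") is not None:
        expected.add(f"{role_name(access_configuration['name'])}-InlinePolicy")
    return expected


def canonical(doc):
    """Canonical JSON so that two policy documents compare by content, not formatting."""
    return None if doc is None else json.dumps(doc, sort_keys=True, separators=(",", ":"))


def reprovision_plan(access_configuration, provisioned):
    """Report the differences that the next re-provisioning will correct."""
    expected = expected_attached_policies(access_configuration)
    attached = set(provisioned["attached_policies"])
    inline_changed = canonical(access_configuration.get("inline_policy_document")) != canonical(
        provisioned.get("inline_policy_document")
    )
    return {
        "role": role_name(access_configuration["name"]),
        "missing_policies": sorted(expected - attached),   # added in CloudSSO, not yet attached
        "stale_policies": sorted(attached - expected),     # removed in CloudSSO, still attached
        "inline_policy_changed": inline_changed,
        "needs_reprovision": bool(expected != attached or inline_changed),
    }


if __name__ == "__main__":
    print(json.dumps(reprovision_plan(ACCESS_CONFIGURATION, PROVISIONED), indent=2))
```

A plan with an empty `missing_policies`, an empty `stale_policies` and `inline_policy_changed` false means the account already has what the access configuration defines; anything else is a signal to re-provision the configuration on that account.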
De-provision an access configuration
You can de-provision an access configuration from a resource directory account in the following scenarios:
- When you remove access permissions from the last CloudSSO identity that uses an access configuration, you can de-provision it at the same time.
- From the list of access configurations provisioned for an account, de-provision any that are no longer needed.
- From the list of accounts where an access configuration is provisioned, de-provision it from accounts that no longer need it.