To help you improve enterprise information security and implement enterprise-level account management, Enterprise Distributed Application Service (EDAS) provides a built-in account system. In addition, EDAS is connected to the account system of Resource Access Management (RAM). The built-in account system of EDAS is gradually migrated to the account system of RAM.
The account system contains Alibaba Cloud accounts, RAM users, sub-accounts, and roles. The sub-accounts are built in EDAS and are not recommended.
- Alibaba Cloud account
In EDAS, an Alibaba Cloud account owns all resources within the account and has full operation permissions on EDAS. The Alibaba Cloud account used to purchase the EDAS service is also the billing account.
In the EDAS console, choosein the left-side navigation pane to view the maximum number of application instances allowed, the number of existing application instances, and the edition of EDAS within the Alibaba Cloud account.Note You can bind the billing account of EDAS to other Alibaba Cloud accounts for which EDAS is not activated. To unbind the billing account of EDAS from other Alibaba Cloud accounts, submit a ticket.
- RAM user
EDAS supports the account system of RAM. When you use EDAS, we recommend that you use the account system of RAM. You can use the Alibaba Cloud account that is used to purchase the EDAS service to log on to the RAM console, create RAM users, and then grant minimum permissions to the RAM users as needed. This allows you to complete different types of jobs by using different user identities for efficient enterprise management.
In the EDAS console, choosein the left-side navigation pane to view the following information and perform the following operations:
- Log on to the EDAS console by using your Alibaba Cloud account. You can view all the RAM users within the Alibaba Cloud account.
- On the RAM User page, click Synchronize RAM User in the upper-right corner to synchronize RAM users.
- Sub-accounts that are configured with EDAS-defined permissions and are not switched to RAM users can be used to manage roles and manage applications and resource groups.
- You can switch built-in EDAS sub-accounts to RAM users. For more information, see Replace EDAS-defined permissions with RAM policies.
- Built-in EDAS sub-account (not recommended)
EDAS provides independent sub-accounts in its original account system. You can no longer create sub-accounts in EDAS. We recommend that you switch your existing sub-accounts to RAM users. For more information, see Replace EDAS-defined permissions with RAM policies.Note Before you switch built-in EDAS sub-accounts to RAM users, you can still manage their permissions. For more information, see Manage EDAS-defined permissions (not recommended).
A role is a virtual user who owns a series of specified permissions. A role does not have a specific AccessKey pair. A role can be used only after the role is assumed by a trusted entity.
In EDAS, you can create roles and can also use RAM roles.
A policy is a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions.
Policies can be created only in RAM. The built-in permission control mode of EDAS can authorize only sub-accounts to manage applications or resource groups.
This section describes three scenarios of the EDAS account system.
- Scenario 1
A company uses Account A to purchase the EDAS service. Account A is a billing account and also an Alibaba Cloud account. Two departments in the company need to use EDAS. Therefore, Sub-accounts or RAM users B and C can be created within Account A for the two departments and granted the management permissions of EDAS. This way, the two departments can use EDAS by using Sub-accounts or RAM users B and C without purchasing this service again.
- Scenario 2
If Sub-accounts or RAM users B and C need to use the full features of EDAS, such as creating or running applications, Sub-accounts or RAM users B and C must be used to purchase resources such as Elastic Compute Service (ECS) instances. In this case, Account A that is an Alibaba Cloud account cannot be used to purchase the resources.
- Scenario 3
After resources are prepared, sub-accounts or RAM users are created for departments within three different Alibaba Cloud accounts to grant and manage permissions and resources.
- Account A grants all ECS resources and all permissions to Sub-account or RAM user a.
- Account B creates the application administrator and operations administrator roles and assigns the two roles to Sub-accounts or RAM users b1 and b2.
- Account C creates a role that has the permissions to view applications, and assigns the role to Sub-account or RAM user c.