Enterprise Distributed Application Service (EDAS) provides a built-in account system and is also connected to the account system of Resource Access Management (RAM). The built-in account system is gradually being migrated to RAM. RAM lets you create separate user identities, assign fine-grained permissions, and manage access across Alibaba Cloud services from a single system.
EDAS no longer supports creating built-in sub-accounts. If you still use sub-accounts, migrate them to RAM users. For instructions, see Replace EDAS-defined permissions with RAM policies.
Identity types
The following table summarizes the identity types available in EDAS.
| Identity type | Description | Status |
|---|---|---|
| Alibaba Cloud account | Owns all EDAS resources and has full permissions. Serves as the billing account for EDAS. | Required |
| RAM user | A separate identity created within your Alibaba Cloud account through RAM. Assign only the permissions each user needs. | Recommended |
| Role | A virtual identity with a defined set of permissions but no AccessKey pair. A trusted entity must assume the role before it can be used. EDAS supports both custom roles and RAM roles. | Optional |
| Policy | A structured set of permissions that describes authorized resources, operations, and conditions. Policies can only be created in RAM. | Optional |
| Built-in sub-account | A legacy identity type from the original EDAS account system. No longer available for creation. | Deprecated |
Alibaba Cloud account
The Alibaba Cloud account used to purchase EDAS owns all resources and has full operation permissions. This account is also the billing account.
To view your account details, go to System Management > Alibaba Cloud Account in the EDAS console. This page shows:

- The maximum number of application instances allowed
- The current number of application instances
- The EDAS edition
You can bind the EDAS billing account to other Alibaba Cloud accounts that do not have EDAS activated. To unbind a billing account, submit a ticket.
RAM user
RAM users are the recommended identity type for day-to-day EDAS operations. Create RAM users from the Alibaba Cloud account that purchased EDAS, then grant each user only the permissions they need.
To manage RAM users, go to System Management > RAM User in the EDAS console. When you log in with your Alibaba Cloud account, this page lists all RAM users associated with the account.
To synchronize RAM users from the RAM console, click Synchronize RAM User in the upper-right corner of the page.
Role and policy
A role is a virtual identity with a specific set of permissions but no AccessKey pair. To use a role, a trusted entity must first assume it. EDAS supports both custom roles and RAM roles.
A policy defines authorized resources, operations, and conditions using a structured syntax. All policies are created in RAM. The legacy EDAS permission model only authorizes sub-accounts to manage applications or resource groups. For fine-grained access control, use RAM policies instead.
Migrate from built-in sub-accounts to RAM users
EDAS no longer supports creating built-in sub-accounts. Switch existing sub-accounts to RAM users to unify access control across Alibaba Cloud services.
For step-by-step instructions, see Replace EDAS-defined permissions with RAM policies.
Until you complete the migration, sub-accounts with EDAS-defined permissions can still manage roles, applications, and resource groups. For details on managing legacy permissions, see Manage EDAS-defined permissions (not recommended).
Scenarios
Share one EDAS subscription across teams
A company uses Account A to purchase EDAS. Two departments need access. Instead of purchasing separate subscriptions, the administrator creates sub-accounts or RAM users B and C under Account A and grants each the appropriate EDAS management permissions. Both departments use EDAS through their own sub-accounts or RAM users.
Purchase compute resources as a sub-account or RAM user
Sub-accounts or RAM users B and C need to create and run applications, which requires compute resources such as Elastic Compute Service (ECS) instances. Sub-accounts or RAM users B and C must purchase these resources under their own identity. Account A, as an Alibaba Cloud account, cannot be used to purchase the resources.
Assign permissions across multiple accounts
Three Alibaba Cloud accounts, each managing EDAS for a different team, grant permissions and resources to their sub-accounts or RAM users as follows:
| Account | Sub-account or RAM user(s) | Permissions |
|---|---|---|
| Account A | Sub-account or RAM user a | Full access to all ECS resources and all permissions |
| Account B | Sub-accounts or RAM users b1, b2 | Application administrator and operations administrator roles |
| Account C | Sub-account or RAM user c | View-only access to applications |
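The policy description above ("authorized resources, operations, and conditions using a structured syntax") and the multi-account scenario in this table can be made concrete with RAM policy documents. The following is an added example, not code from EDAS or the RAM service: it builds a view-only document for user c and an operations-administrator document for b1/b2, and includes a small evaluator that mirrors RAM's decision rule (an explicit Deny always wins, otherwise any matching Allow grants, otherwise the request is denied). The action names `edas:Read*` and `edas:Manage*`, the resource ARN, and the office CIDR are assumptions for illustration; verify action names against the EDAS RAM action list before attaching a policy.

```python
"""Added example (not EDAS/RAM code): least-privilege RAM policy documents for
the scenario above, plus an evaluator that follows RAM's decision rule."""
import fnmatch
import ipaddress
import json

# Assumed action names: "edas:Read*" / "edas:Manage*" follow the
# service:Operation pattern RAM uses; they are illustration, not a verified list.
def view_only_policy():
    """Account C, user c: may only list and inspect EDAS resources."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["edas:Read*"], "Resource": "*"},
        ],
    }

def ops_admin_policy(office_cidr="203.0.113.0/24"):
    """Account B, users b1/b2: manage applications, but mutating calls are
    denied unless they come from the trusted network (CIDR is a placeholder)."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": ["edas:Read*", "edas:Manage*"], "Resource": "*"},
            {
                "Effect": "Deny",
                "Action": ["edas:Manage*"],
                "Resource": "*",
                "Condition": {"NotIpAddress": {"acs:SourceIp": [office_cidr]}},
            },
        ],
    }

def _matches(patterns, value):
    """Action/Resource fields may be a string or a list; '*' wildcards apply."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(cond, ctx):
    """Evaluate the Condition block against request context (IP and string operators only)."""
    for op, kv in (cond or {}).items():
        for key, values in kv.items():
            actual = ctx.get(key)
            if actual is None:
                # Unknown context: negated operators match (so a Deny still
                # applies), positive operators do not. Conservative by design.
                if not op.startswith("Not"):
                    return False
                continue
            if op in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
                if (op == "IpAddress") != hit:
                    return False
            elif op == "StringEquals":
                if actual not in values:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {op}")
    return True

def is_allowed(policies, action, resource, ctx=None):
    """RAM decision rule: explicit Deny overrides, else any Allow, else deny."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not _matches(st["Action"], action):
                continue
            if not _matches(st.get("Resource", "*"), resource):
                continue
            if not _condition_holds(st.get("Condition"), ctx):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    # Print the documents; these are what you would pass to RAM when creating policies.
    print(json.dumps(view_only_policy(), indent=2))
    print(json.dumps(ops_admin_policy(), indent=2))
```

The printed JSON is a policy document in the shape RAM accepts (for example via `aliyun ram CreatePolicy --PolicyName <name> --PolicyDocument '<json>'`, then `AttachPolicyToUser`); the evaluator is only there to show why the Deny statement is worth writing: it keeps a management action from succeeding even though a broad Allow also matches, which is the behaviour the legacy application/resource-group model cannot express.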