You can invite multiple Alibaba Cloud accounts as member accounts to join a resource directory on the Trusted Services page of the Resource Management console and delegate a member account as the administrator account of the resource directory. The delegated administrator account can maintain the resources in all member accounts in the Network Intelligence Service (NIS) console.
Limits
The resource directory and NIS multi-account management features are available only for the Alibaba Cloud accounts that have passed enterprise real-name verification.
You can use the multi-account management feature of NIS to manage only the reachability analyzer, Cloud Enterprise Network (CEN) topology, and Virtual Private Cloud (VPC) topology features.
Procedure
Before you use the multi-account management feature of NIS, you must enable a resource directory, invite member accounts to join the resource directory, enable the multi-account management feature in NIS, and specify a delegated administrator account to manage the member accounts in a centralized manner.
Step 1: Enable a resource directory
Log on to the Account Center console. On the Basic Information page, check whether the real-name registration information shows that the current account is an enterprise real-name account. Make sure that the invited member accounts are also enterprise real-name accounts.
Log on to the Resource Management console with an Alibaba Cloud account that has passed enterprise real-name verification.
In the left-side navigation pane, choose .
On the page that appears, click Enable Resource Directory.
In the Confirm Management Account section of the page that appears, select Current Account.
Click Enable.
In the Security Verification dialog box, enter the verification code that is sent to the mobile phone number or email address bound to the current logon account and click OK.
After you enable the resource directory, the system creates the Root folder and uses the current logon account as the management account of the resource directory.
In addition, the system creates a service-linked role named AliyunServiceRoleForResourceDirectory within the management account. This role is used to grant access permissions on the resource directory to trusted services that are integrated with the Resource Directory service. For more information about service-linked roles, see RAM roles in a resource directory.
Step 2: Invite Alibaba Cloud accounts to join the resource directory
Log on to the Resource Management console with the management account.
In the left-side navigation pane, choose .
On the Invite Member page, click Invite Member.
In the Invite Member dialog box, configure the following parameters:
Account ID or Logon Email Address: the ID or email address of the Alibaba Cloud account that you want to invite. This parameter is required.
If you want to enter the email address of an Alibaba Cloud account, you must enter the email address that you specified when you created the account. You can enter multiple account IDs or email addresses. Separate the account IDs or email addresses with commas (,).
Remarks: the remarks of the invitation. This parameter is optional.
Enter meaningful remarks. The remarks help the invitee confirm that the invitation is genuine and complete the invitation process quickly.
Tag: the tags that you want to add to the account. This parameter is optional.
Owned By (Folder): the folder to which the account belongs. This parameter is optional. By default, the account belongs to the Root folder. You can click Modify to place the account in another folder.
Read the risk warning and select the check box.
Click OK.
Note: If you enter an email address for an invitation, the system sends a confirmation email to the email address.
If you enter an account ID for an invitation, the system sends a confirmation email to the email address that is associated with the account.
If you enter an account ID for an invitation but no email address is associated with the account, the invitee can log on to the Resource Management console to view and process the invitation.
After the invited Alibaba Cloud account joins your resource directory, it becomes a member of the resource directory and is managed by the resource directory.
By default, the name of the Alibaba Cloud account is used as the display name of the member in the resource directory. You can use the management account of the resource directory to change the display name of the member but cannot change the name of the Alibaba Cloud account.
The system creates a RAM role named ResourceDirectoryAccountAccessRole for the member and assigns the role to the management account of the resource directory for centralized management.
You can use the management account of the resource directory to change the location of the member in the resource directory.
Step 3: Enable multi-account management in NIS
You can use an enterprise management account or a delegated administrator account to enable multi-account management.
Log on to the NIS console.
In the left-side navigation pane, choose .
On the Enterprise Multi-account Management page, click Enable NIS Multi-account Management.
On the Enterprise Multi-account Management page, the message "The administrator can manage the resources that belong to other accounts in the same resource directory" appears. This indicates that the multi-account management feature is enabled. You can enable multi-account management for the following NIS features:
Reachability analyzer
CEN topology
VPC topology
For more information, see Usage examples.
Step 4: Specify a delegated administrator account
By default, the enterprise management account of your resource directory serves as the super administrator of your enterprise. To follow management best practices and minimize human error, the enterprise management account should focus on the organizational management of the resource directory rather than on resource configuration management. To this end, you can use the enterprise management account to specify a member account as the delegated administrator account. That account has the permissions to view and manage the network assets of all member accounts in NIS in a centralized manner.
Use the enterprise management account to log on to the Resource Management console.
In the left-side navigation pane, choose .
On the Trusted Services page, find Network Intelligence Service in the Service column, and click Manage in the Actions column.
On the Network Intelligence Service page, click Add in the Delegated Administrator Accounts section.
In the Add Delegated Administrator Account panel, select a member account and click OK.
After you specify a delegated administrator account, you can use the account to access the multi-account management module in NIS and manage the resource directory of the organization.
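Two checks a platform team can script around this procedure, added here as an example that is not Alibaba Cloud's own code or documentation: the first validates the comma-separated list of account IDs or logon email addresses entered in the Invite Member dialog (Step 2) before anyone pastes it into the console, and the second compares the delegated administrators registered for a trusted service with the one account you intended to delegate (Step 4), because a delegated administrator can view and manage the network assets of every member account. The assumptions are labelled in the code: the 16-digit account ID format, the "Account"/"Email" target type names, the shape of the delegation response, and the service principal string, which is a placeholder; all sample data is constructed.

```python
"""Added example (not Alibaba Cloud's own code): two pre-flight checks for the
resource directory / NIS multi-account procedure described on this page.

1. validate_invite_targets(): validates the comma-separated list of account IDs
   or logon email addresses entered in the Invite Member dialog (Step 2).
2. audit_delegated_administrators(): checks a ListDelegatedAdministrators-style
   response against the single account you intended to delegate (Step 4).

Assumptions (not stated on the page): Alibaba Cloud account IDs are 16-digit
numbers; the target types are named "Account" and "Email" as in the
ResourceManager InviteAccountToResourceDirectory API; the response shape below
mirrors ListDelegatedAdministrators; the NIS service principal is a placeholder.
"""
import re
from typing import Dict, List, Tuple

ACCOUNT_ID_RE = re.compile(r"^\d{16}$")               # assumption: 16-digit account ID
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately simple email check


def validate_invite_targets(raw: str) -> List[Tuple[str, str]]:
    """Split the dialog input on commas and classify each entry.

    Returns (target_type, target_entity) pairs. Raises ValueError on an entry
    that is neither an account ID nor an email address, and on duplicates, so a
    typo never silently becomes an invitation to the wrong account.
    """
    targets: List[Tuple[str, str]] = []
    seen = set()
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate trailing commas and blank entries
        if ACCOUNT_ID_RE.match(entry):
            target = ("Account", entry)
        elif EMAIL_RE.match(entry):
            target = ("Email", entry.lower())
        else:
            raise ValueError(f"not an account ID or email address: {entry!r}")
        if target in seen:
            raise ValueError(f"duplicate invite target: {entry!r}")
        seen.add(target)
        targets.append(target)
    if not targets:
        raise ValueError("no invite targets given")
    return targets


def audit_delegated_administrators(response: Dict, service_principal: str,
                                   expected_account_id: str) -> Dict[str, List[str]]:
    """Compare the delegated administrators registered for one trusted service
    with the single account you intended to delegate.

    Returns {"unexpected": [...], "missing": [...]}; both lists empty means the
    delegation matches the intent.
    """
    registered = {
        acct["AccountId"]
        for acct in response.get("Accounts", {}).get("Account", [])
        if acct.get("ServicePrincipal") == service_principal
    }
    return {
        "unexpected": sorted(registered - {expected_account_id}),
        "missing": sorted({expected_account_id} - registered),
    }


# Constructed sample data; none of these are real accounts or principals.
SAMPLE_INVITE_INPUT = "1234567890123456, ops-team@example.com ,9876543210987654"
NIS_SERVICE_PRINCIPAL = "nis.example-service-principal"  # placeholder, not the real value
SAMPLE_DELEGATION_RESPONSE = {
    "Accounts": {"Account": [
        {"AccountId": "1234567890123456", "ServicePrincipal": NIS_SERVICE_PRINCIPAL},
        {"AccountId": "9876543210987654", "ServicePrincipal": NIS_SERVICE_PRINCIPAL},
        {"AccountId": "1111222233334444", "ServicePrincipal": "other.service"},
    ]},
}

if __name__ == "__main__":
    print(validate_invite_targets(SAMPLE_INVITE_INPUT))
    print(audit_delegated_administrators(SAMPLE_DELEGATION_RESPONSE,
                                         NIS_SERVICE_PRINCIPAL, "1234567890123456"))
```

Run it as a script to see the classified invite list and, for the sample response, one unexpected delegated administrator for the NIS service principal and none missing. In practice you would feed the audit function the actual response from the Resource Management trusted-service listing, and treat any entry in "unexpected" as a finding to review.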
Usage examples
Access CEN topology in multi-account mode
Use the delegated administrator account to log on to the NIS console.
In the left-side navigation pane, choose .
On the CEN Topology page, click and turn on Access in Multi-account Mode.
Select a member account and the ID of a CEN instance in the member account, and click Generate Topology to view and manage the cloud networking of the CEN instance. For more information, see Work with CEN topology.
Access VPC topology in multi-account mode
Use the delegated administrator account to log on to the NIS console.
In the left-side navigation pane, choose .
On the VPC Topology page, click and turn on Access in Multi-account Mode.
Select a member account, a region, and the ID of a VPC instance in the member account, and click Generate Topology to view and manage the topology of the VPC instance. For more information, see Work with VPC topology.
Access reachability analyzer in multi-account mode
Use the delegated administrator account to log on to the NIS console.
In the left-side navigation pane, choose .
Click Start Analyzing. On the Start Analyzing page, click and turn on Access in Multi-account Mode.
Select a member account, configure the relevant parameters, and click Start Analyzing. In the Analysis Details section, view the analysis result. For more information, see Work with the reachability analyzer.