This topic describes the terms related to Resource Management.

Resource Management

Terms related to Resource Directory

Term Description
management account

A management account is an account that is used to enable a resource directory and is the super administrator of the resource directory. The management account has all administrative permissions on the resource directory and the members in the resource directory. Only an Alibaba Cloud account that has passed enterprise real-name verification can be used as a management account. Each resource directory has only one management account.

To ensure the security of the management account, we recommend that you create an Alibaba Cloud account and use the Alibaba Cloud account as the root user of the management account. Do not use an existing Alibaba Cloud account to enable a resource directory. You can also create a RAM user for the management account, grant the administrator permissions to the RAM user, and use the RAM user to manage the entire resource directory. Only the management account of a resource directory or a RAM user that has the administrator permissions can be used to perform operations in the resource directory.

Note A management account does not belong to a resource directory and is not limited by the access control policies of a resource directory.
Root folder The Root folder is the parent folder of all the other folders in a resource directory. These folders are organized in a hierarchy that starts from the Root folder.
folder A folder is an organizational unit in a resource directory. A folder may indicate a branch, line of business, or project of an enterprise. Each folder can contain members and subfolders, which forms a tree-shaped organizational structure.
member

A member can be a resource account or cloud account. Members that are created in a resource directory are resource accounts. A resource account is used to isolate the resources of a project or application on Alibaba Cloud from other resources. You can invite existing Alibaba Cloud accounts to join your resource directory. After the owners of the Alibaba Cloud accounts accept the invitations, the accounts become the members of the resource directory. These members are cloud accounts.

  • Resource account

    A member that is created in a resource directory is a resource account. The root users of resource accounts are disabled. Therefore, resource accounts provide higher security. For more information about how to create a resource account, see Create a member.

  • Cloud account

    A member that is invited to join a resource directory is a cloud account. The root users of cloud accounts are enabled. For more information about how to invite an Alibaba Cloud account to join a resource directory, see Invite an Alibaba Cloud account to join a resource directory.

RDP A resource directory path (RDP) indicates the location of a resource entity (folder or member) in a resource directory. The RDP of a resource entity consists of the ID of the resource entity, IDs of all the parent folders of the resource entity, and ID of the resource directory to which the resource entity belongs. An RDP is in one of the following formats:
  • RDP of a folder: <ID of the resource directory to which the folder belongs>/<ID of the Root folder in the resource directory>/.../<ID of the folder>.
  • RDP of a member: <ID of the resource directory to which the member belongs>/<ID of the Root folder in the resource directory>/.../<ID of the member>. For example, the RDP of the member 181761095690**** is rd-r4****/r-oG****/fd-RIErN0****/fd-XVxh6D****/181761095690****.

For more information about how to view the RDP of a folder or member, see View the basic information of a folder or View the detailed information of a member.

access control policy An access control policy enables you to manage the permission boundaries of the folders or members in a resource directory in a centralized manner. Access control policies are implemented based on the resource directory. You can use access control policies to develop common or dedicated rules for access control. Access control policies do not grant permissions but only define permission boundaries. Before you use an account that is a member of your resource directory to access resources, you must grant the required permissions to the account by using the Resource Access Management (RAM) service.

For more information about access control policies, see Overview.

trusted service A trusted service refers to an Alibaba Cloud service that is integrated with the Resource Directory service. After an Alibaba Cloud service is integrated with Resource Directory, the service can access the information of the related resource directory, such as the members and folders in the resource directory. You can use the management account of your resource directory or a delegated administrator account of a trusted service to manage your business in the trusted service based on your resource directory. This simplifies the unified management of cloud services activated by your enterprise. For example, after Cloud Config is integrated with Resource Directory, you can use the management account of your resource directory to view related information in Cloud Config. The information includes the resources of all members in the resource directory and the configuration history and compliance statuses of the resources. You can also monitor the compliance of resource configurations in Cloud Config.

For more information about trusted services, see Overview.

delegated administrator account The management account of a resource directory can be used to specify a member in the resource directory as a delegated administrator account of a trusted service. After a member is specified as a delegated administrator account of a trusted service, the member can be used to access the information of the resource directory in the trusted service. The information includes the structure and members of the resource directory. The member can also be used to manage business within the resource directory. Delegated administrator accounts allow you to separate organization management tasks from business management tasks. The management account of a resource directory is used to perform the organization management tasks of the resource directory. Delegated administrator accounts are used to perform the business management tasks of the related trusted services. This meets security-related requirements.

For more information about how to add or remove a delegated administrator account, see Manage a delegated administrator account.

Terms related to Resource Group

Term Description
resource group You can sort resources owned by your Alibaba Cloud account into various resource groups. This facilitates resource management among multiple projects or applications within your Alibaba Cloud account and simplifies permission management.
Resource Meta Center The metadata of a resource refers to the attribute information about the resource. The information includes the name, IP address, and tags of the resource. The Resource Meta Center (RMC) service allows you to search for resources that belong to different resource groups, cloud services, or resource types by using the metadata of the resources.

Terms related to Resource Sharing

Term Description
resource share A resource share is an instance of the Resource Sharing service. It is also a resource and has a unique ID and an Alibaba Cloud Resource Name (ARN). A resource share consists of a resource owner, principals, and shared resources.
resource owner A resource owner initiates resource sharing and owns shared resources.
principal A principal is invited to use the resources of resource owners and has specific operation permissions on the shared resources.
Note The operation permissions of each principal on the shared resources are determined by the Alibaba Cloud service to which the resources belong. For example, the operation permissions of principals on the shared vSwitches in a VPC are determined based on the VPC service. For more information, see Permissions related to VPC sharing.
shared resource A shared resource is a resource of an Alibaba Cloud service. For more information about the types of resources that can be shared, see Services that work with Resource Sharing.
resource sharing Resource sharing allows you to share your resources with all members in your resource directory, all members in a specific folder in your resource directory, or a specific member in your resource directory. For more information, see Enable resource sharing.

Terms related to Tag

Term Description
key-value pair

A tag consists of a key-value pair.

custom tag A custom tag is created by a user. For more information, see Add a custom tag.
preset tag A preset tag is a tag that you create in advance and is added to the resources in all regions. You can create preset tags in the stage of tag planning and add them to specific resources in the stage of tag implementation. The system provides some common built-in types for preset tags. This allows you to quickly plan tag systems. For more information, see Create a preset tag.
system tag A system tag is defined by the system. You can only query system tags. System tags present data relationships in a standard manner. In some specific cases, you can use system tags to assist in processing your business. For example, a cluster is associated with an Elastic Compute Service (ECS) instance, and the system adds the system tag of the cluster ID to the ECS instance. This way, you can determine the attribution of the ECS instance based on the system tag. For more information, see View system tags and the resources to which a system tag is added.
tag editor The tag editor is a tool that is used to manage resource tags in a centralized manner. You can use the tag editor to search for resources that belong to different Alibaba Cloud services and reside in different regions. In addition, you can use the tag editor to add, modify, or remove tags for multiple resources at a time, and export resource lists.
createdby tag createdby tags are a type of system tag that is generated by Alibaba Cloud and automatically added to resources. This type of tag is used to identify the creators of resources. createdby tags can help you analyze costs and bills and manage the costs of resources in an efficient manner. For more information, see Overview.
tag policy Tag policies are used to standardize the tags that are added to resources. You can use a tag policy to define the tags that must be added to your resources. Compliant tags can help you improve the efficiency in aspects such as cost allocation by tag, access control by tag, and automated O&M. Tag policies support the single-account mode and multi-account mode. The two modes can meet your business requirements for standardized tag management in different stages. For more information, see Overview.