Resource Directory supports resource-level authorization. Use Resource Access Management (RAM) or CloudSSO to delegate folder-level management to department administrators.
Scenarios
For large enterprises with multiple subsidiaries, the cloud management or O&M team typically manages the resource directory management account. The team can delegate management to subsidiary administrators, enabling independent resource management.
The following example uses Company Y, which has two business departments. Company Y delegates management to each department's O&M administrator, who independently manages account structures and employee permissions.
| Department | Administrator | Duty |
| --- | --- | --- |
| Security department | Mike | Manages security control policies globally for the company. |
| Business Department 1 | Alice | O&M administrator of Business Department 1. Can create resource accounts, organizations, control policies, and notification contacts only within Business Department 1. |
| Business Department 2 | Bob | O&M administrator of Business Department 2. Can create resource accounts, organizations, control policies, and notification contacts only within Business Department 2. |
Solutions
Hierarchical management provides fine-grained permission control over resource scopes and operations.
Resource Directory supports resource-level authorization. Specify operations in the Action element and resources in the Resource element of a RAM policy to control access at the resource level. For more information, see the RAM authorization topic.
Select a solution based on your requirements:
Solution 1: Use RAM to perform hierarchical management
- Enable a resource directory.
  Create an Alibaba Cloud account, complete enterprise real-name verification, enable a resource directory, and create folders named Business Department 1 and Business Department 2 in the resource directory. The administrator of Company Y can be an employee in the financial department. For more information about how to enable a resource directory and create a folder in the resource directory, see Enable a resource directory and Create a folder. This account becomes the management account of the resource directory.
- Create a RAM user named Mike and grant permissions to configure global control policies.
  The administrator of Company Y uses the management account of the resource directory to log on to the RAM console, creates a RAM user named Mike, creates an AccessKey pair, and attaches the following custom policy. For more information, see Create a RAM user, Create a custom policy, and Grant permissions to RAM users.
  Policy document:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:*ControlPolicy*",
            "resourcemanager:*ControlPolicies*"
          ],
          "Resource": [
            "acs:resourcemanager:*:*:account/*",
            "acs:resourcemanager:*:*:folder/*",
            "acs:resourcemanager:*:*:policy/controlpolicy/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:GetResourceDirectory",
            "resourcemanager:ListAccount*",
            "resourcemanager:GetFolder*",
            "resourcemanager:ListFolder*",
            "resourcemanager:GetAccount",
            "resourcemanager:GetControlPolicy*",
            "resourcemanager:ListControlPolicies",
            "resourcemanager:ListControlPolicyAttachmentsForTarget",
            "resourcemanager:ListTargetAttachmentsForControlPolicy",
            "resourcemanager:ListTagKeys",
            "resourcemanager:ListTagValues"
          ],
          "Resource": "*"
        }
      ]
    }
- Create a RAM user named Alice and grant management permissions on the Business Department 1 folder.
  The administrator of Company Y uses the management account of the resource directory to log on to the RAM console, creates a RAM user named Alice, creates an AccessKey pair, and attaches the following custom policy. For more information, see Create a RAM user, Create a custom policy, and Grant permissions to RAM users.
  Policy document:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:GetResourceDirectory",
            "resourcemanager:ListTagKeys",
            "resourcemanager:ListTagValues"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:*Account*",
            "resourcemanager:*Parent*",
            "resourcemanager:*Folder*",
            "resourcemanager:*Handshake*",
            "resourcemanager:*Contact*",
            "resourcemanager:*Members*",
            "resourcemanager:*ControlPolicy*",
            "resourcemanager:*ControlPolicies*",
            "resourcemanager:*SendVerificationCodeFor*",
            "resourcemanager:*BindSecureMobilePhone*"
          ],
          "Resource": [
            "acs:resourcemanager:*:*:account/rd-3G****/r-Wm****/fd-bqp2FA****/*", // The RDPath of the Business Department 1 folder.
            "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****/*", // The RDPath of the Business Department 1 folder.
            "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****", // The RDPath of the Business Department 1 folder.
            "acs:resourcemanager:*:*:handshake/*",
            "acs:resourcemanager:*:*:policy/controlpolicy/*",
            "acs:resourcemanager:*:*:messagecontact/*"
          ]
        },
        {
          "Effect": "Deny",
          "Action": [
            "resourcemanager:DeleteControlPolicy",
            "resourcemanager:UpdateControlPolicy",
            "resourcemanager:DisableControlPolicy",
            "resourcemanager:EnableControlPolicy",
            "resourcemanager:DeleteMessageContact",
            "resourcemanager:UpdateMessageContact",
            "resourcemanager:CancelMessageContactUpdate",
            "resourcemanager:CancelHandshake"
          ],
          "Resource": "*"
        }
      ]
    }
- Create a RAM user named Bob and grant management permissions on the Business Department 2 folder.
  The administrator of Company Y uses the management account of the resource directory to log on to the RAM console, creates a RAM user named Bob, creates an AccessKey pair, and attaches the following custom policy. For more information, see Create a RAM user, Create a custom policy, and Grant permissions to RAM users.
  Policy document:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:GetResourceDirectory",
            "resourcemanager:ListTagKeys",
            "resourcemanager:ListTagValues"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:*Account*",
            "resourcemanager:*Parent*",
            "resourcemanager:*Folder*",
            "resourcemanager:*Handshake*",
            "resourcemanager:*Contact*",
            "resourcemanager:*Members*",
            "resourcemanager:*ControlPolicy*",
            "resourcemanager:*ControlPolicies*",
            "resourcemanager:*SendVerificationCodeFor*",
            "resourcemanager:*BindSecureMobilePhone*"
          ],
          "Resource": [
            "acs:resourcemanager:*:*:account/rd-3G****/r-Wm****/fd-bqp2FA****/*", // The RDPath of the Business Department 2 folder.
            "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****/*", // The RDPath of the Business Department 2 folder.
            "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****", // The RDPath of the Business Department 2 folder.
            "acs:resourcemanager:*:*:handshake/*",
            "acs:resourcemanager:*:*:policy/controlpolicy/*",
            "acs:resourcemanager:*:*:messagecontact/*"
          ]
        },
        {
          "Effect": "Deny",
          "Action": [
            "resourcemanager:DeleteControlPolicy",
            "resourcemanager:UpdateControlPolicy",
            "resourcemanager:DisableControlPolicy",
            "resourcemanager:EnableControlPolicy",
            "resourcemanager:DeleteMessageContact",
            "resourcemanager:UpdateMessageContact",
            "resourcemanager:CancelMessageContactUpdate",
            "resourcemanager:CancelHandshake"
          ],
          "Resource": "*"
        }
      ]
    }
- Verify the result.
  Use the AccessKey pairs of Mike, Alice, and Bob to call the API operations of Resource Directory to access their authorized resources. If Alice can only operate within the Business Department 1 folder and Bob can only operate within the Business Department 2 folder, the configuration is correct.
Solution 2: Use CloudSSO to perform hierarchical management
- Enable a resource directory.
  Create an Alibaba Cloud account, complete enterprise real-name verification, enable a resource directory, and create folders named Business Department 1 and Business Department 2 in the resource directory. The administrator of Company Y can be an employee in the financial department. For more information about how to enable a resource directory and create a folder in the resource directory, see Enable a resource directory and Create a folder. This account becomes the management account of the resource directory.
- Create a CloudSSO user named Mike and grant permissions to configure global control policies.
  The administrator of Company Y uses the management account of the resource directory to log on to the CloudSSO console, creates a CloudSSO user named Mike, specifies a logon password for Mike, creates an access configuration, and then provisions the access configuration for the management account of the resource directory for Mike. For more information, see Create a user, Create a permission set, and Assign access to a member account.
  Inline policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:*ControlPolicy*",
            "resourcemanager:*ControlPolicies*"
          ],
          "Resource": [
            "acs:resourcemanager:*:*:account/*",
            "acs:resourcemanager:*:*:folder/*",
            "acs:resourcemanager:*:*:policy/controlpolicy/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:GetResourceDirectory",
            "resourcemanager:ListAccount*",
            "resourcemanager:GetFolder*",
            "resourcemanager:ListFolder*",
            "resourcemanager:GetAccount",
            "resourcemanager:GetControlPolicy*",
            "resourcemanager:ListControlPolicies",
            "resourcemanager:ListControlPolicyAttachmentsForTarget",
            "resourcemanager:ListTargetAttachmentsForControlPolicy",
            "resourcemanager:ListTagKeys",
            "resourcemanager:ListTagValues"
          ],
          "Resource": "*"
        }
      ]
    }
- Create a CloudSSO user named Alice and grant management permissions on the Business Department 1 folder.
  The administrator of Company Y uses the management account of the resource directory to log on to the CloudSSO console, creates a CloudSSO user named Alice, specifies a logon password for Alice, creates an access configuration, and then provisions the access configuration for the management account of the resource directory for Alice. For more information, see Create a user, Create a permission set, and Assign access to a member account.
  Inline policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:GetResourceDirectory",
            "resourcemanager:ListTagKeys",
            "resourcemanager:ListTagValues"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:*Account*",
            "resourcemanager:*Parent*",
            "resourcemanager:*Folder*",
            "resourcemanager:*Handshake*",
            "resourcemanager:*Contact*",
            "resourcemanager:*Members*",
            "resourcemanager:*ControlPolicy*",
            "resourcemanager:*ControlPolicies*",
            "resourcemanager:*SendVerificationCodeFor*",
            "resourcemanager:*BindSecureMobilePhone*"
          ],
          "Resource": [
            "acs:resourcemanager:*:*:account/rd-3G****/r-Wm****/fd-bqp2FA****/*", // The RDPath of the Business Department 1 folder.
            "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****/*", // The RDPath of the Business Department 1 folder.
            "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****", // The RDPath of the Business Department 1 folder.
            "acs:resourcemanager:*:*:handshake/*",
            "acs:resourcemanager:*:*:policy/controlpolicy/*",
            "acs:resourcemanager:*:*:messagecontact/*"
          ]
        },
        {
          "Effect": "Deny",
          "Action": [
            "resourcemanager:DeleteControlPolicy",
            "resourcemanager:UpdateControlPolicy",
            "resourcemanager:DisableControlPolicy",
            "resourcemanager:EnableControlPolicy",
            "resourcemanager:DeleteMessageContact",
            "resourcemanager:UpdateMessageContact",
            "resourcemanager:CancelMessageContactUpdate",
            "resourcemanager:CancelHandshake"
          ],
          "Resource": "*"
        }
      ]
    }
- Create a CloudSSO user named Bob and grant management permissions on the Business Department 2 folder.
  The administrator of Company Y uses the management account of the resource directory to log on to the CloudSSO console, creates a CloudSSO user named Bob, specifies a logon password for Bob, creates an access configuration, and then provisions the access configuration for the management account of the resource directory for Bob. For more information, see Create a user, Create a permission set, and Assign access to a member account.
  Inline policy:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:GetResourceDirectory",
            "resourcemanager:ListTagKeys",
            "resourcemanager:ListTagValues"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:*Account*",
            "resourcemanager:*Parent*",
            "resourcemanager:*Folder*",
            "resourcemanager:*Handshake*",
            "resourcemanager:*Contact*",
            "resourcemanager:*Members*",
            "resourcemanager:*ControlPolicy*",
            "resourcemanager:*ControlPolicies*",
            "resourcemanager:*SendVerificationCodeFor*",
            "resourcemanager:*BindSecureMobilePhone*"
          ],
          "Resource": [
            "acs:resourcemanager:*:*:account/rd-3G****/r-Wm****/fd-bqp2FA****/*", // The RDPath of the Business Department 2 folder.
            "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****/*", // The RDPath of the Business Department 2 folder.
            "acs:resourcemanager:*:*:folder/rd-3G****/r-Wm****/fd-bqp2FA****", // The RDPath of the Business Department 2 folder.
            "acs:resourcemanager:*:*:handshake/*",
            "acs:resourcemanager:*:*:policy/controlpolicy/*",
            "acs:resourcemanager:*:*:messagecontact/*"
          ]
        },
        {
          "Effect": "Deny",
          "Action": [
            "resourcemanager:DeleteControlPolicy",
            "resourcemanager:UpdateControlPolicy",
            "resourcemanager:DisableControlPolicy",
            "resourcemanager:EnableControlPolicy",
            "resourcemanager:DeleteMessageContact",
            "resourcemanager:UpdateMessageContact",
            "resourcemanager:CancelMessageContactUpdate",
            "resourcemanager:CancelHandshake"
          ],
          "Resource": "*"
        }
      ]
    }
- Verify the result.
  Use Alibaba Cloud CLI to log on to the CloudSSO user portal separately as Mike, Alice, and Bob. Then, run commands in Alibaba Cloud CLI to access their authorized resources. If Alice can only operate within the Business Department 1 folder and Bob can only operate within the Business Department 2 folder, the configuration is correct. For information about how to use Alibaba Cloud CLI to log on to the CloudSSO user portal, see Use Alibaba Cloud CLI to log on to the CloudSSO user portal.
  Note: After configuring the CloudSSO hierarchical management solution, you can manage authorized resources only through CLI, not through the CloudSSO console.
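Before attaching a department policy (the same document is used as Alice's custom policy in Solution 1 and as her inline policy in Solution 2), it helps to dry-run it against the actions the verification steps describe. The following is an added example, not code from the page or from Alibaba Cloud: a small evaluator that applies RAM's decision order (explicit Deny beats Allow, no match is an implicit Deny) to an abridged copy of Alice's policy. BD1_PATH and the resource strings are constructed placeholders that stand in for the RDPath the page masks as rd-3G****/r-Wm****/fd-bqp2FA****.

```python
import re

# Alice's policy from the page, abridged to the statements exercised below and
# with the page's "//" comments dropped so it is plain Python data.
# BD1_PATH is a constructed placeholder. The "****" in the page's RDPath are
# redactions, not wildcards: a deployed policy must carry the full folder path,
# otherwise "*" would match other folders under the same root.
BD1_PATH = "rd-EXAMPLE/r-EXAMPLE/fd-DEPT1-EXAMPLE"
ALICE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["resourcemanager:GetResourceDirectory",
                    "resourcemanager:ListTagKeys", "resourcemanager:ListTagValues"]},
        {"Effect": "Allow",
         "Action": ["resourcemanager:*Account*", "resourcemanager:*Folder*",
                    "resourcemanager:*ControlPolicy*", "resourcemanager:*Contact*"],
         "Resource": ["acs:resourcemanager:*:*:account/" + BD1_PATH + "/*",
                      "acs:resourcemanager:*:*:folder/" + BD1_PATH + "/*",
                      "acs:resourcemanager:*:*:folder/" + BD1_PATH,
                      "acs:resourcemanager:*:*:policy/controlpolicy/*",
                      "acs:resourcemanager:*:*:messagecontact/*"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["resourcemanager:DeleteControlPolicy",
                    "resourcemanager:UpdateControlPolicy",
                    "resourcemanager:DeleteMessageContact"]},
    ],
}


def match(pattern, value):
    """Simplified RAM matching: '*' stands for any run of characters, all else literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def evaluate(policy, action, resource):
    """Explicit Deny wins over Allow; no matching statement is an implicit Deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(match(a, action) for a in actions) and any(match(r, resource) for r in resources):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed resource strings: a folder in each department under one root folder.
    prefix = "acs:resourcemanager:cn-hangzhou:123456789012:folder/"
    print("CreateFolder in BD1:", evaluate(ALICE_POLICY, "resourcemanager:CreateFolder", prefix + BD1_PATH))
    print("CreateFolder in BD2:", evaluate(ALICE_POLICY, "resourcemanager:CreateFolder", prefix + "rd-EXAMPLE/r-EXAMPLE/fd-DEPT2-EXAMPLE"))
```

Running it shows the first call allowed and the second denied, which is the same split the verification steps above check with real AccessKey pairs or CLI sessions.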