
Resource Management: Best practices for the management account of a resource directory

Last Updated: Jun 02, 2026

The management account of a resource directory holds all administrative permissions over the directory, its folders, and its members. Each resource directory has only one management account. Because no access control policies apply to it, the management account is a high-privilege root that requires strict access discipline. Follow these best practices to reduce its attack surface and minimize security risk.

Use a management account to perform only required operations

The management account holds all administrative permissions over the members in a resource directory. Restrict its use to operations that require root-level access, and revoke access for anyone who does not need to manage the resource directory.

To separate day-to-day administration from root-level access, create a RAM user for the management account and attach the AliyunResourceDirectoryFullAccess policy to that RAM user. You can then manage the resource directory as the RAM user.

Note

AliyunResourceDirectoryFullAccess grants the highest permissions on resource directories. If the RAM user only needs to perform specific operations, grant only the permissions required for those operations. For a list of available permissions, see Resource Directory.
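The following is an added example, not part of the Alibaba Cloud documentation: a constructed read-only RAM policy document for a user who only needs to inspect the resource directory, plus a small audit function that flags any Allow action granting wildcard or mutating access before the policy is attached to a RAM user in the management account. The `resourcemanager:` action names are assumptions; check them against the Resource Directory permission list referenced above.

```python
import json

# Constructed least-privilege policy for a RAM user that only inspects the
# resource directory. Action names are assumed for illustration.
READ_ONLY_RD_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "resourcemanager:GetResourceDirectory",
                "resourcemanager:ListFolders",
                "resourcemanager:ListAccounts",
                "resourcemanager:ListControlPolicies",
            ],
            "Resource": "*",
        }
    ],
}

# Verbs that change the directory's structure or membership. A policy
# meant for day-to-day inspection should not grant any of these.
MUTATING_VERBS = ("Create", "Delete", "Remove", "Attach", "Detach",
                  "Update", "Move", "Invite", "Enable", "Disable")


def find_risky_actions(policy: dict) -> list:
    """Return every Allow action that grants wildcard or mutating access."""
    risky = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; skip them
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]  # RAM allows a single action as a string
        for action in actions:
            # "*" or "service:*" hands over every action of that service
            if action == "*" or action.endswith(":*"):
                risky.append(action)
                continue
            verb = action.split(":", 1)[-1]
            if verb.startswith(MUTATING_VERBS):
                risky.append(action)
    return risky


def policy_json(policy: dict) -> str:
    """Serialise the policy in the form accepted by the RAM console or API."""
    return json.dumps(policy, indent=2)
```

Run `find_risky_actions` over any custom policy before attaching it; an empty result means the document grants only read-style actions.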

Deploy no resources within a management account

Access control policies do not apply to management accounts, so they cannot restrict operations performed on resources inside the account. Deploying business resources there requires granting access to business personnel, which significantly increases the account's attack surface. Keep the management account free of business resources.

Use a delegated administrator account to distribute the responsibilities of a management account

Use the management account only to manage the resource directory itself. For service-level business management, use a delegated administrator account of a trusted service.

For example, a security administrator can use a delegated administrator account of Cloud Firewall to perform security management operations in Cloud Firewall without needing any access permissions on the management account of your resource directory.