Delegated administrator accounts can separate organization management tasks from business management tasks. You can use the management account of a resource directory to perform the organization management tasks of the resource directory, and use delegated administrator accounts to perform the business management tasks of Resource Orchestration Service (ROS). This is in line with the best practices. You can specify a member account of the resource directory as a delegated administrator account based on your business requirements. This way, you can use the member account as the administrator account to deploy stacks within other member accounts in ROS.


Background information

After you specify a delegated administrator account in ROS, the management account can authorize the delegated administrator account to perform operations. For example, the management account can authorize the delegated administrator account to access the information about organizations and members of the resource directory, and manage ROS stack groups, stack instances, and stacks.

For more information, see Management accounts and Delegated administrator accounts.

Add a delegated administrator account

You can log on to the Resource Management console with the management account and add a delegated administrator account to the resource directory. For more information, see Add a delegated administrator account.

Note You can add a maximum of five delegated administrator accounts in ROS.

Remove a delegated administrator account

If you remove a delegated administrator account, specific configurations may become temporarily invalid. Exercise caution when you remove a delegated administrator account. For more information about how to remove a delegated administrator account, see Remove a delegated administrator account.

After you remove the delegated administrator account, the account becomes a member account and the following changes take effect for the account:

  • The stack groups and stack instances within the account are automatically retained.
  • The account cannot perform operations on the stack instances that are created in the service-managed stack groups. For example, the account cannot create, update, or delete the stack instances.
  • The trusted access feature is automatically disabled for the account.