When SASE is integrated with Resource Directory, a management account or a delegated administrator account can add other Alibaba Cloud accounts in your enterprise as members and apply zero trust policies across all of them from a single console.
Key concepts
The following table describes the three account roles involved in multi-account management:
| Role | Description |
|---|---|
| Management account | The account that owns the resource directory and has full permissions over it. When you enable a resource directory, the current account is specified as the management account. Responsible for organization-level tasks: inviting members, designating delegated administrators, and structuring folders. |
| Delegated administrator account | A member account designated by the management account to handle business management tasks for SASE. It can access the resource directory structure and member list without taking on full organization management responsibilities. This separation keeps organization management and day-to-day policy management in different hands. |
| Member | An Alibaba Cloud account that has accepted an invitation to join the resource directory. Once added to SASE, its access permissions can be managed centrally using zero trust policies. |
Prerequisites
Before you begin, ensure that you have:
An activated SASE instance
Set up multi-account management
The setup involves four steps, completed in order:
Step 1: Enable a resource directory
Resource Directory consolidates all your Alibaba Cloud accounts into a single hierarchical structure organized by folders. After you enable a resource directory, the current account is specified as the management account with full permissions over the directory.
For instructions, see Enable a resource directory.
Step 2: Invite members
Invite the Alibaba Cloud accounts in your enterprise to join the resource directory. Each accepted invitation creates a member account under your resource directory.
For instructions, see Invite an Alibaba Cloud account to join a resource directory.
Step 3: Add a delegated administrator account
Designate one member as the delegated administrator account for SASE. This account can then access the resource directory structure and member list within SASE, and manage business within the resource directory—without needing full management account privileges. This separation lets your organization management account focus on directory structure while the delegated administrator handles business management operations.
For instructions, see Manage a delegated administrator account.
Step 4: Add members in the SASE console
Log on to the SASE console.
In the left-side navigation pane, click Settings.
On the Multi-account Management tab, click Added Member.
In the Added Member dialog box, select the members to import and move them to the The member is selected list.
Click OK.
After the members are added, the member list displays each member's Account UID, Account Name, and Add Time.
Manage members
After adding members, perform the following operations from the Actions column:
Add remarks: Click Remarks, then enter a note to help distinguish this member from others.
Delete a member: Click Delete to remove the member. After deletion, the current account no longer manages that member.