Identity and access management restricts Alibaba Cloud resource access to authorized users, preventing unauthorized operations and meeting audit requirements. Elastic Desktop Service (EDS) Enterprise provides the following IAM capabilities.
Account management
Use a RAM user as an administrator account
An Alibaba Cloud account has full access to all resources, so using it for day-to-day administration creates security risks. Instead, create a RAM user as the administrator, grant it only the permissions it needs, and use that RAM user to log on to the Elastic Desktop Service (EDS) Enterprise console.
End user account lifecycle
Elastic Desktop Service (EDS) Enterprise administrators assign cloud resources such as cloud computers to end user accounts. To maintain security throughout the account lifecycle:
Promptly revoke cloud computer assignments from end user accounts.
Disable accounts as needed.
Promptly delete accounts that are no longer needed.
Password validity period
By default, convenience account passwords never expire. You can set a validity period of 30 to 365 days. When a password expires, the end user must change it to log on again.
Permission management
Administrator permissions with RAM
In Elastic Desktop Service (EDS) Enterprise, use Resource Access Management (RAM) for fine-grained permission control, allowing different RAM users to manage specific cloud computer resources.
Administrator permissions within EDS
When you log on to the Elastic Desktop Service (EDS) console with your Alibaba Cloud account, you have full permissions to access all features and manage all resources. For large organizations with complex structures and numerous cloud computers, relying on a single administrator can create an excessive workload and may violate internal permission isolation policies. To address this, you can create one or more sub-administrators to share management tasks. This approach typically involves the following requirements:
Feature-level permission isolation: For example, sub-administrator A can only create and manage users, but not cloud computers, while sub-administrator B can only view all data.
Data-level permission isolation: For example, sub-administrator C can only manage cloud computers for the R&D department, while sub-administrator D can only manage cloud computers for the design department.
The permission management module in Elastic Desktop Service (EDS) Enterprise addresses these requirements.
Identity authentication
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) adds a second verification factor when administrators log on to the console or end users log on to a terminal, protecting accounts and cloud resources beyond password authentication. MFA does not affect API calls made with an AccessKey pair, so AccessKey pairs must be protected separately: grant them least-privilege permissions and rotate them regularly.
Specify logon terminals
Each terminal is identified by a universally unique identifier (UUID), which the service treats as a trusted, tamper-proof, non-forgeable, globally unique device identifier. Enable trusted device authentication to restrict each end user to the terminals you specify; a logon from any other terminal is rejected even with valid credentials.
Client logon verification
This feature is disabled by default. When enabled, users logging on to an Alibaba Cloud Workspace terminal from a new device must verify their identity with a code sent by email.
Access control
Terminal access control
Cloud computer policies manage terminal access through logon method control and IP address whitelists. Configure these policies to restrict end users to specified terminal types and IP ranges.
The Logon Method Control rule restricts which types of Alibaba Cloud Workspace clients end users can use to connect to their cloud computers.
Example: To enhance enterprise information security, an administrator sets the rule to allow connections only from the Windows and macOS clients.
The CIDR Block Whitelist rule restricts the IP address ranges from which Alibaba Cloud Workspace clients can connect to cloud computers.
Example: To bolster security, an administrator adds the office network's IP address range to an allowlist. This ensures that employees can connect to their cloud computers only from the office, blocking access from other locations.
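The following is an added example, not code from the EDS service or its SDK, that shows how the three terminal-side rules described on this page (trusted device authentication from the "Specify logon terminals" section, plus the Logon Method Control and CIDR Block Whitelist rules above) combine when a connection attempt is evaluated. The policy structure, field names, the `evaluate` function, the sample user names and the sample connection attempts are all constructed here as assumptions; the real service applies these rules server-side and exposes them only through its console and API. The example also goes one step beyond the text by failing closed on malformed input and by normalizing IPv4-mapped IPv6 source addresses, which would otherwise silently miss an IPv4 allowlist entry.

```python
"""Added example: evaluate a terminal access policy (logon method, CIDR allowlist,
trusted terminal UUIDs). Illustrative only; not part of EDS. All structures and
sample data below are constructed assumptions."""
import ipaddress
import uuid
from dataclasses import dataclass, field


@dataclass
class TerminalPolicy:
    allowed_client_types: frozenset          # e.g. {"windows", "macos"}; empty = unrestricted
    cidr_allowlist: tuple                    # ip_network objects; empty = unrestricted
    trusted_terminals: dict = field(default_factory=dict)  # user -> set of UUID strings


def build_policy(client_types, cidrs, trusted_terminals=None):
    """Normalize the raw policy inputs once, so evaluation compares canonical forms."""
    networks = tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)
    normalized = {}
    for user, ids in (trusted_terminals or {}).items():
        # str(uuid.UUID(...)) canonicalizes case and dashes; an invalid id fails here, at config time
        normalized[user] = frozenset(str(uuid.UUID(i)) for i in ids)
    return TerminalPolicy(frozenset(t.lower() for t in client_types), networks, normalized)


def evaluate(policy, user, client_type, source_ip, terminal_id):
    """Return (allowed, reason). Every configured rule must pass; malformed input fails closed."""
    # Logon Method Control: only the listed client types may connect
    if policy.allowed_client_types and client_type.lower() not in policy.allowed_client_types:
        return False, f"client type {client_type!r} not permitted"

    # CIDR Block Whitelist: the source address must fall inside an allowlisted block
    if policy.cidr_allowlist:
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False, f"unparseable source address {source_ip!r}"
        # ::ffff:a.b.c.d is an IPv4 client behind an IPv6 socket; compare it as IPv4,
        # otherwise the version mismatch makes every IPv4 block test False
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if not any(addr in net for net in policy.cidr_allowlist):
            return False, f"source {addr} outside allowlisted CIDR blocks"

    # Trusted device authentication: users with a terminal list are bound to those UUIDs
    trusted = policy.trusted_terminals.get(user)
    if trusted is not None:
        try:
            tid = str(uuid.UUID(terminal_id))
        except (ValueError, TypeError, AttributeError):
            return False, "terminal id is not a valid UUID"
        if tid not in trusted:
            return False, f"terminal {tid} is not a trusted device for {user}"

    return True, "allowed"


# Constructed sample policy: office network ranges (documentation prefixes) and one bound terminal
OFFICE_POLICY = build_policy(
    client_types=["windows", "macos"],
    cidrs=["203.0.113.0/24", "2001:db8:1::/48"],
    trusted_terminals={"alice": ["123E4567-E89B-12D3-A456-426614174000"]},
)

# Constructed connection attempts: (user, client type, source IP, terminal UUID)
SAMPLE_ATTEMPTS = [
    ("alice", "windows", "203.0.113.40", "123e4567-e89b-12d3-a456-426614174000"),  # allowed
    ("alice", "web", "203.0.113.40", "123e4567-e89b-12d3-a456-426614174000"),      # client type denied
    ("alice", "macos", "198.51.100.7", "123e4567-e89b-12d3-a456-426614174000"),    # off-network
    ("alice", "macos", "203.0.113.41", "ffffffff-ffff-ffff-ffff-ffffffffffff"),    # untrusted terminal
    ("bob", "macos", "::ffff:203.0.113.9", "not-a-uuid"),                          # bob is not terminal-bound
]


def run_samples(policy=OFFICE_POLICY, attempts=SAMPLE_ATTEMPTS):
    """Evaluate each sample attempt and return the list of allow/deny decisions."""
    return [evaluate(policy, *attempt)[0] for attempt in attempts]


if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        allowed, reason = evaluate(OFFICE_POLICY, *attempt)
        print(f"{attempt[0]:6} {attempt[1]:8} {attempt[2]:20} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

Note that the rules are evaluated as AND, not OR: widening any one of them (for example, adding `web` to the client list) does not bypass the others, and a user without an entry in `trusted_terminals` is unrestricted by that rule alone, so enabling trusted device authentication is only effective once every user has been assigned their terminals.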
Timeout-triggered automatic logout
When enabled, if an end user is logged on to a specified type of WUYING terminal but not connected to any cloud resources (cloud computers, cloud apps, cloud phones, or enterprise drives), the terminal automatically logs the user out after the specified timeout. This limits how long an unattended, idle terminal can be used to reach cloud resources.