Data Security Center (DSC) provides the multi-account management feature. You can use the feature to manage the data assets, data objects, and audit logs of multiple Alibaba Cloud accounts in a centralized manner. This way, you can perform data security management tasks, such as automatic identification of sensitive data, data classification, and monitoring and alerting of potential security threats, in an efficient manner. This topic describes how to use the multi-account management feature.
Terms
Before you use DSC to manage data assets of multiple Alibaba Cloud accounts in a centralized manner, you must understand the following terms.
| Term | Description | Service |
| --- | --- | --- |
| management account | A management account is an Alibaba Cloud account that has passed enterprise real-name verification. After you use this Alibaba Cloud account to enable a resource directory, the account becomes the management account of the resource directory. The management account is the super administrator of the resource directory. It has all administrative permissions on the resource directory and the folders and members in the resource directory. Each resource directory has only one management account. To ensure the security of a management account, we recommend that you perform the following operations: Note: A management account does not belong to a resource directory and is not limited by the access control policies of a resource directory. | Resource Management |
| Root folder | The Root folder is the parent folder of all the other folders in a resource directory. These folders are organized in a hierarchy that starts from the Root folder. | Resource Management |
| folder | A folder is an organizational unit in a resource directory. A folder may indicate a branch, line of business, or project of an enterprise. Each folder can contain members and subfolders, which forms a tree-shaped organizational structure. | Resource Management |
| member | A member can be a resource account or a cloud account. Members that are created in a resource directory are resource accounts. A resource account is used to isolate the resources of a project or application on Alibaba Cloud from other resources. You can also invite existing Alibaba Cloud accounts to join your resource directory. After the owners of the Alibaba Cloud accounts accept the invitations, the accounts become members of the resource directory. These members are cloud accounts. | Resource Management |
| delegated administrator account | The management account of a resource directory can be used to specify a member in the resource directory as the delegated administrator account of a trusted service, such as DSC. After a member is specified as the delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service. The information includes the structure and members of the resource directory. The member can also be used to manage business within the resource directory. | Resource Management |
| member of DSC | A delegated administrator account can configure a member in a resource directory as a member in DSC. Then, the delegated administrator account can access the cloud resources of the members in DSC. | DSC |
Limits
Only the paid editions of DSC support the multi-account management feature.
Example
You can refer to the following process to build a multi-account system and use the delegated administrator account of DSC to manage data assets of multiple Alibaba Cloud accounts.
Scenario: Alibaba Cloud Accounts A, B, C, D, and E belong to the same resource directory. Alibaba Cloud Account A is the management account of the resource directory, and the other accounts are the members of the resource directory. Alibaba Cloud Account A specifies Alibaba Cloud Account B as the delegated administrator account of DSC. Alibaba Cloud Account B can manage the data assets of Alibaba Cloud Accounts B, C, D, and E in a centralized manner and use features of DSC, such as sensitive data protection, baseline check, data auditing, and data masking. You can use a RAM user of Alibaba Cloud Account B to manage the data assets of only authorized Alibaba Cloud Accounts D and E in DSC.
Usage notes
| Category | Description |
| --- | --- |
| Multi-account verification | The Alibaba Cloud account that uses the multi-account management feature and the managed Alibaba Cloud accounts must be within the same resource directory and belong to the same enterprise entity. The enterprise entity must pass enterprise real-name verification. |
| DSC purchase | |
| Member management by level | A delegated administrator account can manage all members in a centralized manner and create RAM users to configure fine-grained permissions. A delegated administrator account can use RAM users to manage members by level based on the resource directory path of a folder in a resource directory. For more information, see Authorize a RAM user to manage a member. |
| Feature usage | |
| Member fees | When the data identification and security audit features are enabled for assets of a member, the member pays the fees for reading data and storing audit logs in specific database services. For more information, see Additional fees for database assets connected to DSC. |
Prerequisites
A resource directory is enabled. For more information, see Enable a resource directory.
A member is created in the resource directory, or an existing Alibaba Cloud account is invited to join the resource directory. For more information, see Create a member and Invite an Alibaba Cloud account to join a resource directory.
If you want to use RAM users to manage members by resource folder, you must first create a resource folder and then create Alibaba Cloud accounts in the resource folder or invite Alibaba Cloud accounts to join the resource folder. For more information, see Create a folder.
A delegated administrator account has purchased a paid edition of DSC. For more information, see Purchase DSC.
Step 1: Configure the delegated administrator account of DSC
The management account of a resource directory can be used to specify a member in the resource directory as the delegated administrator account of a trusted service. After a member is specified as the delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service. The information includes the structure and members of the resource directory. The member can also be used to manage business within the resource directory.
Log on to the Resource Management console by using the management account of the resource directory.
In the left-side navigation pane, choose .
On the Trusted Services page, find Data Security Center (DSC) and click Manage in the Actions column.
In the Delegated Administrator Accounts section of the page that appears, click Add. In the Add Delegated Administrator Account panel, specify the Alibaba Cloud account that is used to purchase DSC as the delegated administrator account and click OK.
After the delegated administrator account is specified, you can use the multi-account management feature of DSC by using the delegated administrator account.
Step 2: Add members in DSC
Authorize a RAM user to manage specific members
If you use the delegated administrator account to add members to DSC, skip this step.
Log on to the RAM console by using the delegated administrator account and create a RAM user. For more information, see Create a RAM user.
Create a custom policy to authorize the RAM user to manage specific members.
In the left-side navigation pane of the RAM console, choose .
On the Policies page, click Create Policy. On the Create Policy page, click the JSON tab.
Enter the content of your custom policy and click Next to edit policy information.
Copy the following policy content and configure the Condition element. The RAM user can add (yundun-sddp:AddMultiAccountMembers) or remove (yundun-sddp:DeleteMultiAccountMembers) a member on the Multi-account Management page in the DSC console. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
Authorize a RAM user to manage a specific member
Set the acs:RDManageScope parameter of StringNotEquals in Condition to the resource directory path (RDPath) of the required folder in the resource directory on the Resource Directory page plus the UID of the member. The Deny statement then blocks both actions for any member whose path does not equal the listed value.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "yundun-sddp:AddMultiAccountMembers",
        "yundun-sddp:DeleteMultiAccountMembers"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "acs:RDManageScope": [
            "rd-BXXXXs/r-cXXXX6/163XXXXXX1494597"
          ]
        }
      }
    }
  ]
}
```
Authorize a RAM user to manage the members of a specific folder
Set the acs:RDManageScope parameter of StringNotLike in Condition to the resource directory path (RDPath) of the required folder in the resource directory on the Resource Directory page plus /*. The Deny statement then blocks both actions for any member whose path is not under that folder.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "yundun-sddp:AddMultiAccountMembers",
        "yundun-sddp:DeleteMultiAccountMembers"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "acs:RDManageScope": [
            "rd-BXXXXs/r-cXXXX6/fd-BrXXXXXXM4/*"
          ]
        }
      }
    }
  ]
}
```
Specify the Name and Description fields.
Click OK.
Click Grant Permission.
On the Grant Permission page, search for and select the RAM user, select the custom policy that you created for the RAM user, and then click Grant permissions. Then, click Close.
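To check, before granting permissions, which members a RAM user would be blocked from adding or removing, the following added example (not code from the DSC documentation or from Alibaba Cloud) evaluates the two Deny statements above against a member's resource directory path. It assumes that `*` in StringNotLike matches any characters including `/`, and that a missing acs:RDManageScope key simply does not match; it models only the Deny scoping, not the separate Allow grant the RAM user also needs.

```python
import fnmatch

# Constructed copies of the two Deny statements shown on this page; the
# rd-/r-/fd- identifiers are the page's own placeholders, not real IDs.
SCOPE_KEY = "acs:RDManageScope"
ACTIONS = ["yundun-sddp:AddMultiAccountMembers",
           "yundun-sddp:DeleteMultiAccountMembers"]

def deny_outside_scope(operator, scopes):
    """Build a Deny statement in the shape used by the two page policies."""
    return {"Version": "1", "Statement": [{
        "Effect": "Deny", "Action": ACTIONS, "Resource": "*",
        "Condition": {operator: {SCOPE_KEY: scopes}}}]}

POLICY_SINGLE_MEMBER = deny_outside_scope(
    "StringNotEquals", ["rd-BXXXXs/r-cXXXX6/163XXXXXX1494597"])
POLICY_FOLDER = deny_outside_scope(
    "StringNotLike", ["rd-BXXXXs/r-cXXXX6/fd-BrXXXXXXM4/*"])

def _like(value, pattern):
    # Assumption: '*' matches any run of characters, '/' included.
    return fnmatch.fnmatchcase(value, pattern)

def condition_holds(condition, context):
    """True when every operator/key pair in a Condition block is satisfied."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:  # simplification: a missing key never matches
                return False
            if operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "StringNotLike":
                ok = not any(_like(actual, p) for p in expected)
            else:
                raise ValueError("unsupported operator: " + operator)
            if not ok:
                return False
    return True

def is_denied(policy, action, member_scope):
    """True if a Deny statement matches this action for a member at this path."""
    context = {SCOPE_KEY: member_scope}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not any(_like(action, a) for a in stmt["Action"]):
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            return True
    return False
```

A member whose path matches the listed scope passes the Deny check; any other member, including one in a sibling folder or directly under the Root folder, is blocked, which is the "no permission" result described later on this page.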
Add members
Log on to the DSC console by using the delegated administrator account or a RAM user authorized by the delegated administrator account.
In the left-side navigation pane, click Multi-account Management.
The first time you use the multi-account management feature, click Enable Multi-account Management.
This operation updates the status of the trusted service DSC to Enabled.
Click Add Member.
In the Add Member dialog box, select the members that you want to manage and click OK.
If the members are outside the policy scope of the RAM user, the system returns a no permission message.
Step 3: Manage assets of members
After members are added in the DSC console, the delegated administrator account, or a RAM user authorized by it, can manage the data assets of the delegated administrator account itself and of those members. The following section describes how to manage the assets of members on the Asset Authorization page.
You cannot manage assets by using UIDs on specific pages, such as the Workbench page. The information in the DSC console prevails.
Log on to the DSC console.
In the left-side navigation pane, choose .
On the Authorization Management tab, manage assets within the Alibaba Cloud account by using UIDs.
Remove a member in DSC
If you no longer need to manage all assets of a member, you can remove the member. After you remove a member, all data of the member in the DSC console is automatically deleted.
Log on to the DSC console.
In the left-side navigation pane, choose .
Revoke the permissions from the member that you want to remove. For more information, see Revoke the permissions from an asset.
In the left-side navigation pane, click Multi-account Management.
On the Multi-account Management page, find the member that you want to remove and click Delete in the Actions column.
If you use a RAM user authorized by the delegated administrator account to remove members that are outside the policy scope of the RAM user, the system responds with a no permission message.
In the Delete message, click Delete.
FAQ
If DSC is purchased for multiple Alibaba Cloud accounts within my enterprise, how do I use one account for centralized management?
You cannot manage a member that has purchased DSC by using a different account. If you want to manage the resources of the member from a different account, you must unsubscribe from DSC for the member and use the management account or the delegated administrator account to add the member as a member of DSC.
For more information, see Refund policy.
What do I do if DSC cannot be activated for the current account?
If you receive a message indicating that the current account cannot be used to activate DSC when you access the DSC console, the account cannot activate DSC on its own because the management account or the delegated administrator account has already added it as a member to DSC. In this case, you can use one of the following methods to use DSC:
Method 1: Log on to the DSC console by using the management account or the delegated administrator account of the resource directory and use the multi-account management feature to add resources of the current account to DSC.
Method 2: Contact the management account or the delegated administrator account of the resource directory to delete the current account on the Multi-account Management page of the DSC console. Then, use your current account to purchase and use DSC.