All Products
Search
Document Center

Data Security Center:Use the multi-account management feature

Last Updated:Dec 16, 2024

Data Security Center (DSC) provides the multi-account management feature. You can use the feature to manage the data assets, data objects, and audit logs of multiple Alibaba Cloud accounts in a centralized manner. This way, you can perform data security management tasks, such as automatic identification of sensitive data, data classification, and monitoring and alerting of potential security threats, in an efficient manner. This topic describes how to use the multi-account management feature.

Terms

Before you use DSC to manage data assets of multiple Alibaba Cloud accounts in a centralized manner, you must understand the following terms.

Term

Description

Service

management account

A management account is an Alibaba Cloud account that has passed enterprise real-name verification. After you use this Alibaba Cloud account to enable a resource directory, the account becomes the management account of the resource directory. The management account is the super administrator of the resource directory. It has all administrative permissions on the resource directory and the folders and members in the resource directory. Each resource directory has only one management account.

To ensure the security of a management account, we recommend that you perform the following operations:

  • Use an Alibaba Cloud account that has no resources as a management account to enable a resource directory.

  • Create a Resource Access Management (RAM) user for the management account and attach the AliyunResourceDirectoryFullAccess policy to the RAM user. Then, use the RAM user to manage the resource directory.

Note

A management account does not belong to a resource directory and is not limited by the access control policies of a resource directory.

Resource Management

Root folder

The Root folder is the parent folder of all the other folders in a resource directory. These folders are organized in a hierarchy that starts from the Root folder.

folder

A folder is an organizational unit in a resource directory. A folder may indicate a branch, line of business, or project of an enterprise. Each folder can contain members and subfolders, which forms a tree-shaped organizational structure.

member

A member can be a resource account or cloud account. Members that are created in a resource directory are resource accounts. A resource account is used to isolate the resources of a project or application on Alibaba Cloud from other resources. You can invite existing Alibaba Cloud accounts to join your resource directory. After the owners of the Alibaba Cloud accounts accept the invitations, the accounts become the members of the resource directory. These members are cloud accounts.

delegated administrator account

The management account of a resource directory can be used to specify a member in the resource directory as the delegated administrator account of a trusted service, such as DSC. After a member is specified as the delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service. The information includes the structure and members of the resource directory. The member can also be used to manage business within the resource directory.

member of DSC

A delegated administrator account can configure a member in a resource directory as a member in DSC. Then, the delegated administrator account can access the cloud resources of the members in DSC.

DSC

Limits

Only the paid editions of DSC support the multi-account management feature.

Example

You can refer to the following process to build a multi-account system and use the delegated administrator account of DSC to manage data assets of multiple Alibaba Cloud accounts.

Scenario: Alibaba Cloud Accounts A, B, C, D, and E belong to the same resource directory. Alibaba Cloud Account A is the management account of the resource directory, and the other accounts are the members of the resource directory. Alibaba Cloud Account A specifies Alibaba Cloud Account B as the delegated administrator account of DSC. Alibaba Cloud Account B can manage the data assets of Alibaba Cloud Accounts B, C, D, and E in a centralized manner and use features of DSC, such as sensitive data protection, baseline check, data auditing, and data masking. You can use a RAM user of Alibaba Cloud Account B to manage the data assets of only authorized Alibaba Cloud Accounts D and E in DSC.

image

Usage notes

Category

Description

Multi-account verification

The Alibaba Cloud account that uses the multi-account management feature and the managed Alibaba Cloud accounts must be within the same resource directory and belong to the same enterprise entity. The enterprise entity must pass enterprise real-name verification.

DSC purchase

  • Purchase DSC by using a member specified as the delegated administrator account.

    You must use the management account to specify the member as the delegated administrator account of the trusted service DSC. Then, you can use the delegated administrator account to add the Alibaba Cloud accounts that you want to manage as members of DSC in the DSC console. Make sure that the Alibaba Cloud accounts that you want to manage have not purchased DCS. This delegated administrator account can manage the data assets of the members in a centralized manner.

    For more information, see Step 1: Configure the delegated administrator account of DSC and Step 2: Add members in DSC.

  • A member that has purchased DSC cannot be added as a member of DSC. Alibaba Cloud accounts that are added as members of DSC cannot purchase or use DSC.

Member management by level

A delegated administrator account can manage all members in a centralized manner and create RAM users to configure fine-grained permissions. A delegated administrator account can use RAM users to manage members by level based on the resource directory path of a folder in a resource directory.

For more information, see Authorize a RAM user to manage a member.

Feature usage

  • Data assets that are added to the members of DSC do not support the traffic collection (agent) mode.

  • AnalyticDB for PostgreSQL assets of members in DSC do not support the features provided by DSC.

Member fees

When the data identification and security audit features are enabled for assets of a member, the member pays the fees for reading data and storing audit logs in specific database services. For more information, see Additional fees for database assets connected to DSC.

Prerequisites

  • A resource directory is enabled. For more information, see Enable a resource directory.

  • A member is created in the resource directory, or an existing Alibaba Cloud account is invited to join the resource directory. For more information, see Create a member and Invite an Alibaba Cloud account to join a resource directory.

    If you want to use RAM users to manage members by resource folder, you must first create a resource folder and then create Alibaba Cloud accounts in the resource folder or invite Alibaba Cloud accounts to join the resource folder. For more information, see Create a folder.

  • A delegated administrator account has purchased a paid edition of DSC. For more information, see Purchase DSC.

Step 1: Configure the delegated administrator account of DSC

The management account of a resource directory can be used to specify a member in the resource directory as the delegated administrator account of a trusted service. After a member is specified as the delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service. The information includes the structure and members of the resource directory. The member can also be used to manage business within the resource directory.

  1. Log on to the Resource Management console by using the management account of the resource directory.

  2. In the left-side navigation pane, choose Resource Directory > Trusted Services.

  3. On the Trusted Services page, find Data Security Center (DSC) and click Manage in the Actions column.

  4. In the Delegated Administrator Accounts section of the page that appears, click Add.

  5. In the Delegated Administrator Accounts section, click Add. In the Add Delegated Administrator Account panel, specify the Alibaba Cloud account that is used to purchase DSC as the delegated administrator account and click OK.

    After the delegated administrator account is specified, you can use the multi-account management feature of DSC by using the delegated administrator account.

Step 2: Add members in DSC

Authorize a RAM user to manage specific members

Note

If you use the delegated administrator account to add members to DSC, skip this step.

  1. Log on to the RAM console by using the delegated administrator account and create a RAM user. For more information, see Create a RAM user.

  2. Create a custom policy to authorize the RAM user to manage specific members.

    1. In the left-side navigation pane of the RAM console, choose Permissions > Policies.

    2. On the Policies page, click Create Policy. On the Create Policy page, click the JSON tab.

    3. Enter the content of your custom policy and click Next to edit policy information.

      Copy the following policy content and configure the Condition element. The RAM user can add (yundun-sddp:AddMultiAccountMembers) or remove (yundun-sddp:DeleteMultiAccountMembers) a member on the Multi-account Management page in the DSC console.

      For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

      Authorize a RAM user to manage a specific member

      Set the acs:RDManageScope parameter of StringNotEquals in Condition to the resource directory path (RDPath) of the required folder in the resource directory on the Resource Directory page plus the UID of the member.

      image

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Deny",
                  "Action": [
                      "yundun-sddp:AddMultiAccountMembers",
                      "yundun-sddp:DeleteMultiAccountMembers"
                  ],
                  "Resource": "*",
                  "Condition": {
                      "StringNotEquals": {
                          "acs:RDManageScope": [
                              "rd-BXXXXs/r-cXXXX6/163XXXXXX1494597"
                          ]
                      }
                  }
              }
          ]
      }

      Authorize a RAM user to manage the members of a specific folder

      Set the acs:RDManageScope parameter of StringNotLike in Condition to the resource directory path (RDPath) of the required folder in the resource directory on the Resource Directory page plus /*.

      image

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Deny",
                  "Action": [
                      "yundun-sddp:AddMultiAccountMembers",
                      "yundun-sddp:DeleteMultiAccountMembers"
                  ],
                  "Resource": "*",
                  "Condition": {
                      "StringNotLike": {
                          "acs:RDManageScope": [
                              "rd-BXXXXs/r-cXXXX6/fd-BrXXXXXXM4/*"
                          ]
                      }
                  }
              }
          ]
      }
    4. Specify the Name and Description fields.

    5. Click OK.

    6. Click Grant Permission.

    7. On the Grant Permission page, search for and select the RAM user, select the custom policy that you created for the RAM user, and then click Grant permissions. Then, click Close.

Add members

  1. Log on to the DSC console by using the delegated administrator account or a RAM user authorized by the delegated administrator account.

  2. In the left-side navigation pane, click Multi-account Management.

  3. The first time you use the multi-account management feature, click Enable Multi-account Management.

    This operation updates the status of the trusted service DSC to Enabled.

  4. Click Add Member.

  5. In the Add Member dialog box, select the members that you want to manage and click OK.

    If the members are outside the policy scope of the RAM user, the system returns a no permission message.

Step 3: Manage assets of members

The delegated administrator account or a RAM user authorized by the delegated administrator account can manage the data assets of the account and the members of the account after the members are added in the DSC console. The following section describes how to manage the assets of members on the Asset Authorization page.

Note

You cannot manage assets by using UIDs on specific pages, such as the Overview page. The information in the DSC console prevails.

  1. Log on to the DSC console.

  2. In the left-side navigation pane, click Asset Center.

  3. On the Authorization Management tab, manage assets within the Alibaba Cloud account by using UIDs.

    image

Remove a member in DSC

If you no longer need to manage all assets of a member, you can remove the member. After you remove a member, all data of the member in the DSC console is automatically deleted.

  1. Log on to the DSC console.

  2. In the left-side navigation pane, click Asset Center.

  3. Revoke the permissions from the member that you want to remove. For more information, see Revoke the permissions from an asset.

  4. In the left-side navigation pane, choose System Settings > Multi-account Management.

  5. On the Multi-account Management page, find the member that you want to remove and click Delete in the Actions column.

    If you use a RAM user authorized by the delegated administrator account to remove members that are outside the policy scope of the RAM user, the system responds with a no permission message.

  6. In the Delete message, click Delete.

FAQ

If DSC is purchased for multiple Alibaba Cloud accounts within my enterprise, how do I use one account for centralized management?

You cannot manage a member that has purchased DSC by using a different account. If you want to manage the resources of the member from a different account, you must unsubscribe from DSC for the member and use the management account or the delegated administrator account to add the member as a member of DSC.

For more information, see Refund policy.

What do I do if DSC cannot be activated for the current account?

If you receive a message indicating that the current account cannot be used to activate DSC when you access the DSC console, you cannot use the account to use DSC because the management account or the delegated administrator account has added this account as a member to DSC. In this case, you can use one of the following methods to use DSC:

  • Method 1: Log on to the DSC console by using the management account or the delegated administrator account of the resource directory and use the multi-account management feature to add resources of the current account to DSC.

  • Method 2: Contact the management account or the delegated administrator account of the resource directory to delete the current account on the Multi-account Management page of the DSC console. Then, use your current account to purchase and use DSC.

References