The Resource Directory service allows you to manage the relationships among a number of accounts and resources.
Scenarios
Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your enterprise into this structure to form a hierarchy for the resources of your enterprise. This way, you can manage your accounts and resources in a centralized manner. Resource Directory can meet your management requirements in aspects such as network deployment, settlement, user permissions, security compliance, and log auditing. The following descriptions provide the use scenarios of Resource Directory:
Business environment-based creation of organizational structures
If your enterprise has various branches, departments, or projects, you can use Resource Directory to build an organizational structure in the cloud based on your business environment.
Centralized management of all Alibaba Cloud accounts and resources
If your enterprise has multiple Alibaba Cloud accounts, you can enable a resource directory and add the accounts to the resource directory. This way, you can manage the accounts and the resources within the accounts in a centralized manner.
Centralized management of bills and invoices
You can create a member in your resource directory and use the member for the settlement of all bills and invoices.
Implementation of permission and compliance requirements
You can configure different resource access rules for different accounts and directory structures by using the policies of Resource Access Management (RAM) and the access control policies of Resource Directory. This enables the authorization and management channel between personnel and resources and ensures the security of the resources.
Integration with a variety of enterprise-level Alibaba Cloud applications
Resource Directory is integrated with the Alibaba Cloud finance, compliance auditing, cloud security, and network platforms. This way, you can use the same organizational structure to manage all your enterprise accounts and resources.
Terms
Term | Description |
management account | A management account is an Alibaba Cloud account that has passed enterprise verification. After you use this Alibaba Cloud account to enable a resource directory, the account becomes the management account of the resource directory. The management account is the super administrator of the resource directory. It has all administrative permissions on the resource directory and the folders and members in the resource directory. Each resource directory has only one management account. To ensure the security of a management account, we recommend that you perform the following operations:
Note A management account does not belong to a resource directory and is not limited by the access control policies of a resource directory. |
Root folder | The Root folder is the parent folder of all the other folders in a resource directory. These folders are organized in a hierarchy that starts from the Root folder. |
folder | A folder is an organizational unit in a resource directory. A folder may indicate a branch, line of business, or project of an enterprise. Each folder can contain members and subfolders, which forms a tree-shaped organizational structure. |
member | A member can be a resource account or cloud account. Members that are created in a resource directory are resource accounts. A resource account is used to isolate the resources of a project or application on Alibaba Cloud from other resources. You can invite existing Alibaba Cloud accounts to join your resource directory. After the owners of the Alibaba Cloud accounts accept the invitations, the accounts become the members of the resource directory. These members are cloud accounts.
|
RDPath | An RDPath indicates the location of a resource entity (folder or member) in a resource directory. The RDPath of a resource entity consists of the ID of the resource entity, IDs of all the parent folders of the resource entity, and ID of the resource directory to which the resource entity belongs. An RDPath is in one of the following formats:
For more information about how to view the RDPath of a folder or member, see View the basic information of a folder or View the detailed information of a member. |
access control policy | An access control policy enables you to manage the permission boundaries of the folders or members in a resource directory in a centralized manner. Access control policies are implemented based on the resource directory. You can use access control policies to develop common or dedicated rules for access control. Access control policies do not grant permissions but only define permission boundaries. Before you use an account that is a member of your resource directory to access resources, you must grant the required permissions to the account by using the RAM service. For more information about access control policies, see Overview. |
trusted service | A trusted service refers to an Alibaba Cloud service that is integrated with the Resource Directory service. After an Alibaba Cloud service is integrated with Resource Directory, the service can access the information of the related resource directory, such as the members and folders in the resource directory. You can use the management account of your resource directory or a delegated administrator account of a trusted service to manage your business in the trusted service based on your resource directory. This simplifies the unified management of cloud services activated by your enterprise. For example, after Cloud Config is integrated with Resource Directory, you can use the management account of your resource directory to view related information in Cloud Config. The information includes the resources of all members in the resource directory, as well as the configuration history and compliance statuses of the resources. You can also monitor the compliance of resource configurations in Cloud Config. For more information about trusted services, see Overview. |
delegated administrator account | The management account of a resource directory can be used to specify a member in the resource directory as a delegated administrator account of a trusted service. After a member is specified as a delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service. The information includes the structure and members of the resource directory. The member can also be used to manage business within the resource directory. Delegated administrator accounts allow you to separate organization management tasks from business management tasks. The management account of a resource directory is used to perform the organization management tasks of the resource directory. Delegated administrator accounts are used to perform the business management tasks of the related trusted services. This meets security-related requirements. For information about how to add or remove a delegated administrator account, see Manage a delegated administrator account. |
Procedure
Log on to the Resource Management console by using an account that can be used as a management account.
Enable a resource directory.
For more information, see Enable a resource directory.
Create folders to build an organizational structure for your enterprise.
For more information, see Create a folder.
Create members in the resource directory or invite existing Alibaba Cloud accounts to join the resource directory. Then, move all members to the folders that you created based on your business requirements.
For more information, see Create a member, Invite an Alibaba Cloud account to join a resource directory, and Move a member.
Limits
Item | Upper limit | Adjustable | Remarks |
Number of resource directories that you can create by using an Alibaba Cloud account | 1 | N/A | The members of a resource directory cannot be used to create resource directories. |
Number of Root folders in a resource directory | 1 | N/A | None. |
Number of folders in a resource directory | 100 | The Root folder is not included. | |
Number of folder levels | 5 | N/A | The Root folder is not included. |
Number of members in a resource directory | 20 | None. | |
Number of valid invitations per day | 20 | Accepted invitations are not included. | |
Validity period of an invitation | 14 days | N/A | None. |
Number of verification codes that can be sent per day when you bind a mobile phone number to a member for security purposes | 100 | N/A | None. |
Number of custom access control policies that can be created in a resource directory | 1,500 | N/A | None. |
Number of custom access control policies that can be attached to each folder or member | 10 | None. | |
Number of characters that each custom access control policy can contain | 4,096 | N/A | None. |
Number of members that can be deleted every 30 calendar days | A period of 30 calendar days starts from the time when the first member deletion task is initiated. The following descriptions provide the upper limits for the number of members that can be deleted in each period:
| N/A | None. |
Number of contacts in a resource directory | 10 | None. |