
Resource Directory overview

Last Updated: Sep 27, 2024

The Resource Directory service allows you to manage the relationships among a number of accounts and resources.

Scenarios

Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your enterprise into this structure to form a hierarchy for the resources of your enterprise. This way, you can manage your accounts and resources in a centralized manner. Resource Directory can meet your management requirements in aspects such as network deployment, settlement, user permissions, security compliance, and log auditing. The following descriptions provide the use scenarios of Resource Directory:

  • Business environment-based creation of organizational structures

    If your enterprise has various branches, departments, or projects, you can use Resource Directory to build an organizational structure in the cloud based on your business environment.

  • Centralized management of all Alibaba Cloud accounts and resources

    If your enterprise has multiple Alibaba Cloud accounts, you can enable a resource directory and add the accounts to the resource directory. This way, you can manage the accounts and the resources within the accounts in a centralized manner.

  • Centralized management of bills and invoices

    You can create a member in your resource directory and use the member for the settlement of all bills and invoices.

  • Implementation of permission and compliance requirements

    You can configure different resource access rules for different accounts and directory structures by using the policies of Resource Access Management (RAM) together with the access control policies of Resource Directory. This establishes an authorization and management channel between personnel and resources and helps keep the resources secure.

  • Integration with a variety of enterprise-level Alibaba Cloud applications

    Resource Directory is integrated with the Alibaba Cloud finance, compliance auditing, cloud security, and network platforms. This way, you can use the same organizational structure to manage all your enterprise accounts and resources.

Terms

management account

A management account is an Alibaba Cloud account that has passed enterprise verification. After you use this Alibaba Cloud account to enable a resource directory, the account becomes the management account of the resource directory. The management account is the super administrator of the resource directory. It has all administrative permissions on the resource directory and the folders and members in the resource directory. Each resource directory has only one management account.

To ensure the security of a management account, we recommend that you perform the following operations:

  • Use an Alibaba Cloud account that has no resources as a management account to enable a resource directory.

  • Create a RAM user for the management account and attach the AliyunResourceDirectoryFullAccess policy to the RAM user. Then, use the RAM user to manage the resource directory.

Note

A management account does not belong to a resource directory and is not limited by the access control policies of a resource directory.

Root folder

The Root folder is the parent folder of all the other folders in a resource directory. These folders are organized in a hierarchy that starts from the Root folder.

folder

A folder is an organizational unit in a resource directory. A folder may represent a branch, line of business, or project of an enterprise. Each folder can contain members and subfolders, forming a tree-shaped organizational structure.

member

A member is either a resource account or a cloud account. A member that is created in a resource directory is a resource account, which is used to isolate the resources of a project or application on Alibaba Cloud from other resources. You can also invite existing Alibaba Cloud accounts to join your resource directory. After the owners of those accounts accept the invitations, the accounts become members of the resource directory; these members are cloud accounts.

  • Resource account

    A member that is created in a resource directory is a resource account. The root user of an Alibaba Cloud account is the administrator of the account. Resource accounts have their root users disabled, so they provide higher security. For more information about how to create a resource account, see Create a member.

  • Cloud account

    A member that is invited to join a resource directory is a cloud account. Cloud accounts have root users. For more information about how to invite an Alibaba Cloud account to join a resource directory, see Invite an Alibaba Cloud account to join a resource directory.

RDPath

An RDPath indicates the location of a resource entity (folder or member) in a resource directory. The RDPath of a resource entity consists of, in order, the ID of the resource directory to which the entity belongs, the IDs of all the parent folders of the entity, and the ID of the entity itself. An RDPath is in one of the following formats:

  • RDPath of a folder: <ID of the resource directory to which the folder belongs>/<ID of the Root folder in the resource directory>/.../<ID of the folder>.

  • RDPath of a member: <ID of the resource directory to which the member belongs>/<ID of the Root folder in the resource directory>/.../<ID of the member>. For example, the RDPath of the member 181761095690**** is rd-r4****/r-oG****/fd-RIErN0****/fd-XVxh6D****/181761095690****.

For more information about how to view the RDPath of a folder or member, see View the basic information of a folder or View the detailed information of a member.
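The RDPath format above is simple enough to validate programmatically, which is useful when a script receives paths from audit exports or API responses and must not mistake a member for a folder. The following parser is an added example, not code from Alibaba Cloud or this documentation. It infers the shape of the IDs from the masked example on this page (rd-r4****, r-oG****, fd-RIErN0****, 181761095690****); the exact character sets and lengths are assumptions, and the "*" is accepted only so that masked IDs copied from documentation still parse. It also enforces the "Number of folder levels" limit of 5 (Root excluded) stated in the Limits section.

```python
import re
from dataclasses import dataclass
from typing import List

# ID shapes are inferred from the masked IDs shown on this page; the character
# classes and lengths are assumptions, not a documented specification.
RD_ID = re.compile(r"^rd-[A-Za-z0-9*]+$")          # resource directory
ROOT_FOLDER_ID = re.compile(r"^r-[A-Za-z0-9*]+$")  # Root folder
FOLDER_ID = re.compile(r"^fd-[A-Za-z0-9*]+$")      # ordinary folder
ACCOUNT_ID = re.compile(r"^[0-9*]{16}$")           # 16-digit Alibaba Cloud account ID

MAX_FOLDER_LEVELS = 5  # "Number of folder levels" limit on this page, Root excluded


@dataclass
class RDPathInfo:
    resource_directory_id: str
    root_folder_id: str
    parent_folder_ids: List[str]  # folders between Root and the entity, top-down
    entity_id: str
    entity_type: str              # "folder" or "member"

    @property
    def folder_levels(self) -> int:
        """Folder levels below Root that the entity occupies (Root itself is 0)."""
        own = 1 if self.entity_type == "folder" and self.entity_id != self.root_folder_id else 0
        return len(self.parent_folder_ids) + own

    def ancestor_rdpaths(self) -> List[str]:
        """RDPaths of every folder above the entity, from Root downward."""
        if self.entity_id == self.root_folder_id:
            return []
        path = f"{self.resource_directory_id}/{self.root_folder_id}"
        paths = [path]
        for folder_id in self.parent_folder_ids:
            path = f"{path}/{folder_id}"
            paths.append(path)
        return paths


def parse_rdpath(rdpath: str) -> RDPathInfo:
    """Split an RDPath into its components and classify the entity it names."""
    parts = rdpath.strip().split("/")
    if len(parts) < 2 or any(p == "" for p in parts):
        raise ValueError(f"RDPath needs at least <rd id>/<root folder id>: {rdpath!r}")
    rd_id, root_id, *rest = parts
    if not RD_ID.match(rd_id):
        raise ValueError(f"first segment is not a resource directory ID: {rd_id!r}")
    if not ROOT_FOLDER_ID.match(root_id):
        raise ValueError(f"second segment is not a Root folder ID: {root_id!r}")
    if not rest:
        # The path names the Root folder itself.
        return RDPathInfo(rd_id, root_id, [], root_id, "folder")

    *middle, last = rest
    bad = [m for m in middle if not FOLDER_ID.match(m)]
    if bad:
        raise ValueError(f"intermediate segments must be folder IDs: {bad}")

    if FOLDER_ID.match(last):
        entity_type, levels = "folder", len(middle) + 1
    elif ACCOUNT_ID.match(last):
        entity_type, levels = "member", len(middle)
    else:
        raise ValueError(f"last segment is neither a folder ID nor a member ID: {last!r}")
    if levels > MAX_FOLDER_LEVELS:
        raise ValueError(f"{levels} folder levels exceed the limit of {MAX_FOLDER_LEVELS}")
    return RDPathInfo(rd_id, root_id, middle, last, entity_type)


def is_valid_rdpath(rdpath: str) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        parse_rdpath(rdpath)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The member RDPath quoted on this page.
    info = parse_rdpath("rd-r4****/r-oG****/fd-RIErN0****/fd-XVxh6D****/181761095690****")
    print(info.entity_type, info.entity_id, info.folder_levels)
    print(info.ancestor_rdpaths())
```

The `ancestor_rdpaths()` helper returns the RDPath of each folder above the entity, which is the list you would walk when checking which folder an account sits under or which folders' settings affect it.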

access control policy

An access control policy enables you to manage the permission boundaries of the folders or members in a resource directory in a centralized manner. Access control policies are enforced through the resource directory. You can use them to define rules that apply broadly or rules dedicated to specific folders or members. Access control policies do not grant permissions; they only define permission boundaries. Before you use an account that is a member of your resource directory to access resources, you must still grant the required permissions to the account by using the RAM service.

For more information about access control policies, see Overview.
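The distinction the paragraph above draws, that an access control policy bounds what a member may do while only RAM grants permissions, is easiest to see as an evaluation rule: a request succeeds only if a RAM policy allows it and no access control policy denies it. The evaluator below is an added example written for this page, not Alibaba Cloud's policy engine. The policy documents use the Version/Statement/Effect/Action/Resource shape of RAM policies, but the evaluation is a deliberately simplified model: no Condition elements, case-sensitive matching, and the assumption that the boundary must contain at least one matching Allow (an allow-all control policy, constructed here as ALLOW_ALL_BOUNDARY, plays that role). The `is_management_account` flag models the note earlier on this page that the management account is not limited by access control policies. The policy names and the audit-log guardrail are constructed sample data.

```python
from collections import namedtuple
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

Decision = namedtuple("Decision", ["allowed", "reason"])

# Constructed sample policies (assumed shapes, not Alibaba Cloud system policies).
ALLOW_ALL_BOUNDARY = {  # boundary that permits everything; grants nothing by itself
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
PROTECT_AUDIT_TRAIL = {  # guardrail: nobody in the boundary may switch off audit logging
    "Version": "1",
    "Statement": [{"Effect": "Deny",
                   "Action": ["actiontrail:DeleteTrail", "actiontrail:StopLogging"],
                   "Resource": "*"}],
}
OPERATOR_RAM_POLICY = {  # RAM grant attached to the operator identity in a member
    "Version": "1",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ecs:Describe*", "actiontrail:*"],
                   "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt: Dict, action: str, resource: str) -> bool:
    """True if the statement's Action and Resource patterns cover the request."""
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))))


def evaluate(policy: Dict, action: str, resource: str) -> Optional[str]:
    """Return "Deny" if any matching statement denies, "Allow" if one allows, else None."""
    verdict = None
    for stmt in policy["Statement"]:
        if not _matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        verdict = "Allow"
    return verdict


def effective_decision(control_policies: List[Dict], ram_policies: List[Dict],
                       action: str, resource: str,
                       is_management_account: bool = False) -> Decision:
    """Combine the access control boundary with RAM grants for one request."""
    if not is_management_account:  # the management account sits outside the boundary
        boundary = [evaluate(p, action, resource) for p in control_policies]
        if "Deny" in boundary:
            return Decision(False, "denied by an access control policy")
        if "Allow" not in boundary:
            return Decision(False, "no access control policy allows the action")
    grants = [evaluate(p, action, resource) for p in ram_policies]
    if "Deny" in grants:
        return Decision(False, "explicitly denied by a RAM policy")
    if "Allow" not in grants:
        return Decision(False, "inside the boundary, but no RAM policy grants the action")
    return Decision(True, "granted by RAM and inside the access control boundary")


if __name__ == "__main__":
    cases = [
        ("boundary only, no RAM grant", [ALLOW_ALL_BOUNDARY], [], "ecs:DescribeInstances"),
        ("RAM grant inside boundary", [ALLOW_ALL_BOUNDARY], [OPERATOR_RAM_POLICY], "ecs:DescribeInstances"),
        ("RAM grant blocked by guardrail", [ALLOW_ALL_BOUNDARY, PROTECT_AUDIT_TRAIL],
         [OPERATOR_RAM_POLICY], "actiontrail:DeleteTrail"),
    ]
    for label, controls, grants, action in cases:
        print(f"{label}: {effective_decision(controls, grants, action, '*')}")
```

The first case is the one the paragraph warns about: an allow-all boundary with no RAM grant yields a denial, because the boundary never grants. The third case shows the defensive use of a boundary: a member's operator may hold a broad `actiontrail:*` grant in RAM, yet the guardrail attached through the resource directory still blocks deleting the trail.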

trusted service

A trusted service refers to an Alibaba Cloud service that is integrated with the Resource Directory service. After an Alibaba Cloud service is integrated with Resource Directory, the service can access the information of the related resource directory, such as the members and folders in the resource directory. You can use the management account of your resource directory or a delegated administrator account of a trusted service to manage your business in the trusted service based on your resource directory. This simplifies the unified management of cloud services activated by your enterprise. For example, after Cloud Config is integrated with Resource Directory, you can use the management account of your resource directory to view related information in Cloud Config. The information includes the resources of all members in the resource directory, as well as the configuration history and compliance statuses of the resources. You can also monitor the compliance of resource configurations in Cloud Config.

For more information about trusted services, see Overview.

delegated administrator account

The management account of a resource directory can be used to specify a member in the resource directory as a delegated administrator account of a trusted service. After a member is specified as a delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service, including the structure and members of the resource directory, and to manage business within the resource directory. Delegated administrator accounts allow you to separate organization management tasks from business management tasks: the management account performs the organization management tasks of the resource directory, and delegated administrator accounts perform the business management tasks of the related trusted services. This separation of duties helps meet security requirements.

For information about how to add or remove a delegated administrator account, see Manage a delegated administrator account.

Procedure

  1. Log on to the Resource Management console by using an account that can be used as a management account.

  2. Enable a resource directory.

    For more information, see Enable a resource directory.

  3. Create folders to build an organizational structure for your enterprise.

    For more information, see Create a folder.

  4. Create members in the resource directory or invite existing Alibaba Cloud accounts to join the resource directory. Then, move all members to the folders that you created based on your business requirements.

    For more information, see Create a member, Invite an Alibaba Cloud account to join a resource directory, and Move a member.

Limits

| Item | Upper limit | Adjustable | Remarks |
| --- | --- | --- | --- |
| Number of resource directories that you can create by using an Alibaba Cloud account | 1 | N/A | The members of a resource directory cannot be used to create resource directories. |
| Number of Root folders in a resource directory | 1 | N/A | None. |
| Number of folders in a resource directory | 100 | Apply for a quota. | The Root folder is not included. |
| Number of folder levels | 5 | N/A | The Root folder is not included. |
| Number of members in a resource directory | 20 | Apply for a quota. | None. |
| Number of valid invitations per day | 20 | Apply for a quota. | Accepted invitations are not included. |
| Validity period of an invitation | 14 days | N/A | None. |
| Number of verification codes that can be sent per day when you bind a mobile phone number to a member for security purposes | 100 | N/A | None. |
| Number of custom access control policies that can be created in a resource directory | 1,500 | N/A | None. |
| Number of custom access control policies that can be attached to each folder or member | 10 | Apply for a quota. | None. |
| Number of characters that each custom access control policy can contain | 4,096 | N/A | None. |
| Number of members that can be deleted every 30 calendar days | A period of 30 calendar days starts from the time when the first member deletion task is initiated. Upper limit per period: fewer than 100 members, up to 10 members; 100 to 10,000 members, up to 10% of members; more than 10,000 members, up to 1,000 members. | N/A | None. |
| Number of contacts in a resource directory | 10 | Apply for a quota. | None. |