After you log on to the Resource Management console as the root user of the management account of your resource directory, you may be unable to perform the following operations on the Resource Directory page: log on to the Alibaba Cloud Management Console by using a member, delete a member, switch the type of a member, and bind a mobile phone number to a member for security purposes. This topic describes the causes and solutions for the issues.
Problem description
After you log on to the Resource Management console as the root user of the management account of your resource directory, the Logon Account, Delete, Switch to Cloud Account, Switch to Resource Account, and Bind Mobile Phone Number buttons in the Actions column are dimmed, as shown in the following figure.
Causes
In the best practices of Alibaba Cloud, the principle of least privilege is implemented to ensure security. A root user is an Alibaba Cloud account identity. By default, a root user has all administrative permissions on resources within the related Alibaba Cloud account. Using the root user of an account to perform operations may cause extremely high security risks and does not conform to security requirements. In a resource directory, only cloud accounts have root users. To ensure security, we recommend that you disable root users for all cloud accounts in your resource directory and use RAM users to perform related operations. You can grant permissions to RAM users based on your business requirements.
Only RAM users with required permissions can be used to perform key operations in a resource directory due to the following reasons:
RAM users can be granted permissions based on the principle of least privilege.
Security risks caused by misuse of the root user of an account can be prevented.
The operations performed by using RAM users can be recorded by the system, which facilitates auditing and tracking.
Solutions
You can create a RAM user for the management account of your resource directory, grant required permissions to the RAM user, and use the RAM user to perform operations.
Use the root user of the management account to create a RAM user.
Use the root user of the management account to log on to the RAM console. In the left-side navigation pane, choose . On the Users page, click Create User. To ensure account security, we recommend that you select one of Console Access and OpenAPI Access for Access Mode based on your business requirements. This helps separate RAM users for individuals from RAM users for programs. For more information, see Create a RAM user.
Use the root user of the management account to grant permissions to the RAM user.
On the Users page, find the RAM user and click Add Permissions in the Actions column. In the Grant Permission panel, attach the required policy to the RAM user. For more information, see Grant permissions to a RAM user.
The following table lists the policies that are required in different scenarios.
Scenario
Policy
Unable to log on to the Alibaba Cloud Management Console by using a member
AliyunResourceDirectoryFullAccess, or custom policy that contains the minimum required operation permissions
AliyunSTSAssumeRoleAccess
Unable to delete a member
AliyunResourceDirectoryFullAccess, or custom policy that contains the minimum required operation permissions
NoteIf the member deletion feature is disabled, the Delete button is also dimmed. Therefore, you need to enable the member deletion feature. For more information, see Enable the member deletion feature.
Unable to switch the type of a member
AliyunResourceDirectoryFullAccess, or custom policy that contains the minimum required operation permissions
Unable to bind a mobile phone number to a member for security purposes
AliyunResourceDirectoryFullAccess, or custom policy that contains the minimum required operation permissions
NoteThe AliyunResourceDirectoryFullAccess policy defines the highest permissions on resource directories. If you want to perform only specific operations as the RAM user, we recommend that you grant the RAM user only the permissions that are required to perform the operations. For information about the permissions, see Resource Directory.
Log on to the Alibaba Cloud Management Console as the RAM user.
Log on to the Alibaba Cloud Management Console as the RAM user and enter the username and password of the RAM user. Then, log on to the Resource Management console and perform operations based on your business requirements.