This topic describes how to use CloudSSO and Resource Directory to manage the identities and permissions of multiple accounts of an enterprise in a centralized manner.
Scenarios
CloudSSO is integrated with Alibaba Cloud Resource Directory to provide centralized multi-account identity management and access control. A CloudSSO administrator can create multiple CloudSSO users and grant access permissions on a member in a resource directory to CloudSSO users in a centralized manner. CloudSSO provides a unified user portal. After a CloudSSO user logs on to the user portal, the CloudSSO user can view all members that the CloudSSO user can access in a resource directory and the access permissions on each member that are granted to the CloudSSO user. The CloudSSO user can access resources within a member based on the permissions.
This topic provides an example on how to grant access permissions on the members in a resource directory to a CloudSSO user. In this example, the management account of a resource directory is used to create a CloudSSO user named user1, and an access configuration is provisioned for the member Sandbox Account in a resource directory. The access configuration defines the access permissions only on virtual private cloud (VPC) resources. After the provisioning, user1 can access only VPC resources within Sandbox Account.
Prerequisites
A resource directory is enabled, and the required Alibaba Cloud accounts are added to the resource directory.
For more information, see Resource Directory overview and Enable a resource directory.
CloudSSO is activated, and a CloudSSO directory is created.
For more information, see What is CloudSSO?, Enable CloudSSO, and Create the CloudSSO directory.
The operations described in this topic are performed by using the management account of the resource directory, or by using a RAM user within that management account to which the AliyunCloudSSOFullAccess policy is attached. Prepare one of these identities before you start.
Procedure
1. Log on to the CloudSSO console.
2. Create a CloudSSO user.
   In this example, a CloudSSO user named user1 is created.
   For more information, see Create a user.
3. Enable username-password logon for the CloudSSO user.
   For more information, see Enable username-password logon.
4. Create an access configuration.
   In this example, the access configuration includes the AliyunVPCFullAccess system policy and no inline policies.
   For more information, see Overview and Create an access configuration.
5. Authorize the CloudSSO user to access resources within a member in the resource directory.
   In this example, user1 is authorized to access the VPC resources within the member Sandbox Account in the resource directory.
   For more information, see Assign access permissions on the accounts in a resource directory.
6. Access the resources within the member in the resource directory as the CloudSSO user.
   a. Log on to the CloudSSO user portal by using the username and password of the CloudSSO user. In this example, the username and password of user1 are used.
   b. Select the member Sandbox Account.
   c. Access the VPC resources within Sandbox Account as a RAM role.
   For more information, see Log on to the CloudSSO user portal and access Alibaba Cloud resources.
What to do next
You can refer to the preceding steps to create multiple CloudSSO users and access configurations and grant the CloudSSO users access permissions on multiple members in a resource directory. This way, you can manage the identities and permissions of multiple Alibaba Cloud accounts in a centralized manner. You can also synchronize users from an identity provider (IdP) and access resources within a member in a resource directory by using single sign-on (SSO). For more information, see What is CloudSSO?