Delegated administration for CloudSSO

更新时间:
复制 MD 格式

Delegate permission management to department-level administrators by designating a CloudSSO user as a permissions administrator scoped to a specific folder in your resource directory.

Prerequisites

Procedure

This example creates a CloudSSO user named Dept-1-Admin and designates them as the permissions administrator for a folder named Dept-1, with access scoped to member accounts in that folder.

  1. Create a CloudSSO user named Dept-1-Admin and set a logon password.

    Create a user.

  2. Create a permission set named Dept-1-Access.

    Create a permission set.

    Configure only an inline policy. The following examples show two levels of delegated permissions.

    Example 1

    Dept-1-Admin cannot manage (create, modify, or delete) other CloudSSO users but can assign permissions to them for specified member accounts.

    Grants read access to member accounts, CloudSSO users, and permission sets, plus scoped access assignment by RDPath.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:GetResourceDirectory",
            "resourcemanager:ListParents",
            "resourcemanager:ListChildrenForParent",
            "resourcemanager:ListAncestors",
            "resourcemanager:ListAccountRecordsForParent",
            "resourcemanager:GetFolder",
            "resourcemanager:GetAccount",
            "resourcemanager:ListAuthorizedFolders",
            "resourcemanager:ListAccounts",
            "resourcemanager:ListAccountsForParent",
            "resourcemanager:ListFoldersForParent"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ram:ListPolicies",
            "ram:GetPolicyVersion",
            "ram:ListPolicyVersions",
            "ram:GetPolicy"
          ],
          "Resource": "acs:ram:*:system:policy/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudsso:Get*",
            "cloudsso:List*",
            "cloudsso:CheckRDFeaturePrerequisite"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudsso:CreateAccessAssignment",
            "cloudsso:DeleteAccessAssignments",
            "cloudsso:DeprovisionAccessConfiguration",
            "cloudsso:ProvisionAccessConfiguration",
            "cloudsso:CreateUserProvisioning",
            "cloudsso:DeleteUserProvisioning",
            "cloudsso:GetUserProvisioningRdAccountStatistics",
            "cloudsso:GetUserProvisioning",
            "cloudsso:UpdateUserProvisioning",
            "cloudsso:GetUserProvisioningStatistics",
            "cloudsso:PreCheckForCreateUserProvisioning",
            "cloudsso:DeleteUserProvisioningEvent",
            "cloudsso:GetUserProvisioningEvent",
            "cloudsso:RetryUserProvisioningEvent",
            "cloudsso:GetTask",
            "cloudsso:GetTaskStatus"
          ],
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "acs:RDManageScope": [
                "rd-3G****/r-Wm****/fd-Ca2****Q3Y/*"
              ]
            }
          }
        }
      ]
    }

    Example 2

    Dept-1-Admin can manage (create, modify, or delete) other CloudSSO users and assign permissions to them for specified member accounts.

    Grants read access to member accounts, CloudSSO users, and permission sets; write access to manage CloudSSO users; and scoped access assignment by RDPath. Does not include permissions to manage user groups.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "resourcemanager:GetResourceDirectory",
            "resourcemanager:ListParents",
            "resourcemanager:ListChildrenForParent",
            "resourcemanager:ListAncestors",
            "resourcemanager:ListAccountRecordsForParent",
            "resourcemanager:GetFolder",
            "resourcemanager:GetAccount",
            "resourcemanager:ListAuthorizedFolders",
            "resourcemanager:ListAccounts",
            "resourcemanager:ListAccountsForParent",
            "resourcemanager:ListFoldersForParent"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ram:ListPolicies",
            "ram:GetPolicyVersion",
            "ram:ListPolicyVersions",
            "ram:GetPolicy"
          ],
          "Resource": "acs:ram:*:system:policy/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudsso:Get*",
            "cloudsso:List*",
            "cloudsso:CheckRDFeaturePrerequisite",
            "cloudsso:CreateUser",
            "cloudsso:UpdateUser",
            "cloudsso:UpdateUserStatus",
            "cloudsso:DeleteUser",
            "cloudsso:ResetUserPassword",
            "cloudsso:DeleteMFADeviceForUser",
            "cloudsso:UpdateUserMFAAuthenticationSettings"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudsso:CreateAccessAssignment",
            "cloudsso:DeleteAccessAssignments",
            "cloudsso:DeprovisionAccessConfiguration",
            "cloudsso:ProvisionAccessConfiguration",
            "cloudsso:CreateUserProvisioning",
            "cloudsso:DeleteUserProvisioning",
            "cloudsso:GetUserProvisioningRdAccountStatistics",
            "cloudsso:GetUserProvisioning",
            "cloudsso:UpdateUserProvisioning",
            "cloudsso:GetUserProvisioningStatistics",
            "cloudsso:PreCheckForCreateUserProvisioning",
            "cloudsso:DeleteUserProvisioningEvent",
            "cloudsso:GetUserProvisioningEvent",
            "cloudsso:RetryUserProvisioningEvent",
            "cloudsso:GetTask",
            "cloudsso:GetTaskStatus"
          ],
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "acs:RDManageScope": [
                "rd-3G****/r-Wm****/fd-Ca2****Q3Y/*"
              ]
            }
          }
        }
      ]
    }
    Important

    Use the acs:RDManageScope condition key to specify the RDPath of the folder or member account the delegated administrator can manage:

    • rd-******/r-*****/fd-*****/*: all member accounts in the folder.

    • rd-******/r-*****/fd-*****/123******: a specific member account.

    Find RDPath values in View basic folder information and View the information of a member account. In the examples above, rd-3G****/r-Wm****/fd-Ca2****Q3Y is the RDPath of the Dept-1 folder. Replace it with your target folder's RDPath.

  3. Assign permissions in the management account.

    Assign permissions for a member account.

    In the Assign permissions dialog box, go to Select users or groups, select the Users tab, and select Dept-1-Admin.

    Under Select permission sets, select Dept-1-Access.

Verification

  1. Log on to the CloudSSO user portal as Dept-1-Admin.

    Log on to the CloudSSO user portal and access Alibaba Cloud resources.

    In the CloudSSO user portal, click the Log on with RAM role tab. Verify that the management account is listed with the Dept-1-Access permission set active. Click Log on to access the account as a RAM role.

  2. Try to assign permissions to a member account in the Dept-1 folder.

    Delegation is successful if you can assign permissions to member accounts in the Dept-1 folder but not to accounts in other folders.

    Note

    The delegated administrator can view the entire resource directory tree but can assign permissions only to member accounts within their authorized folder.

    On the Multi-account permission management page, select DP1-user1 and click Assign permissions.