Delegated administration for CloudSSO
Delegate permission management to department-level administrators by designating a CloudSSO user as a permissions administrator scoped to a specific folder in your resource directory.
Prerequisites
-
A resource directory is enabled with a multi-account structure for your enterprise.
Enable a resource directory, Create a folder, Create a member account, and Invite an Alibaba Cloud account to join a resource directory.
-
CloudSSO is enabled with a directory created.
-
You are logged in as a CloudSSO administrator.
A CloudSSO administrator is the management account that enabled CloudSSO, or a RAM user in that account with AliyunCloudSSOFullAccess permission.
Procedure
This example creates a CloudSSO user named Dept-1-Admin and designates them as the permissions administrator for a folder named Dept-1, with access scoped to member accounts in that folder.
-
Create a CloudSSO user named
Dept-1-Adminand set a logon password. -
Create a permission set named
Dept-1-Access.Configure only an inline policy. The following examples show two levels of delegated permissions.
Example 1
Dept-1-Admincannot manage (create, modify, or delete) other CloudSSO users but can assign permissions to them for specified member accounts.Grants read access to member accounts, CloudSSO users, and permission sets, plus scoped access assignment by RDPath.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "resourcemanager:GetResourceDirectory", "resourcemanager:ListParents", "resourcemanager:ListChildrenForParent", "resourcemanager:ListAncestors", "resourcemanager:ListAccountRecordsForParent", "resourcemanager:GetFolder", "resourcemanager:GetAccount", "resourcemanager:ListAuthorizedFolders", "resourcemanager:ListAccounts", "resourcemanager:ListAccountsForParent", "resourcemanager:ListFoldersForParent" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ram:ListPolicies", "ram:GetPolicyVersion", "ram:ListPolicyVersions", "ram:GetPolicy" ], "Resource": "acs:ram:*:system:policy/*" }, { "Effect": "Allow", "Action": [ "cloudsso:Get*", "cloudsso:List*", "cloudsso:CheckRDFeaturePrerequisite" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudsso:CreateAccessAssignment", "cloudsso:DeleteAccessAssignments", "cloudsso:DeprovisionAccessConfiguration", "cloudsso:ProvisionAccessConfiguration", "cloudsso:CreateUserProvisioning", "cloudsso:DeleteUserProvisioning", "cloudsso:GetUserProvisioningRdAccountStatistics", "cloudsso:GetUserProvisioning", "cloudsso:UpdateUserProvisioning", "cloudsso:GetUserProvisioningStatistics", "cloudsso:PreCheckForCreateUserProvisioning", "cloudsso:DeleteUserProvisioningEvent", "cloudsso:GetUserProvisioningEvent", "cloudsso:RetryUserProvisioningEvent", "cloudsso:GetTask", "cloudsso:GetTaskStatus" ], "Resource": "*", "Condition": { "StringLike": { "acs:RDManageScope": [ "rd-3G****/r-Wm****/fd-Ca2****Q3Y/*" ] } } } ] }Example 2
Dept-1-Admincan manage (create, modify, or delete) other CloudSSO users and assign permissions to them for specified member accounts.Grants read access to member accounts, CloudSSO users, and permission sets; write access to manage CloudSSO users; and scoped access assignment by RDPath. Does not include permissions to manage user groups.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "resourcemanager:GetResourceDirectory", "resourcemanager:ListParents", "resourcemanager:ListChildrenForParent", "resourcemanager:ListAncestors", "resourcemanager:ListAccountRecordsForParent", "resourcemanager:GetFolder", "resourcemanager:GetAccount", "resourcemanager:ListAuthorizedFolders", "resourcemanager:ListAccounts", "resourcemanager:ListAccountsForParent", "resourcemanager:ListFoldersForParent" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ram:ListPolicies", "ram:GetPolicyVersion", "ram:ListPolicyVersions", "ram:GetPolicy" ], "Resource": "acs:ram:*:system:policy/*" }, { "Effect": "Allow", "Action": [ "cloudsso:Get*", "cloudsso:List*", "cloudsso:CheckRDFeaturePrerequisite", "cloudsso:CreateUser", "cloudsso:UpdateUser", "cloudsso:UpdateUserStatus", "cloudsso:DeleteUser", "cloudsso:ResetUserPassword", "cloudsso:DeleteMFADeviceForUser", "cloudsso:UpdateUserMFAAuthenticationSettings" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudsso:CreateAccessAssignment", "cloudsso:DeleteAccessAssignments", "cloudsso:DeprovisionAccessConfiguration", "cloudsso:ProvisionAccessConfiguration", "cloudsso:CreateUserProvisioning", "cloudsso:DeleteUserProvisioning", "cloudsso:GetUserProvisioningRdAccountStatistics", "cloudsso:GetUserProvisioning", "cloudsso:UpdateUserProvisioning", "cloudsso:GetUserProvisioningStatistics", "cloudsso:PreCheckForCreateUserProvisioning", "cloudsso:DeleteUserProvisioningEvent", "cloudsso:GetUserProvisioningEvent", "cloudsso:RetryUserProvisioningEvent", "cloudsso:GetTask", "cloudsso:GetTaskStatus" ], "Resource": "*", "Condition": { "StringLike": { "acs:RDManageScope": [ "rd-3G****/r-Wm****/fd-Ca2****Q3Y/*" ] } } } ] }ImportantUse the
acs:RDManageScopecondition key to specify the RDPath of the folder or member account the delegated administrator can manage:-
rd-******/r-*****/fd-*****/*: all member accounts in the folder. -
rd-******/r-*****/fd-*****/123******: a specific member account.
Find RDPath values in View basic folder information and View the information of a member account. In the examples above,
rd-3G****/r-Wm****/fd-Ca2****Q3Yis the RDPath of theDept-1folder. Replace it with your target folder's RDPath. -
-
Assign permissions in the management account.
Assign permissions for a member account.
In the Assign permissions dialog box, go to Select users or groups, select the Users tab, and select
Dept-1-Admin.Under Select permission sets, select Dept-1-Access.
Verification
-
Log on to the CloudSSO user portal as
Dept-1-Admin.Log on to the CloudSSO user portal and access Alibaba Cloud resources.
In the CloudSSO user portal, click the Log on with RAM role tab. Verify that the management account is listed with the Dept-1-Access permission set active. Click Log on to access the account as a RAM role.
-
Try to assign permissions to a member account in the
Dept-1folder.Delegation is successful if you can assign permissions to member accounts in the
Dept-1folder but not to accounts in other folders.NoteThe delegated administrator can view the entire resource directory tree but can assign permissions only to member accounts within their authorized folder.
On the Multi-account permission management page, select DP1-user1 and click Assign permissions.