Overview

CloudSSO lets you control which users and groups can access accounts in your resource directory based on the structure of your resource directory. You can assign access permissions or configurations to users or groups at the account level, including the enterprise management account and members in your resource directory.

Assignment methods

A CloudSSO administrator can assign access permissions using either of the following methods:

  • Assign access permissions on a single account in your resource directory

    On the Multi-account Permission Configuration page of the CloudSSO console, click an account name to open the account details page. On the Access Assignments tab, click Configure Access Assignments. In the panel that appears, select the CloudSSO identities and access configurations for the account, then complete the assignment. CloudSSO identities include users and groups.

    Existing access permissions are also visible here — modify or remove them as needed.

  • Assign access permissions on multiple accounts in your resource directory at a time

    To assign identities and access configurations to multiple accounts at once, go to the Multi-account Permission Configuration page and complete the following steps:

    1. In the Resource Directory navigation tree, select the accounts to configure.

    2. Select one or more CloudSSO identities.

    3. Select one or more access configurations.

    4. Click Start Configuration. CloudSSO automatically completes the assignment.

    If a permission has already been assigned to a selected identity, reassigning it fails silently — only new permissions are applied.

How access assignment works

Each time you add or remove access permissions, CloudSSO creates an asynchronous task for every triplet — a combination of a CloudSSO identity, an account in your resource directory, and an access configuration. For each triplet, CloudSSO performs the following operations:

  • When adding permissions: if the access configuration has not yet been provisioned for the target account, CloudSSO provisions it first. For more information, see Assign access permissions on the accounts in a resource directory.

  • When removing permissions: if the last identity using an access configuration is removed, you can optionally de-provision that access configuration from the account.

  • After provisioning or de-provisioning completes, CloudSSO updates the account's access permissions for the affected users or groups.

View assignment results in the Configure Access Assignments panel, or check the status of each task on the Historical Tasks page.
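The triplet expansion described in this section can be modeled offline to review a bulk assignment before you click Start Configuration. The following sketch is an added example, not CloudSSO code or its API; the function names, identity labels, account names and the access configuration name are all constructed placeholders.

```python
from itertools import product

def plan_assignment(existing, provisioned, identities, accounts, configs):
    """Expand a bulk request into (identity, account, config) triplets.

    existing:    set of triplets already assigned
    provisioned: set of (account, config) pairs already provisioned
    Returns (new, skipped, to_provision).
    """
    new, skipped, to_provision = [], [], []
    for triplet in product(identities, accounts, configs):
        if triplet in existing:
            skipped.append(triplet)      # already assigned: nothing new applied
            continue
        new.append(triplet)
        pair = triplet[1:]               # (account, config)
        if pair not in provisioned and pair not in to_provision:
            to_provision.append(pair)    # provisioned once, before first use
    return new, skipped, to_provision

def plan_removal(existing, triplet):
    """Remove one triplet; return the (account, config) pair if it is now unused."""
    remaining = set(existing) - {triplet}
    pair = triplet[1:]
    still_used = any(t[1:] == pair for t in remaining)
    return remaining, (None if still_used else pair)

# Constructed sample state (placeholder names, not real accounts).
EXISTING = {("group:ops", "acct-prod", "ReadOnly")}
PROVISIONED = {("acct-prod", "ReadOnly")}

if __name__ == "__main__":
    new, skipped, to_provision = plan_assignment(
        EXISTING, PROVISIONED,
        identities=["user:alice", "group:ops"],
        accounts=["acct-prod", "acct-dev"],
        configs=["ReadOnly"],
    )
    print(f"{len(new)} new tasks, {len(skipped)} already assigned")
    for account, config in to_provision:
        print(f"provision {config} on {account} first")
    after = EXISTING | set(new)
    _, orphan = plan_removal(after, ("group:ops", "acct-prod", "ReadOnly"))
    print("de-provision candidate:", orphan)
```

The count of new triplets is the number of asynchronous tasks to expect on the Historical Tasks page, and the `to_provision` list shows which accounts gain an access configuration they did not have before.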

How end users access resources

After a CloudSSO administrator assigns access permissions, a CloudSSO user who logs on to the CloudSSO user portal can view the accounts in the resource directory that they can access, along with the access configurations for each account. The user can then access the resources of each account based on the permissions in the access configurations. For more information, see Log on to the CloudSSO user portal and access Alibaba Cloud resources.