A management account or delegated administrator account in Resource Directory can modify the name and description of an account group, and add or remove member accounts. After an account group's configuration is updated, the management account or delegated administrator account must manually refresh the target account group tab on the Overview, Resources, Compliance Package, and Rules pages.
Prerequisites
A management account or delegated administrator account is used to log on to the Cloud Config console.
Background information
After you create a global account group, take note of the following information:
You can change only the name and description of the global account group.
After a member account is added to the resource directory, the member account is automatically added to the global account group.
After a member account is removed from the resource directory, the member account is automatically removed from the global account group.
The following table describes the impacts on the management account or delegated administrator account and member accounts if a member account is added to or removed from an account group.
Operation | Impact on the management account or delegated administrator account | Impact on member accounts |
Add a member account to the account group |
The management account or delegated administrator account can query the resources of the member account. The rules and compliance packages created in the account group by using the management account or delegated administrator account take effect on the member account. The delivery methods for resource data and notification methods for resource events configured by using the management account or delegated administrator account take effect on the member account.
|
If a service-linked role for Cloud Config is not created for the member account, the role is automatically created. The existing rules and compliance packages of the member account are retained. The delivery methods for resource data and notification methods for resource events configured for the member account are automatically cleared. The configuration permissions for the member account are removed. The member account can use only the configurations of the management account or delegated administrator account. -
On the Overview, Resources, Compliance Package, and Rules pages, the member account can view the Current Account tab and the tab for its account group. The member account can view its own resources, and the rules and compliance packages created by the management account or delegated administrator account within the account group. The member account cannot modify rules or compliance packages. When viewing the details of a rule or compliance package, the member account can see only its own resources.
The existing rules and compliance packages in the account group automatically take effect on the member account.
|
Remove a member account from a resource directory |
The management account or delegated administrator account cannot query the resources of the member account. The rules and compliance packages created in the account group by using the management account or delegated administrator account no longer take effect on the member account. The delivery methods for resource data and notification methods for resource events configured by using the management account or delegated administrator account no longer take effect on the member account.
|
-
On the Overview, Resources, Compliance Package, and Rules pages, the member account can no longer see the Current Account tab or the tab for its former account group.
The existing rules and compliance packages of the account group no longer take effect on the member account. Service-linked roles for Cloud Config of member accounts in the account group are retained. The rules and compliance packages created by using the member account are retained. The delivery methods of resource data and notification methods of resource events configured for the member account are automatically cleared. The member account regains the permissions to re-configure the delivery methods of resource data and notification methods of resource events. The member account uses Cloud Config as an independent Alibaba Cloud account and is no longer managed by using the management account or delegated administrator account.
|
Procedure
Log on to the Cloud Config console.
-
In the left-side navigation pane, click Account Group.
-
On the Account Group page, find the account group that you want to modify and click Modify in the Actions column.
-
On the Edit page, set the name and description for the account group, and then click Edit Member.
-
Select the target member accounts in Resource Directory and click OK.
-
To add member accounts: In the Resource Directories section, select the check boxes next to the member accounts that you want to add. The selected member accounts then appear in the Selected Accounts section.
Remove member accounts: In the Selected Accounts section, clear the member accounts that you want to remove.
-
Click Submit.
In the Account Group list, check the target account group to verify the updated name, description, and number of member accounts.