Terms


Learn key terms used in Resource Management, including resource directories, resource groups, resource sharing, and tags.

Resource Management

Resource Directory

Term

Description

management account

An Alibaba Cloud account that has passed enterprise verification and enabled a resource directory. The management account is the super administrator with full permissions over the resource directory, all folders, and all members. Each resource directory has exactly one management account.

Security best practices:

  • Use a resource-free Alibaba Cloud account as the management account.

  • Create a RAM user with the AliyunResourceDirectoryFullAccess policy and use it to manage the resource directory.

Note

A management account does not belong to the resource directory and is not subject to its access control policies.

Root folder

The top-level folder in a resource directory. All other folders are organized in a hierarchy beneath it.

folder

An organizational unit that can represent a branch, line of business, or project. Folders can contain members and subfolders, forming a tree structure.

member

An account within a resource directory. Members are either resource accounts (created in the directory to isolate project or application resources) or cloud accounts (existing Alibaba Cloud accounts invited to join).

  • Resource account

    Created within a resource directory. Root users are disabled for resource accounts, providing higher security. For more information about how to create a resource account, see Create a member.

  • Cloud account

    An existing Alibaba Cloud account invited to join a resource directory. Cloud accounts retain their root users. For more information about how to invite an Alibaba Cloud account to join a resource directory, see Invite an account to a resource directory.

RDPath

The path that identifies the location of a folder or member within a resource directory. An RDPath consists of the resource directory ID, all parent folder IDs, and the entity ID. Formats:

  • RDPath of a folder: <ID of the resource directory to which the folder belongs>/<ID of the Root folder in the resource directory>/.../<ID of the folder>.

  • RDPath of a member: <ID of the resource directory to which the member belongs>/<ID of the Root folder in the resource directory>/.../<ID of the member>. For example, the RDPath of the member 181761095690**** is rd-r4****/r-oG****/fd-RIErN0****/fd-XVxh6D****/181761095690****.

To view an RDPath, see View the basic information of a folder or View the detailed information of a member.
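The RDPath format above can be parsed and used to check whether a member sits under a given folder, for example when reviewing which accounts a folder-level access control policy or resource share covers. This is an added example, not Alibaba Cloud code: the `rd-`, `r-`, and `fd-` prefixes and the all-digit member ID are assumptions inferred from the sample RDPath on this page, and the IDs in the code are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RDPath:
    directory_id: str
    root_folder_id: str
    folder_ids: Tuple[str, ...]  # folders below the Root folder, outermost first
    member_id: Optional[str]     # None when the path identifies a folder


def parse_rdpath(path: str) -> RDPath:
    """Split an RDPath into its components; raise ValueError if malformed."""
    parts = path.split("/")
    if len(parts) < 2 or any(not p for p in parts):
        raise ValueError(f"not an RDPath: {path!r}")
    rd, root, rest = parts[0], parts[1], parts[2:]
    # Prefix checks are assumptions based on the page's sample path.
    if not rd.startswith("rd-") or not root.startswith("r-"):
        raise ValueError(f"unexpected directory or Root folder ID: {path!r}")
    member = None
    if rest and rest[-1].isascii() and rest[-1].isdigit():
        member, rest = rest[-1], rest[:-1]
    if any(not f.startswith("fd-") for f in rest):
        raise ValueError(f"unexpected folder ID in: {path!r}")
    return RDPath(rd, root, tuple(rest), member)


def is_within(path: str, scope: str) -> bool:
    """True if the entity at `path` is the folder `scope` or lies beneath it.

    Compares whole segments, so a folder ID that is merely a string prefix
    of another folder ID does not match.
    """
    p, s = parse_rdpath(path), parse_rdpath(scope)
    if s.member_id is not None:
        raise ValueError("scope must be the RDPath of a folder")
    if (p.directory_id, p.root_folder_id) != (s.directory_id, s.root_folder_id):
        return False
    return p.folder_ids[: len(s.folder_ids)] == s.folder_ids


# Constructed sample values (not real IDs).
MEMBER = "rd-EX0001/r-Rt0001/fd-Parent0001/fd-Child00001/1234567890123456"
PARENT = "rd-EX0001/r-Rt0001/fd-Parent0001"
LOOKALIKE = "rd-EX0001/r-Rt0001/fd-Parent000"  # string prefix of PARENT only
```

A plain `MEMBER.startswith(LOOKALIKE)` returns `True`, which is why the scope check compares path segments rather than raw strings.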

access control policy

Defines permission boundaries for folders or members in a resource directory. Access control policies do not grant permissions — they only restrict what permissions RAM can grant. You must still use RAM to grant the required permissions to member accounts.

For more information about access control policies, see Overview.

trusted service

An Alibaba Cloud service integrated with Resource Directory that can access the directory's structure and member information. Use the management account or a delegated administrator account to manage the trusted service across your organization. For example, Cloud Config integration lets you view resources of all members, their configuration history, and compliance statuses across the directory.

For more information about trusted services, see Overview of trusted services.

delegated administrator account

A member designated by the management account to manage a specific trusted service on behalf of the organization. The delegated administrator can access resource directory information (structure and members) within the trusted service and manage related business. This separates organization management (handled by the management account) from service-specific management, improving security.

For information about how to add or remove a delegated administrator account, see Manage delegated administrator accounts.

Resource Group

Term

Description

resource group

Resource groups let you organize Alibaba Cloud resources by project or application, simplifying permission management across your account.

Resource Sharing

Term

Description

resource share

A resource share is an instance of the Resource Sharing service. It is also a resource and has a unique ID and an Alibaba Cloud Resource Name (ARN). A resource share consists of a resource owner, principals, and shared resources.

resource owner

A resource owner initiates resource sharing and owns shared resources.

principal

A principal is invited to use the resources of resource owners and has specific operation permissions on the shared resources.

Note

The operation permissions of each principal on the shared resources are determined by the Alibaba Cloud service to which the resources belong. For example, the operation permissions of principals on the shared vSwitches in a VPC are determined based on the VPC service. For more information, see Permissions related to VPC sharing.

shared resource

A shared resource is a resource of an Alibaba Cloud service. For more information about the types of resources that can be shared, see Supported services for Resource Sharing.

resource sharing

Resource sharing allows you to share your resources with all members in your resource directory, all members in a specific folder in your resource directory, or a specific member in your resource directory. For more information, see Enable resource sharing within a resource directory.

Tag

Term

Description

key-value pair

A tag is a key-value pair.

predefined tag

A predefined tag is created in advance and available across all regions. Predefined tags persist even when not attached to resources. Create them during tag planning and attach them during implementation. For more information, see Create a tag.

system tag

System tags are read-only tags that represent standard data relationships. For example, when a cluster is associated with an Elastic Compute Service (ECS) instance, the system adds the cluster ID as a system tag to help determine the instance's attribution. For more information, see View system tags and resources.

createdby tag

A createdby tag is a system tag automatically added to resources to identify resource creators, analyze costs and bills, and manage resource costs efficiently. For more information, see Createdby tags.

tag policy

Tag policies define required tags for resources to standardize tagging. Compliant tags improve cost allocation, access control, and automated O&M efficiency. Two modes are supported: single-account and resource directory. For more information, see Overview of tag policies.