Updated on 2024-11-15 GMT+08:00

Overview of a Trusted Service

What Is a Trusted Service?

You can use the management account in Organizations to enable trusted access for a supported Huawei Cloud service, called a trusted service. A trusted service can perform tasks in your organization on your behalf. Each trusted service has access to the information about the OUs and member accounts in your organization and also can manage the entire organization. For example, if you enable CTS as a trusted service for Organizations, CTS can obtain information about OUs and member accounts to record the operations in all accounts within the organization. For cloud services that can be enabled with trusted access, see Trusted Services for Organizations.

Delegated Administrator

A delegated administrator account is a member account that has special permissions in an organization. The management account of your organization can designate a member account to be a delegated administrator account for a trusted service. All the users in the delegated administrator account will have organizational management capabilities. For example, if a member account becomes the delegated administrator of CTS, the account can view the CTS logs of all member accounts in the organization.

Service-linked Agency

Organizations uses IAM trust agencies to enable trusted services to perform tasks on your behalf in your organization's member accounts. When you enable a trusted service, the service can request that Organizations create a service-linked agency in its member accounts. The trusted service does this asynchronously, as needed. The service-linked agency has predefined IAM permissions that allow the trusted service to perform specific tasks within that account. This means that the capabilities of that cloud service are extended to the entire multi-account organization. For details about the supported trusted services and their functions, see Trusted Services for Organizations.

When you create an account in your organization or invite an existing account to join your organization, Organizations provisions the member account with a service-linked agency with the system-defined permission OrganizationsServiceLinkedAgencyPolicy, which is applicable to all resources. Only the Organizations service itself can assume this agency. This agency has permission that allows Organizations to create service-linked agencies for other cloud services.

Organizations SCPs do not affect service-linked agencies, and operations performed using service-linked agencies are not restricted by SCPs.