Updated on 2024-03-15 GMT+08:00

Procedure

In this tutorial, you will learn how to use Organizations to centrally manage accounts.

Creating an Organization

  1. Log in to Huawei Cloud using the management account Company A.
  2. Click the service list icon and choose Management & Governance > Organizations.
  3. Click Enable Organizations.

    Figure 1 Enabling Organizations
    When Organizations is enabled, an organization and a root OU are automatically created, and your login account Company A is designated as the management account.
    Figure 2 Creating an organization

Adding an OU

You can use OUs to group accounts by different characteristics (such as the service scope, account owner, or application environment) and administer each group as a single unit. This greatly simplifies account management.

In this example, the company uses Organizations to organize the OUs and accounts in a hierarchical, tree-like structure. At the top of the tree is the root OU. The R&D Dept. and Finance Dept. OUs are child OUs that branch from the root. The Development Team OU and O&M Team OU are nested under the R&D Dept. OU. At the ends of the branches are the accounts, the leaves of the tree: Company A is the management account, and Account y, Account z, and Account x are member accounts. The organizational structure is shown in Figure 3.

Figure 3 Organizational structure

To add an OU:

  1. Log in to Huawei Cloud using the management account Company A and navigate to the Organizations console.
  2. Access the Organization page, select the root OU, and choose Add > Add Organizational Unit.

    Figure 4 Adding an OU

  3. Enter the OU name (R&D Dept. in this example) and click OK in the displayed dialog box. Use the same method to create the Finance Dept. OU.

    Figure 5 Specifying OU information

  4. Select the R&D Dept. OU and add the Development Team OU and O&M Team OU in the same manner. The following figure shows the organizational structure.

    Figure 6 Organizational structure

Inviting an Account to Join Your Organization

After you create an organization and set up the organizational structure, you can invite other accounts to join your organization.

The accounts you invite to join your organization must have completed real-name authentication. For details, see Real-Name Authentication.

The original accounting relationship (master-member association) of invited accounts will remain unchanged. If you want to change the relationship, refer to the documentation of Enterprise Center.

  1. Log in to Huawei Cloud using the management account Company A and navigate to the Organizations console.
  2. On the Organization page, choose Add > Add Account.

    Figure 7 Adding an account

  3. Enter the ID of Development Team account Account y in the displayed dialog box. For details about how to obtain an account ID, see Obtaining Account ID. Click OK to send an invitation to Account y.

    Figure 8 Inviting an account

  4. Log in to Account y, access the Organizations console and click Accept to accept the invitation.

    Figure 9 Accepting an invitation

  5. Log in as the management account Company A and navigate to the Organizations console. Then, access the Organization page and select the invited account.
  6. Choose Manage > Move Account.

    Figure 10 Moving an account

  7. Select the OU (Development Team in this example) you want to hold the invited account. Click OK.
  8. Use the same method to invite Account x of the finance department and Account z of the O&M team to join the organization.

Attaching an SCP to an OU

You can attach SCPs to OUs to centrally manage permissions for all accounts in your organization. For the services that support SCPs, see Cloud Services for Using SCPs.

  1. Use a system-defined policy or create a custom policy.

    Choose a system-defined SCP, or create a custom policy by referring to the policy syntax. This example uses a custom policy.

    In this example, use the following syntax to create a custom policy that denies the finance department permission to modify or delete assignments through RMS:

    {
      "Version": "5.0",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "rms:policyAssignments:update",
            "rms:policyAssignments:delete"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }

  2. Log in to Huawei Cloud using the management account Company A and navigate to the Organizations console.
  3. Select the Finance Dept. OU in the organizational structure. In this example, the finance department will be prohibited from modifying or deleting compliance rules.
  4. Click Policies on the Organizational Unit Details page.
  5. Click the icon in front of Service Control Policies and click Attach.

    Figure 11 Attaching a policy

  6. Select the policy created in step 1 and click Attach in the displayed dialog box. The policy is then displayed in the list of policies attached to the finance department.

Testing SCP Effects

To test the effects of an SCP, perform the following steps:

  1. Log in to Huawei Cloud using the finance department account Account x and access the Config console.
  2. Attempt to modify or delete compliance rules. If an error message is displayed, the SCP has been applied.
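
Before running the test, it helps to write down which accounts should see the error and which should not. The following is an added example, not Huawei Cloud code: a simplified model that assumes an explicit Deny in an SCP applies to every account under the OU it is attached to, and that action patterns match with shell-style wildcards. The management account is left out, and the `PARENT` and `ATTACHED` tables are constructed from this tutorial's structure.

```python
import json
from fnmatch import fnmatchcase

# Custom SCP from this tutorial (attached to the Finance Dept. OU).
FINANCE_SCP = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["rms:policyAssignments:update", "rms:policyAssignments:delete"],
      "Resource": ["*"]
    }
  ]
}
""")

# Child -> parent links for the tutorial's organizational structure (constructed).
PARENT = {
    "R&D Dept.": "Root", "Finance Dept.": "Root",
    "Development Team": "R&D Dept.", "O&M Team": "R&D Dept.",
    "Account y": "Development Team", "Account z": "O&M Team",
    "Account x": "Finance Dept.",
}

# SCPs attached to each node; only the attachment made in this tutorial.
ATTACHED = {"Finance Dept.": [FINANCE_SCP]}

def ancestry(node):
    """Return the node followed by every OU above it, up to the root."""
    chain = [node]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def denied_by(account, action):
    """Return the node whose SCP explicitly denies the action, or None."""
    # Resource is "*" in this policy, so resource matching is not modelled.
    for node in ancestry(account):
        for policy in ATTACHED.get(node, []):
            for stmt in policy["Statement"]:
                if stmt["Effect"] == "Deny" and any(
                        fnmatchcase(action, p) for p in stmt["Action"]):
                    return node
    return None

def expected_results(action):
    """Map each member account to the blocking node (None = not blocked)."""
    return {a: denied_by(a, action) for a in PARENT if a.startswith("Account ")}
```

Calling `expected_results("rms:policyAssignments:delete")` gives the expectation for all three member accounts at once; repeating the console test from an account under R&D Dept. confirms the policy is scoped to the finance department only.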