- What's New
- Service Overview
- Getting Started
-
User Guide
- Permissions Management
- Managing Organizations
- Managing OUs
- Managing Accounts
-
Managing SCPs
- Overview of an SCP
- Enabling or Disabling the SCP Type
- Creating an SCP
- Modifying or Deleting an SCP
- Attaching or Detaching an SCP
- Example SCPs
- System-defined SCPs
- Cloud Services for Using SCPs
- Regions for Using SCPs
-
Actions Supported by SCP-based Authorization
- Compute
- Storage
- Networking
- Containers
- Analytics
- Content Delivery & Edge Computing
- Databases
- Security & Compliance
- Internet of Things
- Middleware
- Developer Services
- Business Applications
-
Management & Governance
- Simple Message Notification (SMN)
- Log Tank Service (LTS)
- Identity and Access Management (IAM)
- Security Token Service (STS)
- Resource Formation Service (RFS)
- IAM Identity Center
- Organizations
- Resource Access Manager (RAM)
- Enterprise Project Management Service (EPS)
- Tag Management Service (TMS)
- Config
- IAM Access Analyzer
- Cloud Trace Service (CTS)
- Resource Governance Center (RGC)
- Application Operations Management (AOM)
- Cloud Eye (CES)
- IAM Identity Broker
- User Support
- Migration
- Managing Tag Policies
- Managing Trusted Services
- Managing Tags
- CTS Auditing
- Adjusting Quotas
-
API Reference
- Before You Start
- API Overview
- Calling APIs
-
APIs
- Managing Organizations
- Managing OUs
-
Managing Accounts
- Creating an Account
- Listing Accounts in an Organization
- Closing an Account
- Getting Account Information
- Updating an Account
- Removing the Specified Account
- Moving an Account
- Inviting an Account to Join an Organization
- Querying Account Creation Requests in Specified State
- Querying Account Creation Status
- Querying CloseAccount Requests in Specified State
- Managing Invitations
- Managing Trusted Services
- Managing Delegated Administrators
- Managing Policies
-
Managing Tags
- Listing Tags for the Specified Resource
- Adding Tags to the Specified Resource
- Removing Tags from the Specified Resource
- Listing Tags for the Specified Resource Type
- Adding Tags to the Specified Resource Type
- Deleting Tags with the Specified Key from the Specified Resource Type
- Querying Resource Instances by Resource Type and Tag
- Querying Number of Resource Instances by Resource Type and Tag
- Querying Resource Tags
- Others
- Permissions and Supported Actions
- Appendixes
- Change History
- FAQs
- General Reference
Copied.
Overview of a Trusted Service
What Is a Trusted Service?
You can use the management account in Organizations to enable trusted access for a supported Huawei Cloud service, called a trusted service. A trusted service can perform tasks in your organization on your behalf. Each trusted service has access to the information about the OUs and member accounts in your organization and also can manage the entire organization. For example, if you enable CTS as a trusted service for Organizations, CTS can obtain information about OUs and member accounts to record the operations in all accounts within the organization. For cloud services that can be enabled with trusted access, see Trusted Services for Organizations.
Delegated Administrator
A delegated administrator account is a member account that has special permissions in an organization. The management account of your organization can designate a member account to be a delegated administrator account for a trusted service. All the users in the delegated administrator account will have organizational management capabilities. For example, if a member account becomes the delegated administrator of CTS, the account can view the CTS logs of all member accounts in the organization.
Service-linked Agency
Organizations uses IAM trust agencies to enable trusted services to perform tasks on your behalf in your organization's member accounts. When you enable a trusted service, the service can request that Organizations create a service-linked agency in its member accounts. The trusted service does this asynchronously, as needed. The service-linked agency has predefined IAM permissions that allow the trusted service to perform specific tasks within that account. This means that the capabilities of that cloud service are extended to the entire multi-account organization. For details about the supported trusted services and their functions, see Trusted Services for Organizations.
When you create an account in your organization or invite an existing account to join your organization, Organizations provisions the member account with a service-linked agency with the system-defined permission OrganizationsServiceLinkedAgencyPolicy, which is applicable to all resources. Only the Organizations service itself can assume this agency. This agency has permission that allows Organizations to create service-linked agencies for other cloud services.
Organizations SCPs do not affect service-linked agencies, and operations performed using service-linked agencies are not restricted by SCPs.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot