Multi-Account Management

Scenarios

As more and more enterprises migrate their services to the cloud, cloud resource, project, personnel, and permission management is becoming increasingly complex. A centralized approach to managing cloud resources across multiple accounts is essential for enterprise environments.

You can aggregate resources from multiple accounts into one account to centrally manage security, configure protection policies, monitor data operations, and detect security risks in real time.

This topic describes how to implement multi-account management.

Creating Multi-Account Management: You can create multi-account management when you want to centrally manage multiple service accounts as an organization administrator or delegated administrator.
Checking Multi-Account Management: You can check details about service accounts managed by an operations account. You can check the account name, account type, account status, and number of access logs.
Removing One or More Service Accounts from Multi-Account Management: You can also remove a service account from multi-account management.

Basic Concepts

Operation accounts: An operations account, or parent account, is an account that can manage member accounts. An operations account can manage multiple service accounts.
Service account: A service account is a member account, or child account, managed by an operations account. A service account (child account) can be managed by only one operations account.
Primary workspace: The first workspace created by SecMaster is the primary workspace by default. The workspace is pinned on top of the Workspaces > Management page. You can also change the primary workspace. On the Workspaces > Management page, click next to the target workspace. On the workspace details page displayed, toggle on Primary workspace.

Workflow of Multi-account Management

**Table 1** Multi-account management process
No.	Operation	Description
1	Authorization by Organization	Before multi-account management, you need to create an organization, invite accounts to join the organization, and grant them permissions by organization. Only the organization administrator or the delegated administrator can manage multiple accounts.
2	Creating Multi-Account Management	You need to use an operations account to create multi-account management. Then, use the operations account to manage multiple service accounts. Only the organization administrator or the delegated administrator can manage multiple accounts.
3	Integrating Cloud Service Logs	You need to integrate cloud service logs of service accounts managed by the operations account to the primary workspace of the operations account. By default, the primary workspace is the first workspace created by SecMaster. It is pinned on top of the Workspaces > Management page. You can also change the primary workspace. On the Workspaces > Management page, click next to the target workspace. On the workspace details page displayed, toggle on Primary workspace.
4	Perform Multi-account Management and Operations	You can manage and operate data across multiple accounts using the primary workspace of the operations account. The multi-account management function does not support aggregation of SecMaster baseline check results.

Limitations and Constraints

Only the professional edition supports multi-account management.
In the multi-account management scenario, data of service accounts can be integrated only into the primary workspace of the operations account.
A service account can be managed by only one operations account.
An operations account can manage a maximum of 10,000 service accounts.
When configuring multi-account management, only one operations account can enable New account auto-management.
Only the organization administrator or the delegated administrator can manage multiple accounts. An organization administrator is an account used to create an organization. An organization has only one organization administrator. For more information about delegated administrators, see Delegated Administrator.
The multi-account management function does not support aggregation of SecMaster baseline check results.

Prerequisites

An organization has been created, and an account has been invited to join the organization. For details, see Creating an Organization and Inviting an Account to Join Your Organization.
You have assigned permissions by organization. For details, see Authorization by Organization.

Creating Multi-Account Management

Log in to the console as an organization administrator or a delegated administrator.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
In the navigation pane on the left, choose Account Management.

Figure 1 Accounts management page
On the displayed page, click Accounts Management. The multi-account management configuration page is displayed on the right.
On the multi-account management page, select the service accounts (member accounts) you want to manage. You can enable New account auto-management on the bottom of the page if needed. If this function is enabled (), new member accounts in the organization will be automatically managed. After completing all settings, click OK in the lower right corner of the page.
Go back to the multi-account management page and check the list of managed service accounts.
Integrate cloud service logs into the primary workspace of the operations account. The operations account is the organization administrator or delegated administrator account you used to create multi-account management.

In the navigation pane on the left, choose Workspaces > Management. In the workspace list on the Management page, click on the right of the first workspace. On the workspace details page displayed, you will find the Primary Workspace button. If the button is toggled on (), the current workspace is the primary workspace. By default, the first workspace created by the service is the primary workspace. This workspace is pinned on top of the workspace list. You can change the primary workspace if needed.
Choose Workspaces > Management and click the primary workspace name.
In the navigation pane on the left, choose Log Audit > Cloud Service Access. On the displayed page, click One-Click Log Integration.

Figure 2 One-click log integration

On the One-Click Log Integration page, configure the account, region, and log type of the cloud service whose logs need to be integrated. After completing all settings, click OK in the lower right corner of the page.

**Table 2** Parameters for one-click log integration
Parameter	Description
Vendor	Vendor of the cloud service for the log integration.
Log Source Account	If an operation account manages multiple service accounts, you need to configure cloud service log integration in the primary workspace of the operation account. Select the service account for cloud service logs need to be integrated from the drop-down list. The configuration cannot be empty. All accounts: If you select this, cloud service logs of all accounts (including the operations account and service accounts) will be integrated. Specify account: By default, cloud service logs of the current account (operations account) are integrated. You can select the service accounts as needed from the drop-down list.
Region	The region where the data source (operations account and service account logs) is located.
Select Log Type	In the log list, select the types of cloud service logs to be integrated.
Synchronize Configuration	You can enable this to apply the configuration to the primary workspaces in other regions. If this function is enabled, all log type configurations in the current primary workspace will be synchronized to the primary workspaces in other regions.

Go back to the cloud service access page and check the cloud service log integration list. Click Settings in the Operation column of the cloud service product. On the Settings page, select the cloud service log types as required.

Figure 3 Log integration settings page
Click to enlarge

**Table 3** Parameters on the log integration settings page
Parameter	Description
Log Type	Log type.
Enable Log Integration	Whether to enable log integration. If this button is toggled on, logs are integrated into SecMaster.
Auto Integration for New Account	Whether logs of new accounts in the organization are automatically integrated.
Auto Alert Conversion	In the Auto Alert Conversion column, click to enable the function. After that, if cloud service logs meet certain alert rules, SecMaster will automatically convert them into alerts. Those alerts will be displayed on the Alerts page. Logs that can be automatically converted into alerts: SecMaster compliance baseline logs Host Security Service (HSS) alarms HSS vulnerability scan results HSS baseline DDoS attack logs Database Audit Service (DBAS) alarms Cloud Firewall (CFW) attack event logs
Lifecycle	Log retention duration after integration.
Integrated Accounts	Number of accounts with logs integrated.
Log Status	Log integration status. Succeeded: Logs of all accounts have been integrated. Failed: Logs of all accounts failed to be integrated. Integrating: Logs are being integrated. Integration pending: Logs have not integrated. Partially failed: Logs of some accounts failed to be integrated, but logs of some accounts have been integrated.
Last Active	Last log integration time.
Operation	Edit: You can edit the lifecycle of the log type, in days. Lifecycle indicates the retention duration of integrated logs. You can edit account for log integration. You can enable configuration synchronization to apply settings to primary workspaces in other regions.

Manage data integrated into the primary workspace of the operation account. You can manage resources and vulnerabilities. For example, you go to the Resource Manager page in the primary workspace of the operations account and check details of all integrated resources, including resources of the operations account and service accounts. You can identify the account to which a resource belongs by Account ID and Account Name in the resource list.

Checking Multi-Account Management

Log in to the console as an organization administrator or a delegated administrator.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
In the navigation pane on the left, choose Account Management.

Figure 4 Accounts management page

On the multi-account management page, check the list of service accounts managed by the operations account.

**Table 4** Parameters in the account list on the multi-account management page
Parameter	Description
Account Name	Name of the service account that has been managed.
Account Type	Account type of the service account. Currently, only the member accounts in an organization can be managed in the account management module.
Account Status	Account statuses: Managed: The service account has been managed by the operations account. Being managed: Multi-account management is being created. Management failed: The service account failed to be managed. Deleting: The service account is being removed from the management. Deletion failed: The service account failed to be removed from the account management module.
Integrated Regions	Number of regions of the cloud service logs integrated to the primary workspace of the operations account.
Integrated Log Types	Number of log types integrated from the service account to the primary workspace of the operations account. For example, 16/17 indicates that the service account has 17 types of logs, among which 16 types of logs have been integrated to the primary workspace of the operations account.
Log Types Integrated in the Last Hour	Number of log types integrated in the last hour from the service account to the primary workspace of the operations account.
Latest Log Integration	Last time when the logs of service accounts were integrated into the primary workspace of the operations account.
Managed	Time the account was managed by the operations account.
Operation	You can remove the service account. For details, see Removing One or More Service Accounts from Multi-Account Management.

Removing One or More Service Accounts from Multi-Account Management

Log in to the console as an organization administrator or a delegated administrator.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
In the navigation pane on the left, choose Account Management.

Figure 5 Accounts management page
On the account management page, locate the row of the target service account and click Remove in the Operation column.

To remove multiple service accounts, select them all and click Remove above the account list.
In the dialog box, click Auto Enter and enter UNLINK. Click OK. The service account then will be removed from multi-account management. After the removal, the integration of cloud service logs of managed service accounts is also removed from the primary workspace of the operations account.
Go back to the account management page and check whether the service account has been removed. If it is not listed, it has been removed. Removing an account from multi-account management cannot be undone. Exercise caution when performing this operation. If you want to manage the service account again, create a multi-account management again.