Updated on 2025-08-11 GMT+08:00

Multi-Account Management

Scenarios

As more and more enterprises migrate their services to the cloud, cloud resource, project, personnel, and permission management is becoming increasingly complex. A centralized approach to managing cloud resources across multiple accounts is essential for enterprise environments.

You can aggregate resources from multiple accounts into one account to centrally manage security, configure protection policies, monitor data operations, and detect security risks in real time.

This topic describes how to implement multi-account management.

Basic Concepts

  • Operations account: An operations account, or parent account, is an account that can manage member accounts. An operations account can manage multiple service accounts.
  • Service account: A service account is a member account, or child account, managed by an operations account. A service account (child account) can be managed by only one operations account.
  • Primary workspace: The first workspace created by SecMaster is the primary workspace by default. The workspace is pinned on top of the Workspaces > Management page. You can also change the primary workspace. On the Workspaces > Management page, click next to the target workspace. On the workspace details page displayed, toggle on Primary workspace.

Workflow of Multi-account Management

Table 1 Multi-account management process

| No. | Operation | Description |
|---|---|---|
| 1 | Authorization by Organization | Before multi-account management, you need to create an organization, invite accounts to join the organization, and grant them permissions by organization. Only the organization administrator or the delegated administrator can manage multiple accounts. |
| 2 | Creating Multi-Account Management | You need to use an operations account to create multi-account management. Then, use the operations account to manage multiple service accounts. Only the organization administrator or the delegated administrator can manage multiple accounts. |
| 3 | Integrating Cloud Service Logs | You need to integrate cloud service logs of service accounts managed by the operations account to the primary workspace of the operations account. By default, the primary workspace is the first workspace created by SecMaster. It is pinned on top of the Workspaces > Management page. You can also change the primary workspace. On the Workspaces > Management page, click next to the target workspace. On the workspace details page displayed, toggle on Primary workspace. |
| 4 | Perform Multi-account Management and Operations | You can manage and operate data across multiple accounts using the primary workspace of the operations account. The multi-account management function does not support aggregation of SecMaster baseline check results. |

Limitations and Constraints

  • Only the professional edition supports multi-account management.
  • In the multi-account management scenario, data of service accounts can be integrated only into the primary workspace of the operations account.
  • A service account can be managed by only one operations account.
  • An operations account can manage a maximum of 10,000 service accounts.
  • When configuring multi-account management, only one operations account can enable New account auto-management.
  • Only the organization administrator or the delegated administrator can manage multiple accounts. An organization administrator is an account used to create an organization. An organization has only one organization administrator. For more information about delegated administrators, see Delegated Administrator.
  • The multi-account management function does not support aggregation of SecMaster baseline check results.

Prerequisites

Creating Multi-Account Management

  1. Log in to the console as an organization administrator or a delegated administrator.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  4. In the navigation pane on the left, choose Account Management.

    Figure 1 Accounts management page

  5. On the displayed page, click Accounts Management. The multi-account management configuration page is displayed on the right.
  6. On the multi-account management page, select the service accounts (member accounts) you want to manage. You can enable New account auto-management on the bottom of the page if needed. If this function is enabled, new member accounts in the organization will be automatically managed. After completing all settings, click OK in the lower right corner of the page.
  7. Go back to the multi-account management page and check the list of managed service accounts.
  8. Integrate cloud service logs into the primary workspace of the operations account. The operations account is the organization administrator or delegated administrator account you used to create multi-account management.

    In the navigation pane on the left, choose Workspaces > Management. In the workspace list on the Management page, click on the right of the first workspace. On the workspace details page displayed, you will find the Primary Workspace button. If the button is toggled on, the current workspace is the primary workspace. By default, the first workspace created by the service is the primary workspace. This workspace is pinned on top of the workspace list. You can change the primary workspace if needed.

  9. Choose Workspaces > Management and click the primary workspace name.
  10. In the navigation pane on the left, choose Log Audit > Cloud Service Access. On the displayed page, click One-Click Log Integration.

    Figure 2 One-click log integration

  11. On the One-Click Log Integration page, configure the account, region, and log type of the cloud service whose logs need to be integrated. After completing all settings, click OK in the lower right corner of the page.

    Table 2 Parameters for one-click log integration

    | Parameter | Description |
    |---|---|
    | Vendor | Vendor of the cloud service for the log integration. |
    | Log Source Account | If an operations account manages multiple service accounts, you need to configure cloud service log integration in the primary workspace of the operations account. Select the service account whose cloud service logs need to be integrated from the drop-down list. The configuration cannot be empty. • All accounts: If you select this, cloud service logs of all accounts (including the operations account and service accounts) will be integrated. • Specify account: By default, cloud service logs of the current account (operations account) are integrated. You can select the service accounts as needed from the drop-down list. |
    | Region | The region where the data source (operations account and service account logs) is located. |
    | Select Log Type | In the log list, select the types of cloud service logs to be integrated. |
    | Synchronize Configuration | You can enable this to apply the configuration to the primary workspaces in other regions. If this function is enabled, all log type configurations in the current primary workspace will be synchronized to the primary workspaces in other regions. |

  12. Go back to the cloud service access page and check the cloud service log integration list. Click Settings in the Operation column of the cloud service product. On the Settings page, select the cloud service log types as required.

    Figure 3 Log integration settings page
    Table 3 Parameters on the log integration settings page

    | Parameter | Description |
    |---|---|
    | Log Type | Log type. |
    | Enable Log Integration | Whether to enable log integration. If this button is toggled on, logs are integrated into SecMaster. |
    | Auto Integration for New Account | Whether logs of new accounts in the organization are automatically integrated. |
    | Auto Alert Conversion | In the Auto Alert Conversion column, click to enable the function. After that, if cloud service logs meet certain alert rules, SecMaster will automatically convert them into alerts. Those alerts will be displayed on the Alerts page. Logs that can be automatically converted into alerts: • SecMaster compliance baseline logs • Host Security Service (HSS) alarms • HSS vulnerability scan results • HSS baseline • DDoS attack logs • Database Audit Service (DBAS) alarms • Cloud Firewall (CFW) attack event logs |
    | Lifecycle | Log retention duration after integration. |
    | Integrated Accounts | Number of accounts with logs integrated. |
    | Log Status | Log integration status. • Succeeded: Logs of all accounts have been integrated. • Failed: Logs of all accounts failed to be integrated. • Integrating: Logs are being integrated. • Integration pending: Logs have not been integrated. • Partially failed: Logs of some accounts failed to be integrated, but logs of some accounts have been integrated. |
    | Last Active | Last log integration time. |
    | Operation | Edit: • You can edit the lifecycle of the log type, in days. Lifecycle indicates the retention duration of integrated logs. • You can edit the account for log integration. • You can enable configuration synchronization to apply settings to primary workspaces in other regions. |

  13. Manage data integrated into the primary workspace of the operations account. You can manage resources and vulnerabilities. For example, go to the Resource Manager page in the primary workspace of the operations account and check details of all integrated resources, including resources of the operations account and service accounts. You can identify the account to which a resource belongs by Account ID and Account Name in the resource list.

Checking Multi-Account Management

  1. Log in to the console as an organization administrator or a delegated administrator.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  4. In the navigation pane on the left, choose Account Management.

    Figure 4 Accounts management page

  5. On the multi-account management page, check the list of service accounts managed by the operations account.

    Table 4 Parameters in the account list on the multi-account management page

    | Parameter | Description |
    |---|---|
    | Account Name | Name of the service account that has been managed. |
    | Account Type | Account type of the service account. Currently, only the member accounts in an organization can be managed in the account management module. |
    | Account Status | Account statuses: • Managed: The service account has been managed by the operations account. • Being managed: Multi-account management is being created. • Management failed: The service account failed to be managed. • Deleting: The service account is being removed from the management. • Deletion failed: The service account failed to be removed from the account management module. |
    | Integrated Regions | Number of regions of the cloud service logs integrated to the primary workspace of the operations account. |
    | Integrated Log Types | Number of log types integrated from the service account to the primary workspace of the operations account. For example, 16/17 indicates that the service account has 17 types of logs, among which 16 types of logs have been integrated to the primary workspace of the operations account. |
    | Log Types Integrated in the Last Hour | Number of log types integrated in the last hour from the service account to the primary workspace of the operations account. |
    | Latest Log Integration | Last time when the logs of service accounts were integrated into the primary workspace of the operations account. |
    | Managed | Time the account was managed by the operations account. |
    | Operation | You can remove the service account. For details, see Removing One or More Service Accounts from Multi-Account Management. |
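
A log coverage check over the account list fields in Table 4, as an added example that is not part of the SecMaster documentation or product: it flags service accounts whose logs are not fully reaching the primary workspace of the operations account. The CSV layout and the sample rows are constructed assumptions; only the column names and status values come from the table.

```python
import csv
import io

# Constructed sample rows. Column names follow Table 4; the CSV layout is an assumption.
SAMPLE = """Account Name,Account Status,Integrated Log Types,Log Types Integrated in the Last Hour
svc-prod,Managed,17/17,17
svc-dev,Managed,16/17,16
svc-legacy,Managed,17/17,0
svc-new,Being managed,0/17,0
svc-broken,Management failed,0/17,0
"""


def parse_ratio(value):
    """Split an 'Integrated Log Types' value such as '16/17' into (integrated, total)."""
    integrated, total = (int(part) for part in value.strip().split("/"))
    if integrated < 0 or total < 0 or integrated > total:
        raise ValueError(f"implausible log type ratio: {value!r}")
    return integrated, total


def coverage_findings(csv_text):
    """Return {account name: [reasons]} for accounts with a log coverage gap."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        status = row["Account Status"].strip()
        if status != "Managed":
            reasons.append(f"status is '{status}'")
        integrated, total = parse_ratio(row["Integrated Log Types"])
        if integrated < total:
            reasons.append(f"{total - integrated} of {total} log types not integrated")
        # Log types are integrated but none delivered recently: the feed may have stalled.
        if integrated > 0 and int(row["Log Types Integrated in the Last Hour"]) == 0:
            reasons.append("no log types integrated in the last hour")
        if reasons:
            findings[row["Account Name"].strip()] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in coverage_findings(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A zero in Log Types Integrated in the Last Hour can also mean the account was simply quiet, so treat that finding as a prompt to check Latest Log Integration rather than as a confirmed failure.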

Removing One or More Service Accounts from Multi-Account Management

  1. Log in to the console as an organization administrator or a delegated administrator.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  4. In the navigation pane on the left, choose Account Management.

    Figure 5 Accounts management page

  5. On the account management page, locate the row of the target service account and click Remove in the Operation column.

    To remove multiple service accounts, select them all and click Remove above the account list.

  6. In the dialog box, click Auto Enter and enter UNLINK. Click OK. The service account will then be removed from multi-account management. After the removal, the integration of cloud service logs of managed service accounts is also removed from the primary workspace of the operations account.
  7. Go back to the account management page and check whether the service account has been removed. If it is not listed, it has been removed. Removing an account from multi-account management cannot be undone. Exercise caution when performing this operation. If you want to manage the service account again, create multi-account management again.