Updated on 2024-07-22 GMT+08:00

Procedure

In this tutorial, you will learn how to use Organizations to centrally manage accounts, following the process shown in Flowchart.


Creating an Organization

  1. Log in to Huawei Cloud using the management account Company A.
  2. Click and choose Management & Governance > Organizations.
  3. Click Enable Organizations.

    Figure 1 Enabling Organizations

    After Organizations is enabled, your organization as well as a root OU is automatically created, and your login account Company A is designated as the management account.

Adding an OU

You can use OUs to group accounts by a specific dimension, for example, by service scope, account owner, or application environment, and administer each group as a single unit. This greatly simplifies account management.

In this example, the company uses Organizations to organize the OUs and accounts in a hierarchical, tree-like structure. At the top of the tree is the root OU. The R&D dept. and finance dept. are child OUs reaching down like branches. A development OU and an O&M OU are nested under the R&D dept. At the ends of the branches are the accounts, the leaves of the tree: Company A is the management account, and Account y, Account z, and Account x are member accounts. The organizational structure is shown in Figure 2.

Figure 2 Organizational structure

To add an OU:

  1. Log in to Huawei Cloud using the management account Company A and navigate to the Organizations console.
  2. Access the Organization page, select the parent OU (root OU in this example), and choose Add > Add Organizational Unit.

    Figure 3 Adding an OU

  3. Enter the OU name (Research and Development Dept in this example) and click OK in the displayed dialog box. Use the same method to create the Finance Dept OU.

    Figure 4 Adding an OU

  4. Select the Research and Development Dept OU and add the Development Team OU and Operations and Maintenance Team OU in the same manner. The following figure shows the organizational structure.

    Figure 5 Organizational structure

Inviting an Account to Join Your Organization

After you create an organization and set up the organizational structure, you can invite other accounts to join your organization.

The accounts you invite to join your organization must have completed real-name authentication. For details, see Real-Name Authentication.

The original accounting relationship (master-member association) of invited accounts will remain unchanged. If you want to change the relationship, refer to the documentation of Enterprise Center.

  1. Log in to Huawei Cloud using the management account Company A and navigate to the Organizations console.
  2. On the Organization page, choose Add > Add Account.

    Figure 6 Adding an account

  3. In the displayed dialog box, select Invite existing and enter the name or ID of the account you want to invite. In this example, enter the ID of the Development Team account Account y. For details about how to obtain an account name or account ID, see Obtaining Account ID and Name. Click OK to send an invitation to Account y.

    Figure 7 Inviting an account

  4. Log in as Account y, access the Organizations console and click Accept to accept the invitation.

    Figure 8 Accepting an invitation

  5. Log in as the management account Company A and navigate to the Organizations console. Then, access the Organization page and select the invited account.
  6. Choose Manage > Move Account.

    Figure 9 Moving an account

  7. Select the OU (Development Team in this example) you want to hold the invited account. Click OK.
  8. Use the same method to invite Account x of the finance department and Account z of the O&M team to join the organization.

Attaching an SCP to an OU

You can attach SCPs to OUs to centrally manage permissions for all accounts in your organization. For example, you can attach an SCP to the R&D Dept. OU to allow only the accounts in this OU to modify and delete resource compliance rules. For the services that support SCPs, see Cloud Services for Using SCPs.

  1. Use a system-defined policy or create a custom policy.

    Choose one of the system-defined SCPs or, as in this example, create a custom policy by referring to SCP Syntax.

    The policy content is as follows:

    {
      "Version": "5.0",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "rms:policyAssignments:update",
            "rms:policyAssignments:delete"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }

  2. Log in to Huawei Cloud using the management account Company A and navigate to the Organizations console.
  3. Select the Finance Dept. OU in the organizational structure. In this example, the finance department will be prohibited from modifying or deleting compliance rules.
  4. Click Policies on the Organizational Unit Details page.
  5. Click in front of Service Control Policies and click Attach.

    Figure 10 Attaching an SCP

  6. Select the policy created in step 1 and click Attach in the displayed dialog box. The policy is then displayed in the list of policies attached to the finance department.

Testing SCP Effects

To test the effects of an SCP, perform the following steps:

  1. Log in to Huawei Cloud using the finance department account Account x and access the Config console.
  2. Attempt to modify or delete compliance rules. If an error message is displayed, the SCP has been applied.
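
The check in Testing SCP Effects can be reasoned about offline before logging in as each account. The following is an added example, not part of the original documentation and not a Huawei Cloud API: it models the OU tree and the custom SCP from this page and reports which member accounts the attachment covers. The function names `denying_ou` and `coverage` are hypothetical, and the evaluation is a simplified assumption (Deny statements only, glob matching on action names).

```python
from fnmatch import fnmatchcase

# The custom SCP from this page.
SCP = {
    "Version": "5.0",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["rms:policyAssignments:update", "rms:policyAssignments:delete"],
        "Resource": ["*"],
    }],
}
# OU tree built in "Adding an OU": child -> parent (None marks the top of the tree).
PARENT = {
    "Root": None,
    "Research and Development Dept": "Root",
    "Finance Dept": "Root",
    "Development Team": "Research and Development Dept",
    "Operations and Maintenance Team": "Research and Development Dept",
}
# Member accounts and the OU each one was moved into.
ACCOUNT_OU = {
    "Account y": "Development Team",
    "Account z": "Operations and Maintenance Team",
    "Account x": "Finance Dept",
}
ATTACHED = {"Finance Dept": [SCP]}  # the attachment made in this tutorial


# Simplified model (assumption): only Deny statements are evaluated, walking from
# the account's OU up to the root; Resource and condition keys are ignored.
def denying_ou(account, action, attached=ATTACHED):
    """Return the OU whose attached SCP denies `action` for `account`, or None."""
    ou = ACCOUNT_OU[account]
    while ou is not None:
        for policy in attached.get(ou, []):
            for stmt in policy["Statement"]:
                if stmt["Effect"] == "Deny" and any(fnmatchcase(action, p) for p in stmt["Action"]):
                    return ou
        ou = PARENT[ou]
    return None


def coverage(action, attached=ATTACHED):
    """Map every member account to the OU that denies `action` (None = not covered)."""
    return {acct: denying_ou(acct, action, attached) for acct in ACCOUNT_OU}


if __name__ == "__main__":
    print(coverage("rms:policyAssignments:delete"))
```

Account y and Account z map to None under the tutorial's attachment, so only the finance department account is expected to see the error in the test above; passing `{"Root": [SCP]}` as `attached` shows the same policy covering every member account.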