Migrated end customers
If you used the previous version of the Parent and Child accounts feature, you'll be migrated to the new experience with all your access configurations unchanged. Moving forward, you'll need to adapt to the changes described in Parent and child account feature for end customers.
Action required: To learn about the changes resulting from the migration and recommended action, see Migration.
General changes
The introduction of Identity and Access for the parent and child accounts feature causes the following changes to the original experience:
- The User & Grants page with the Parent User Settings table is replaced with the delegation for parent and child accounts feature in Identity and Access.
- Instead of the parent user on UI and proxy user in API that acted as a single representative user for all parent users on the child account, there are now delegate users. Each parent user delegated to your account is an individual user. To learn more about delegate users, see Terminology.
  - On UI, in the Identity & Access > Users tab, instead of a single parent user, you'll see new usernames with the format delegate-{username on parent account}-{16 char unique hash} and with the Delegate User user type. Those are the users delegated by the parent account to have access to your account.
  - In API, when you run the List users operation, instead of a single proxy user, you'll get new usernames with the delegate user type.
- The actions of delegate users are logged individually.
- Delegate users with the account_admin role on your account can remove native users of your account.
- Instead of configuring access to a single parent user, a child account administrator needs to configure access to every delegate user individually. Access of parent users who already had access to your account is migrated. To learn more, see Migration. For new delegate users coming to your account, you can configure a set of roles to be assigned to them by default. To learn more, see View and manage default role assignment for delegate users.
Changes in Linode API
In the API experience you need to be aware of the following changes:
- New operations are available:
- The following restrictions apply to other Linode API operations for a child account in a parent and child relationship:
| Operation | Change |
|---|---|
| Update a user | Delegate users' usernames and email addresses can't be changed. |
| Delete a user | 1. Delegate users with the account_admin role can remove native users of the child account. 2. A delegate user can't be removed from the account. To remove a user from a child account, they need to be removed from a delegation on the parent account. |
| Update a user's grants | The child_account_access grant is decommissioned. The API call won't fail, but the grant will be ignored. |
| Update your account | Accounts in the parent and child relationship can't update the company name. |
Migration
When migration is performed:
- A single parent user (parent user on UI and proxy user in API) separates into individual delegate users.
- Parent users who were granted access to your account on the parent account before the migration now have the following access:
  - The access that was configured originally for the parent user is assigned to each delegate user.
  - Additionally, each delegated user has the following RBAC roles assigned:
    - account_oauth_client_admin
    - account_event_viewer
    - account_notification_viewer
    - account_maintenance_viewer
    - account_vpc_viewer
    - account_viewer
What to do next
As a result of these changes, we recommend that the account administrator:
- Review the access of each delegate user. If needed, update it. You may need to contact your Akamai partner representative to go through the list of delegated users and their access, or give them administrative access to your account so they can do this task for you.
- Configure the default role assignment to be provided to new delegate users coming to your account.
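The review recommended above can be scripted over an exported user list. The following is an added example, not code from Akamai or Linode: it assumes each user record carries `username` and `user_type` fields, that the 16-character hash is alphanumeric, and that roles are supplied as a hypothetical username-to-role-list mapping; all sample data is constructed.

```python
import re

# Format stated on the page: delegate-{username on parent account}-{16 char unique hash}.
# Assumption: the hash is alphanumeric; the parent username may itself contain hyphens.
DELEGATE_RE = re.compile(r"^delegate-(?P<parent>.+)-(?P<hash>[A-Za-z0-9]{16})$")

# Roles the page says migration adds to every delegate user.
MIGRATION_ROLES = {
    "account_oauth_client_admin", "account_event_viewer",
    "account_notification_viewer", "account_maintenance_viewer",
    "account_vpc_viewer", "account_viewer",
}

def audit_users(users, roles_by_user):
    """Return (findings for delegate users, warnings for anomalies)."""
    findings, warnings = [], []
    for u in users:
        name, utype = u["username"], u.get("user_type")
        m = DELEGATE_RE.match(name)
        if utype == "proxy":
            warnings.append(f"{name}: legacy proxy user still listed")
        if utype != "delegate":
            # user_type is authoritative; a delegate-style name alone proves nothing.
            if m:
                warnings.append(f"{name}: delegate-style name but user_type={utype}")
            continue
        roles = set(roles_by_user.get(name, []))
        findings.append({
            "username": name,
            "parent_username": m.group("parent") if m else None,
            # Per the page, account_admin lets a delegate remove native users.
            "can_remove_native_users": "account_admin" in roles,
            "extra_roles": sorted(roles - MIGRATION_ROLES),
        })
    return findings, warnings

# Constructed sample data (not real accounts).
SAMPLE_USERS = [
    {"username": "alice", "user_type": "default"},
    {"username": "delegate-ops-lead-a1b2c3d4e5f6a7b8", "user_type": "delegate"},
    {"username": "delegate-bob-0123456789abcdef", "user_type": "delegate"},
    {"username": "delegate-fake-0000000000000000", "user_type": "default"},
]
SAMPLE_ROLES = {
    "delegate-ops-lead-a1b2c3d4e5f6a7b8": sorted(MIGRATION_ROLES) + ["account_admin"],
    "delegate-bob-0123456789abcdef": sorted(MIGRATION_ROLES),
}
```

Roles listed under `extra_roles` are those beyond the set that migration assigns to every delegate user, so they reflect access carried over from the original parent user configuration or granted afterwards.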
