Guide
Start typing to search…
  1. Identity and Access
  2. Identity and Access for Akamai Cloud (Limited Availability)
  3. Delegation for parent and child accounts

Migrated partners

🚧

If you used the previous version of the Parent and Child accounts feature, you’ll be migrated to the new experience with all your access configurations unchanged. Moving forward, you’ll need to adapt to the changes described in Parent and child account feature for Partners.

Action required: To learn about the changes resulting from the migration and recommended actions, see Migration.

General changes

The introduction of Identity and Access for the parent and child accounts feature causes the following changes to the original experience:

  • Instead of making a user unrestricted or providing them with the Enable child account access general permission on UI or the ​​child_account_access grant in API to enable them to switch to child accounts, the parent account administrator adds the user to an account delegation for a specific child account. To learn more about account delegations, see Terminology.
  • Instead of the parent user on UI and proxy user in API that acted as a single representative user for all parent users on the child account, there are now delegate users. Each parent user delegated to a child account is an individual user. To learn more about delegate users, see Terminology.
  • To switch between child accounts, you'll need to go back to your parent account, and select the child account you want to switch to.
  • A child account administrator specifies the delegate users' access to a child account for each individual delegate user. There’s no minimum and required access to a child account for delegate users defined by ​Akamai​, including billing. Child account administrators can configure roles to be assigned to new delegate users by default.
  • Delegate users with the account_admin role on a child account can remove native users of that account.

Changes in Linode API

In the API experience you need to be aware of the following changes:

  1. The original parent and child operations are now deprecated and provided a replacement.
FunctionalityDeprecatedReplacement
List child accounts linked to a parent account…/account/child-accounts.../​iam/​delegation/​child-accounts
Get a specific child account…/account/child-accounts/{euuId}…/iam/delegation/profile/child-accounts/{euuid}
Create a token to manage a child account…/account/child-accounts/{euuId}/token…/iam/delegation/profile/child-accounts/{euuid}/token

  1. For a parent account there are new operations available:
    1. Get the account delegation for a child account
    2. Update the account delegation for a child account
    3. Get user's account delegations
  2. This is the list of restrictions in other Linode API in terms of the parent/child relationship:
OperationChanges
Update a userOn a child account, a delegate user's username and email address can't be changed.
Delete a userOn a child account:
  1. Delegate users with the account_admin role can remove native users of the child account.
  2. A delegate user can’t be removed from the account. To remove a user from a child account, they need to be removed from a delegation on the parent account.
Update a profileOn a child account, a delegate user can’t change their email address.
Create a personal access tokenOn a child account, delegate users can’t create personal access tokens. They need to create a delegate user token.
Update a personal access tokenOn a child account, delegate users can’t use personal access token. They need to create a delegate user token.
Update a user's grantsThe ​​child_account_access grant is decommissioned. The API call won’t fail, but the grant will be ignored.
Update your accountAccounts in the parent and child relationship can’t update their company name.

Migration

When migration is performed:

  • An account delegation is added for each child account.
  • All users who were unrestricted or had the Enable child account access general permission enabled on UI or the child_account_access grant in API, are added to all account delegations on your account.
  • On child accounts, the configured delegate users have the following access:
    • The access that was configured originally for the parent user on UI and proxy user in API.
    • Additionally, they have the following RBAC roles assigned:
      • account_oauth_client_admin
      • account_event_viewer
      • account_notification_viewer
      • account_maintenance_viewer
      • account_vpc_viewer
      • account_viewer

What to do next

As a result of these changes, we recommend the account administrators to:

  • Go through all account delegations and review whether the users added there should continue to have access to each of those accounts. If not, remove them in Cloud Manager or by running the Update the account delegation for a child account API operation.
  • If you need to update the access on a specific child account, for a specific delegate user, contact the child account administrator of that child account.

Updated about 1 hour ago