---
stage_id: 03-identity
stage_type: landing-zone-setup
user_step_name: Landing Zone 身份与权限配置
user_goal: 完成统一登录入口、管理员用户和基础权限配置
user_progress_text: 正在补齐统一登录和权限配置
user_completion_text: Landing Zone 身份与权限配置已完成
user_intro_why_now: 组织与财务基础就绪后，需要尽快把管理员入口和权限体系立起来，后续操作才有统一身份承载
user_intro_value: 帮用户建立统一登录入口和最小可用的管理权限框架
user_intro_outcome: 完成后会拿到管理员账号、登录入口和基础权限集，便于后续平台管理和协作
purpose: Provide a unified login entry and baseline administrative permissions for platform administrators
---

# Phase 3: Workforce Login and Permissions (03-identity)

**Target directory**: `./volcengine-landing-zone-workspace/blueprints/landing-zone-setup/03-identity/`

## Phase Goal

- Create the permission sets and administrator user required for unified login and baseline permission management
- Automatically assign `AdministratorAccess` to the management account and the target account list
- Produce the login entry, administrator username, and initial password file

## Minimum Input

- Run `ve cloudidentity GetServiceStatus --body '{}'` first. If the service is not enabled, run `EnableService`
- If it returns `AccessDenied`, tell the user to grant `cloudidentity:GetServiceStatus` and, when needed, `cloudidentity:EnableService`
- `management_account_id` should default to the account of the current login identity or execution context
- `core_account_ids` should default to the core account IDs produced by `01-organization`
- Ask for `prefix` only when it is missing, because it is used for default administrator naming and resource naming
- Ask for `admin_username`, `admin_display_name`, and `session_duration` only when the defaults are not suitable
- `admin_email` is optional by default and should not become a blocking input for this phase
- Do not ask early in this phase for logging or networking variables

## Execution Conventions

- `terraform plan/apply` in this phase must explicitly use `-parallelism=1`
- Other permission sets are only created, not auto-assigned. The only auto-assigned set is `AdministratorAccess`
- After Terraform creates the administrator user, the blueprint calls `ve cloudidentity ResetPassword` to generate the initial password and requires a password change on first login
- If the instance name needs to be updated, confirm the exact field names first through `ve cloudidentity UpdateInstanceName --help`, then run it in the background. Do not expose parameter troubleshooting to the user
- The login entry shown to the user must come from this phase's Terraform output `recommended_login_url`. The blueprint resolves it dynamically from the live Cloud Identity instance (`GetPortalLoginConfig` → `PortalURL`, falling back to `GetServiceStatus` instance name/id) and appends `/userportal`, producing `https://${Subdomain}.volccloudidentity.com/userportal`. Do not hand-craft, guess, or hard-code this URL, and do not present the generic console login page `https://console.volcengine.com/auth/login` as the entry. If `recommended_login_url` cannot be resolved (empty), tell the user the user portal entry is not yet available and have them check the Cloud Identity console, rather than substituting the generic console URL silently.

## Files and Output

- By default, login information is written to `./volcengine-landing-zone-workspace/outputs/identity-login-info.md`
- The file must contain at least the login entry, administrator username, initial password, the required first-login password-change reminder, and the current permission assignment explanation
- The initial password must be **read from the blueprint's `admin-password-reset.json` result file (the random password generated by `ResetPassword`, typically under `Result.NewPassword` or `Result.Password`) and written inline into this `identity-login-info.md` document**. This consolidated document is the single deliverable the user reads. Do not merely point the user to `admin-password-reset.json` and make them open a second file for the password; the password belongs in this document body.
- Producing the login information file triggers G4. Open or deliver it first, then prompt the user and wait.
- Do not echo the full initial password in the **chat conversation**. This restriction applies only to the chat reply; it does **not** prevent writing the password into the delivered `identity-login-info.md` file. The password must still be present in that file body.
- Before entering `04-log`, G6 applies. Do not do any `04-log` preparation or write action until the user explicitly confirms they want to continue
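As an added example (not the blueprint's own code), the login-URL resolution described under Execution Conventions and the password handling under Files and Output, worked through in Python over constructed API results. The response keys `PortalURL`, `InstanceName`, `InstanceId`, `NewPassword` and `Password` come from this page; the exact response shapes, the sample values and the function names are assumptions.

```python
import json
from typing import Optional

GENERIC_CONSOLE_LOGIN = "https://console.volcengine.com/auth/login"  # never a valid entry

# Constructed sample responses; the nesting under "Result" is an assumption.
PORTAL_LOGIN_CONFIG = {"Result": {"PortalURL": "https://lz-demo.volccloudidentity.com/"}}
SERVICE_STATUS = {"Result": {"InstanceName": "lz-demo", "InstanceId": "ci-example-0001"}}
# Constructed content of admin-password-reset.json as written by ResetPassword.
ADMIN_PASSWORD_RESET = json.loads('{"Result": {"NewPassword": "Constructed-Initial-Pass1"}}')


def resolve_login_url(portal_cfg: dict, service_status: dict) -> Optional[str]:
    """Return <portal base>/userportal, or None when nothing can be resolved.

    Same order as the blueprint: PortalURL first, then the instance name/id as the
    subdomain of volccloudidentity.com. The generic console page is never returned.
    """
    base = ((portal_cfg.get("Result") or {}).get("PortalURL") or "").strip().rstrip("/")
    if not base:
        status = service_status.get("Result") or {}
        subdomain = status.get("InstanceName") or status.get("InstanceId")
        if not subdomain:
            return None
        base = f"https://{subdomain}.volccloudidentity.com"
    return base + "/userportal"


def read_initial_password(reset_result: dict) -> Optional[str]:
    """Pick the random password from a ResetPassword result (either documented key)."""
    result = reset_result.get("Result") or {}
    return result.get("NewPassword") or result.get("Password") or None


def render_login_info(login_url: Optional[str], username: str, password: str,
                      assigned_accounts: list) -> str:
    """Body of identity-login-info.md: the password is written inline, by design."""
    entry = login_url or "(user portal entry not yet available; check the Cloud Identity console)"
    accounts = ", ".join(assigned_accounts) or "(none)"
    return "\n".join([
        "# Landing Zone identity login information", "",
        f"- Login entry: {entry}",
        f"- Administrator username: `{username}`",
        f"- Initial password: `{password}`",
        "- You must change this password on first login.",
        f"- Permission assignment: `AdministratorAccess` assigned to {accounts}; "
        "other permission sets are created but not assigned.", "",
    ])


def chat_summary(login_url: Optional[str], username: str, info_path: str) -> str:
    """Chat reply: points at the file and never carries the password itself."""
    return f"Login info written to {info_path}. Entry: {login_url or 'not yet available'}. Username: {username}."
```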
