Identity as a Service (IDaaS) provides APIs to manage accounts and organizational units in your applications. Use these APIs to:
Create, update, and delete user accounts
Enable or disable accounts
Query account details and password policies
Create and manage organizational units
Retrieve the synchronization scope to identify which accounts and organizational units are manageable
All API calls except token generation require an access token. The synchronization scope determines which accounts and organizational units your application can act on.
Authentication
Get an access token
Get the client_id and client_secret from the General tab of your application's details page, then call GenerateToken. See General configurations for instructions on finding these credentials.
IDaaS Developer API authentication uses application secrets in IDaaS — not Resource Access Management (RAM). Grant API permissions on the IDaaS API tab of your application, not through RAM policies.
Configure permissions
Each API category requires a specific permission value, set on the IDaaS API tab. Grant only the permissions your application needs:
| Permission value | Operations granted |
|---|---|
urn:alibaba:idaas:scope:user:manager_all | Create, update, delete, enable, and disable accounts (CreateUser, PatchUser, DeleteUser, EnableUser, DisableUser) |
urn:alibaba:idaas:scope:user:read_all | Query account details, list accounts, and retrieve password policies (GetUser, ListUsers, GetUserPasswordPolicy) |
urn:alibaba:idaas:scope:organizational_unit:manager_all | Create, update, and delete organizational units (CreateOrganizationalUnit, PatchOrganizationalUnit, DeleteOrganizationalUnit) |
urn:alibaba:idaas:scope:organizational_unit:read_all | Query organizational unit details and list organizational units (GetOrganizationalUnit, ListOrganizationalUnits, ListOrganizationalUnitParentIds) |
Token generation and synchronization scope queries do not require a permission value.
SDK and tools
IDaaS supports SDKs for Java, Python, Go, PHP, C#, C++, and TypeScript through Alibaba Cloud OpenAPI Explorer.
On OpenAPI Explorer:
Browse the full API reference
Debug API operations online
Download SDK packages for your programming language
Get sample code for SDK-based API calls
To download a complete project with SDK installation and sample calls, click Download Project on the API Debugging page.
To call API operations directly without an SDK, use any HTTP development or testing tool. See Alibaba Cloud IDaaS API operations for the full list.
API operations
The following table lists the available API operations. For full parameter details, see the API reference.
| Category | Operation | API name | Required permission |
|---|---|---|---|
| Token | Get an access token | GenerateToken | — |
| Account | Create an account | CreateUser | urn:alibaba:idaas:scope:user:manager_all |
| Update an account | PatchUser | urn:alibaba:idaas:scope:user:manager_all | |
| Delete an account | DeleteUser | urn:alibaba:idaas:scope:user:manager_all | |
| Enable an account | EnableUser | urn:alibaba:idaas:scope:user:manager_all | |
| Disable an account | DisableUser | urn:alibaba:idaas:scope:user:manager_all | |
| Get account details | GetUser | urn:alibaba:idaas:scope:user:read_all | |
| List accounts | ListUsers | urn:alibaba:idaas:scope:user:read_all | |
| Get the password policy | GetUserPasswordPolicy | urn:alibaba:idaas:scope:user:read_all | |
| Organizational unit | Create an organizational unit | CreateOrganizationalUnit | urn:alibaba:idaas:scope:organizational_unit:manager_all |
| Update an organizational unit | PatchOrganizationalUnit | urn:alibaba:idaas:scope:organizational_unit:manager_all | |
| Delete an organizational unit | DeleteOrganizationalUnit | urn:alibaba:idaas:scope:organizational_unit:manager_all | |
| Get organizational unit details | GetOrganizationalUnit | urn:alibaba:idaas:scope:organizational_unit:read_all | |
| List organizational units | ListOrganizationalUnits | urn:alibaba:idaas:scope:organizational_unit:read_all | |
| List parent IDs of an organizational unit | ListOrganizationalUnitParentIds | urn:alibaba:idaas:scope:organizational_unit:read_all | |
| Synchronization scope | Get the synchronization scope | GetApplicationProvisioningScope | — |