IDaaS provides a Developer API for application developers to call.
You can use this API to synchronize accounts and organizational units with IDaaS. This helps you automate lifecycle management, including employee onboarding, offboarding, and role changes.
IDaaS administrators have full control over application management. They can enable or disable the API for specific applications and define its access scope.
Enable the API
You can enable or disable API calls for a specific application in the Developer API tab.
This page has a toggle to enable or disable the Developer API. At the top of the page, a message directs you to the Developer API Guide for applications.
After you enable the API, provide the client_id and client_secret from the General Settings tab to the application developer. Once you configure the necessary permissions, the developer can start calling the API.
API permissions
Administrators can assign API permissions to a specific application.
Note: Unlike Alibaba Cloud OpenAPI, the IDaaS Developer API relies on the application's credentials (client_id and client_secret) within IDaaS. API call permissions are assigned within the IDaaS application management console and are not dependent on RAM.
In the Developer API tab, you can select use cases to enable the corresponding APIs for your application.
The account and organizational unit use cases include the following permissions:
Query account information: permission value urn:alibaba:idaas:scope:user:read_all, corresponding to the GetUser, GetUserIdByExternalId, ListUsers, and GetUserPasswordPolicy APIs.
Manage users: permission value urn:alibaba:idaas:scope:user:manage_all, corresponding to the CreateUser, PatchUser, and DeleteUser APIs.
Query organizational unit information: permission value urn:alibaba:idaas:scope:organizational_unit:read_all, corresponding to the GetOrganizationalUnit, GetOrganizationalUnitIdByExternalId, ListOrganizationalUnits, and ListOrganizationalUnitParentIds APIs.
Manage organizational units: permission value urn:alibaba:idaas:scope:organizational_unit:manage_all, corresponding to the CreateOrganizationalUnit, PatchOrganizationalUnit, and DeleteOrganizationalUnit APIs.
Select the permissions required by your business.
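Added example (not part of the IDaaS documentation or SDK): a least-privilege check built from the permission list above. It compares the permissions enabled for an application with the APIs the integration actually calls. The function name audit_scopes and the sample application data are assumptions made for illustration.

```python
# Permission value -> APIs, copied from the permission list on this page.
SCOPE_APIS = {
    "urn:alibaba:idaas:scope:user:read_all": {
        "GetUser", "GetUserIdByExternalId", "ListUsers", "GetUserPasswordPolicy"},
    "urn:alibaba:idaas:scope:user:manage_all": {
        "CreateUser", "PatchUser", "DeleteUser"},
    "urn:alibaba:idaas:scope:organizational_unit:read_all": {
        "GetOrganizationalUnit", "GetOrganizationalUnitIdByExternalId",
        "ListOrganizationalUnits", "ListOrganizationalUnitParentIds"},
    "urn:alibaba:idaas:scope:organizational_unit:manage_all": {
        "CreateOrganizationalUnit", "PatchOrganizationalUnit",
        "DeleteOrganizationalUnit"},
}
# Inverted view: API name -> the one permission value that covers it.
API_SCOPE = {api: scope for scope, apis in SCOPE_APIS.items() for api in apis}


def audit_scopes(granted, apis_needed):
    """Compare permissions enabled for an application with the APIs it calls.

    audit_scopes is a hypothetical helper, not an IDaaS API.
    """
    granted, needed = set(granted), set(apis_needed)
    bad = sorted((needed - API_SCOPE.keys()) | (granted - SCOPE_APIS.keys()))
    if bad:
        raise ValueError(f"not in the page's permission list: {bad}")
    required = {API_SCOPE[api] for api in needed}
    return {
        # Calls that will be refused until the administrator enables these.
        "missing": sorted(required - granted),
        # Permissions that can be switched off without breaking the integration.
        "excess": sorted(granted - required),
        # Residual exposure: each permission covers several APIs, so this can
        # be non-empty even when nothing is in excess.
        "unneeded_apis": sorted(
            api for scope in granted for api in SCOPE_APIS[scope]
            if api not in needed),
    }


# Constructed sample: an onboarding sync job with every permission enabled.
SAMPLE_GRANTED = set(SCOPE_APIS)
SAMPLE_NEEDED = {"ListUsers", "CreateUser", "PatchUser", "ListOrganizationalUnits"}

if __name__ == "__main__":
    for key, value in audit_scopes(SAMPLE_GRANTED, SAMPLE_NEEDED).items():
        print(key, value)
```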
Data permission
The Synchronization Scope configured in the Account Synchronization tab also applies, limiting the data that the API can access and modify.
In this example, the Synchronization Scope is set to Alibaba Cloud IDaaS.
When an application uses the API to create or query resources, it is limited to the specified Synchronization Scope.
To manage the Synchronization Scope, go to the Account Synchronization tab.
API integration
For integration documentation, see the Developer API Guide for applications.
IDaaS provides SDKs for multiple languages. You can download the SDKs, view sample code, and test API calls directly on the Alibaba Cloud OpenAPI Developer Portal.