Add and manage team members, assign and reclaim seats, and monitor Credits usage in the Token Plan console or management platform.
Access
Alibaba Cloud accounts and RAM users: Sign in to the Token Plan console and manage your team on the My Subscriptions page: click Settings in the Team Edition card to edit organization name, sign-in method (SSO/DingTalk), and more; click Assign seats in the Subscription details area to manage members.
Before a RAM user uses Token Plan, the Alibaba Cloud account must complete both of the following:
-
In the RAM console, attach either
AliyunTokenPlanReadOnlyAccess(read-only) orAliyunTokenPlanFullAccess(full management) system policy to the RAM user. Choose one based on the actual scope required. -
On the Account Management page of the bailian console, assign the Administrator or Subscription plan role to the RAM user.
Members who joined via SSO or DingTalk: Sign in to the management platform through the address shared by the administrator. The address is available in the Basic Information section of the Settings page.
Roles and permissions
|
Role |
Permissions |
|
Owner |
Add or remove members, assign or reclaim seats, change member roles, view usage for all members and models |
|
Administrator |
Same as Owner. Assigned by the Owner and can be removed or demoted |
|
Member |
Use the API Key and Base URL assigned by the administrator to call models |
Member management
Add a member
-
Manual (API access only, no platform login): On the Members page, click Add Member, enter a username (letters, digits, underscores) and role. Click Assign Seat in the operation column and select a tier. The system generates an API Key. Share it with the Base URL so the member can call models.
-
SSO or DingTalk sign-in (members log in and manage their own seat and API Key): After SAML or DingTalk integration is configured, members sign in from the login page and join automatically.
Change a member's role
On the Members page, click Change Role in the target member's operation column. Select the new role (Administrator or Member) and save. The Owner role cannot be changed.
Reset API key
On the Members page, click Reset in the target member's operation column. The original API key is revoked immediately. Deliver the new key to the member.
Remove a member
On the Members page, click Remove from Organization in the target member's operation column. The seat is reclaimed and the API key is revoked immediately.
SAML integration
Integrate a corporate IdP (Alibaba Cloud IDaaS, Okta, Azure AD, ADFS, etc.) via SAML 2.0. Once configured, members sign in through the SSO entry on the login page with their IdP account and automatically join the organization.
SAML configuration
Prerequisite: Remove all members before editing SSO configuration.
-
Sign in to the Token Plan console. On the My Subscriptions page, click Settings in the Team Edition card and find the SSO Configuration section.
-
Obtain the IdP information (IdP Entity ID, IdP SSO URL, IdP Certificate) from the enterprise IdP. Click Edit, enter your custom SP Entity ID and the IdP information above, and save.
-
After saving, the system automatically generates the ACS URL. Enter the SP Entity ID and ACS URL into the enterprise IdP's SSO application configuration.
-
In the Basic Information section, copy the Management Platform Address and share it with your team. Members open the address and click the SSO sign-in option on the login page to join the organization.
Parameter reference
SP information (Model Studio side)
|
Parameter |
Description |
|
SP Entity ID |
A custom identifier for Model Studio in the SSO flow. Must also be entered in the enterprise IdP. |
|
ACS URL |
The endpoint that receives the IdP authentication response. Auto-generated after saving SSO configuration; enter it in the enterprise IdP. |
IdP information (Enterprise side, must be obtained from the enterprise IdP)
|
Parameter |
Description |
|
IdP Entity ID |
The enterprise IdP's unique identifier. |
|
IdP SSO URL |
The IdP login endpoint. Members are redirected here for authentication. |
|
IdP Certificate |
The IdP signing certificate, used to verify authentication responses. |
Configuration example: Alibaba Cloud IDaaS
Prerequisite: An Alibaba Cloud IDaaS EIAM instance is activated. If not, open the IDaaS console and click Create Free Instance.
-
Create a SAML application in IDaaS
In the IDaaS management platform, go to My Applications and click Add Application. Select Standard SAML 2.0, enter an application name, and create the application.
-
Obtain IdP information from IDaaS and enter it into Model Studio
In your IDaaS application, go to the Single Sign-On page and copy the IdP information from Application Configuration. In the Token Plan console, click Settings in the Team Edition card, find SSO Configuration, and click Edit. Enter your SP Entity ID and the IdP information below, then save:
IDaaS Application Configuration
Field in Model Studio
Description
IdP Unique Identifier (IdP Entity ID)
IdP Entity ID
IDaaS's unique identifier
IdP SSO URL (IdP Sign-in URL)
IdP SSO URL
The redirect URL for SSO authentication
Public Key Certificate
IdP Certificate
Click "Copy Certificate Content" to copy the certificate
-
Enter the SP Entity ID and ACS URL into IDaaS
After saving, Model Studio generates the ACS URL. In your IDaaS application, go to Login Access > Single Sign-On and enter these parameters:
Model Studio SP information
Field in IDaaS
Description
SP Entity ID
Application Unique Identifier (SP Entity ID)
Enter the SP Entity ID you defined in Model Studio
ACS URL
Single Sign-On URL (ACS URL)
Enter the ACS URL automatically generated by Model Studio
-
Create accounts and authorize in IDaaS
In the IDaaS management platform, go to Account Management and create accounts for team members.
In your SAML application, go to Login Access > Application Authorization and click Add Authorization. Select the accounts, groups, or organizational units that need SSO access. To add users later, repeat this step without reconfiguring SSO.
-
Share the management platform address with members
On the Settings page, copy the Management Platform Address from Basic Information and share it with members. Members open the address and click the SSO option to join.
DingTalk integration
For enterprises using DingTalk as their identity system. Once configured, members sign in through the DingTalk entry on the login page and automatically join the organization.
Prerequisite: A DingTalk enterprise exists and target members have been added to it.
-
Create a DingTalk internal application
In the DingTalk Open Platform, go to Application Development > Internal Application > DingTalk Application and click Create Application. Enter a name and description, then save.
-
Obtain application credentials
On the application details page, go to Basic Information > Credentials and Basic Information and record the Client ID and Client Secret (AppKey and AppSecret). You need them in the Token Plan console.
-
Configure the redirect domain
On the application details page, go to Development Configuration > Security Settings. Enter
https://account-enterprise.bailian.aliyunportal.com/api/v1/auth/dingtalk/callbackin Redirect URL (callback domain) and save. -
Enable contact read permissions
On the Permission Management page, enable Contact personal information read permission to identify members' DingTalk accounts during login.
-
Publish the application
Go to Application Release > Version Management and Release, then create and publish a new version.
-
Enter the credentials in the Token Plan console
On the My Subscriptions page of the Token Plan console, click Settings in the Team Edition card. Go to SSO Configuration, switch to the DingTalk tab, and enter the configuration name, DingTalk Application AppKey, and DingTalk Application AppSecret from step 2. Save.
-
Share the Management Platform Address with members
On the Settings page, copy the Management Platform Address from Basic Information and share it with team members. Members open the address and select DingTalk login to join.
Seat operations
View seat status
On the My Subscriptions page, the Team Seats area shows assigned and total counts per tier. The Subscription Details area shows each seat's status and expiration date.
Assign a seat
-
On the Members page, find the target member and click Assign Seat in the operation column.
-
In the dialog box, select a seat tier and click Confirm.
The system generates an API Key after assignment. Share it with the Base URL so the member can call models.
Reclaim a seat
On the Members page, click Reclaim Seat in the target member's operation column, then click Confirm to confirm. The seat returns to unassigned and the member loses access. Reassigning it generates a new API key.
Add seats
On the My Subscriptions page of the Token Plan console, click Add seats, select a seat tier and quantity, and submit the order.
New seats share the existing subscription's expiration date. The price is prorated for the remaining time. For example, if 15 days remain in the subscription period, adding a Standard seat costs only the amount corresponding to those 15 days.
Upgrade a seat
On the My Subscriptions page of the Token Plan console, find the target seat in Subscription Details and click Upgrade, then select a higher tier and submit the order. To upgrade multiple seats at once, select them and click Batch Upgrade.
The upgrade fee is the price difference between the two tiers, prorated for the remaining time. For example, upgrading a Standard seat to an Advanced seat requires paying only the price difference for the remaining subscription period.
Usage analysis
Available only on the Token Plan management platform. On the Usage Analysis page, an owner can view:
-
Usage trend: Credits consumption trend over the past 1, 7, or 30 days.
-
Model usage: Credits consumed per model within the organization.
-
Member usage: Credits consumed per member.
FAQ
Can the API key still be used after a seat expires?
No. After a seat expires, its API key stops working. Renew the plan and reassign the seat to restore access.
Can a reclaimed seat be assigned to another member?
Yes. After reclamation, the seat returns to unassigned. Reassigning it to another member generates a new API key.
Can the same member switch seats?
Each member can hold only one seat at a time. To switch, reclaim the current seat first, then assign a new one.