This topic describes the application management of other Alibaba Cloud services in IDaaS. If you do not use other Alibaba Cloud services that depend on IDaaS, you can skip this topic.
Alibaba Cloud IDaaS is committed to providing secure identity services for the Alibaba Cloud ecosystem. Therefore, stable IDaaS services and application configurations are important to customers.
Guided by the principle that the user who creates a resource must manage and destroy the resource, the lifecycle of application resources is managed in cloud services. Operations including application creation, configuration, management, and deletion are performed in the cloud service. Applications cannot be managed in IDaaS.
For example, Alibaba Cloud services are displayed first as ecosystem partners in the marketplace. These services cannot be created in IDaaS and must be created in the corresponding console. Then, you can bind these services to IDaaS instances by using the user management feature to create applications in IDaaS. The following figure shows how Alibaba Cloud RPA is displayed in the IDaaS marketplace.

The lifecycle of a cloud service application is managed in the cloud service, and different permissions are required to use different OpenAPI operations and features. When a regular user attempts to perform unauthorized operations on the application of the cloud service, the InvalidOperation.ResourceManagedByCloudProduct error code is returned.
The following table describes the permissions for API operations.
Operation description | OpenAPI | Use your Alibaba Cloud account to call this operation | Use the cloud service that hosts the application to call this operation |
Updates the name and logo of the application. | UpdateApplicationInfo | No | Yes |
Updates the description of the application. | UpdateApplicationDescription | Yes | Yes |
Deletes the application. | DeleteApplication | No | Yes |
Enables the application. | EnableApplication | No | Yes |
Disables the application. | DisableApplication | No | Yes |
Enables single sign-on (SSO) for the application. | EnableApplicationSso | No | Yes |
Sets the SSO configurations of the application. | SetApplicationSsoConfig | No | Yes |
Disables SSO for the application. | DisableApplicationSso | No | Yes |
Sets the account synchronization scope for the application. | SetApplicationProvisioningScope | No | Yes |
Sets the account synchronization configurations of the application. | SetApplicationProvisioningConfig | No | Yes |
Disables account synchronization for the application. | DisableApplicationProvisioning | No | Yes |
Enables account synchronization for the application. | EnableApplicationProvisioning | No | Yes |
Disables the Developer API operations of the application. | DisableApplicationApiInvoke | No | Yes |
Enables the Developer API operations of the application. | EnableApplicationApiInvoke | No | Yes |
Sets the scope of the Developer API operations of the application. | SetApplicationGrantScope | No | Yes |
Creates the client secret of the application. | CreateApplicationClientSecret | No | Yes |
Deletes the client secret of the application. | DeleteApplicationClientSecret | No | Yes |
Queries the client secret of the application. | ObtainApplicationClientSecret | No | Yes |
Enables the client secret of the application. | EnableApplicationClientSecret | No | Yes |
Disables the client secret of the application. | DisableApplicationClientSecret | No | Yes |
Other operations of the application and read-only operations. | - | Yes | Yes |
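
The following Python example is added here and is not part of the original documentation or of any Alibaba Cloud SDK. It applies the table above to API call records: it collects calls rejected with InvalidOperation.ResourceManagedByCloudProduct per principal, and flags account calls to service-only operations on a managed application that did not fail. The record fields (principal, caller, operation, app, managed, error) are hypothetical, and the sample records are constructed.

```python
import json
from collections import defaultdict

ERROR_CODE = "InvalidOperation.ResourceManagedByCloudProduct"

# Operations the permission table marks "No" for the Alibaba Cloud account.
SERVICE_ONLY = set("""
UpdateApplicationInfo DeleteApplication EnableApplication DisableApplication
EnableApplicationSso SetApplicationSsoConfig DisableApplicationSso
SetApplicationProvisioningScope SetApplicationProvisioningConfig
DisableApplicationProvisioning EnableApplicationProvisioning
DisableApplicationApiInvoke EnableApplicationApiInvoke
SetApplicationGrantScope CreateApplicationClientSecret
DeleteApplicationClientSecret ObtainApplicationClientSecret
EnableApplicationClientSecret DisableApplicationClientSecret
""".split())

# Constructed sample records; field names are hypothetical, not a real log schema.
SAMPLE_LOG = """\
{"principal": "ops-user", "caller": "account", "operation": "ObtainApplicationClientSecret", "app": "app_rpa", "managed": true, "error": "InvalidOperation.ResourceManagedByCloudProduct"}
{"principal": "ops-user", "caller": "account", "operation": "DisableApplicationSso", "app": "app_rpa", "managed": true, "error": "InvalidOperation.ResourceManagedByCloudProduct"}
{"principal": "rpa-service", "caller": "cloud_service", "operation": "SetApplicationSsoConfig", "app": "app_rpa", "managed": true, "error": null}
{"principal": "ops-user", "caller": "account", "operation": "UpdateApplicationDescription", "app": "app_rpa", "managed": true, "error": null}
{"principal": "dev-user", "caller": "account", "operation": "DeleteApplication", "app": "app_rpa", "managed": true, "error": null}
{"principal": "dev-user", "caller": "account", "operation": "DeleteApplication", "app": "app_own", "managed": false, "error": null}
"""

def triage(log_text):
    """Return (denied, unexpected) for the given JSON-lines records.

    denied: principal -> list of (operation, app) rejected with ERROR_CODE.
    unexpected: (principal, operation, app) for account calls to service-only
    operations on a cloud-service-managed app that did NOT fail, which
    contradicts the permission table and should be investigated.
    """
    denied, unexpected = defaultdict(list), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        op, app = rec["operation"], rec["app"]
        if rec.get("error") == ERROR_CODE:
            denied[rec["principal"]].append((op, app))
        elif (rec.get("managed") and rec["caller"] == "account"
              and op in SERVICE_ONLY and not rec.get("error")):
            unexpected.append((rec["principal"], op, app))
    return dict(denied), unexpected

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```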