---
Title: Manage access
URL Source: https://company-skill.com/p/idaas/idaas-manage-access
Language: en
Description: You want to grant or revoke access to an IDaaS-registered application for specific users, groups, or organizational units by assigning appropriate roles. This includes both one-off manual assignments…
---

# Manage access

Part of **IDaaS (Identity as a Service)**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You want to grant or revoke access to an IDaaS-registered application for specific users, groups, or organizational units by assigning appropriate roles. This includes both one-off manual assignments and large-scale automated permission management.

**Typical User Questions**:
- How do I assign roles to users in an IDaaS application?
- Can I control which organizational units can access an app?

## Decision Tree

Pick the best path for your situation:

- **If** you need to assign roles to fewer than ~50 users or groups interactively using a graphical interface → Use Console / Dashboard (go to *idaas/idaas-identity*)
- **If** you require automation (e.g., onboarding/offboarding sync) or must manage permissions for hundreds/thousands of users → Use API (go to *idaas/idaas-identity*)
- **If** your use case involves integration with an external HR or identity system requiring real-time permission synchronization → Use API (go to *idaas/idaas-identity*)
- **Otherwise (default)** → Start with **Console / Dashboard** if you're an administrator performing occasional, small-scale permission changes without development resources.

## Path Comparison

| Path | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|------------|---------------|------------|----------|--------------|
| Console / Dashboard | low | No | No | Does not support bulk operations for large user sets | `idaas/guide/idaas-identity` |
| API | medium | Yes | Yes | Enforces 100 QPS rate limit per application | `idaas/api/idaas-identity` |

## Path Details

### Path 1: Console / Dashboard
**Brief Description**: Alibaba Cloud IDaaS provides a graphical interface under **Application Authorization** where administrators can use **User/Group Search**, **Assign Roles**, and **Edit Permissions** to manage access. This path requires **administrative privileges** and only works for applications already registered in the IDaaS system.

**Key technical facts**:
- Auth method: Console SSO

**When to Use**:
- Needing to interactively assign application roles to a small number of users or groups
- Preferring an intuitive graphical interface for permission management
- Not requiring integration with external systems or automated workflows

**When NOT to Use**:
- Needing programmatic management of large-scale user authorizations
- Requiring automatic synchronization of permissions with external systems
- Needing batch operations or automation pipelines

### Path 2: API

**Brief Description**: The **CIAM API** suite offers standardized **RESTful APIs** that use **bearerToken** authentication via **Authorization: Bearer $ACCESS_TOKEN** headers. To call these APIs, you must first register your application in the CIAM console and obtain **client_id** and **client_secret** credentials, then implement **OAuth 2.0** flows to acquire access tokens.

**Key technical facts**:
- Auth method: Bearer Token
- Rate limit: 100 QPS per application

**When to Use**:
- Needing programmatic management of large user authorization sets
- Requiring permission synchronization with external identity or HR systems
- Needing automated batch operations (e.g., during employee onboarding)

**When NOT to Use**:
- Only assigning roles to a few users interactively
- Lacking development resources to implement API integration
- Not needing external system integration

## FAQ

Q: Which path should I start with?
A: Start with **Console / Dashboard** if you’re an admin making occasional, small-scale changes (<50 users) and lack engineering support. Switch to the API only when you hit scalability or automation needs.

Q: What if I need to onboard 500 new employees weekly but used the console?
A: You’ll hit the console’s limitation: it does not support bulk operations for large user sets, and manually assigning roles at that scale is impractical and error-prone.

Q: What if I built an integration using the API but exceeded 100 QPS?
A: You’ll receive HTTP 429 errors due to the hard **100 QPS** rate limit per application, requiring retry logic or request throttling.
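
The throttling and retry logic this answer calls for, as an added example (not code from IDaaS or from this page): a client-side pacer that keeps one application under 100 QPS, plus a 429 retry loop that reports every grant or revoke that did not go through. `send` is a hypothetical callable wrapping the real API request, and the retry-after value it may return is an assumption about what that wrapper surfaces.

```python
import time

QPS_LIMIT = 100  # per-application limit stated on this page


class Pacer:
    """Spaces calls at least 1/rate seconds apart so one app stays under the limit."""

    def __init__(self, rate=QPS_LIMIT, clock=time.monotonic, sleep=time.sleep):
        self.interval = 1.0 / rate
        self.clock, self.sleep = clock, sleep
        self.next_slot = clock()

    def acquire(self):
        now = self.clock()
        if now < self.next_slot:
            self.sleep(self.next_slot - now)
        self.next_slot = max(now, self.next_slot) + self.interval


def assign_all(items, send, pacer, max_retries=5, base_delay=0.5, sleep=time.sleep):
    """Send every grant/revoke through `send`, paced, retrying HTTP 429.

    `send(item)` is a hypothetical callable wrapping the real API request; it
    returns (status_code, retry_after_seconds_or_None). The return value lists
    every item that did not go through, so a throttled revocation is reported
    instead of silently leaving access in place.
    """
    failed = []
    for item in items:
        for attempt in range(max_retries + 1):
            pacer.acquire()
            status, retry_after = send(item)
            if status != 429:
                if status >= 400:  # not a rate-limit problem: do not retry
                    failed.append((item, status))
                break
            if attempt == max_retries:
                failed.append((item, status))
                break
            # Use the server's hint if it gave one, else exponential backoff.
            sleep(retry_after if retry_after is not None else base_delay * 2 ** attempt)
    return failed
```

Treat a non-empty return value from an offboarding run as an open item: each entry is a permission change that has not taken effect.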

Q: Can I use the console to assign roles based on organizational unit membership?
A: Yes — the **User/Group Search** and **Role Assignment** features support selecting organizational units, but only interactively and without automation.

Q: Do I need special credentials for the API approach?
A: Yes — you must obtain **client_id** and **client_secret** from the CIAM console and implement **OAuth 2.0** to generate a **bearerToken** for the **Authorization: Bearer** header.

Q: Is OIDC required for the API path?
A: While **OIDC** may be used in broader identity flows, the core authorization API relies on **OAuth 2.0**-issued **bearerToken** for authentication — ensure your integration handles token acquisition correctly.

