> ## Documentation Index
> Fetch the complete documentation index at: https://enterprise-docs.dify.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Scope and Limitations

> What your external SSO session can and can't do, and how to request more access

When you sign in through external SSO, `difyctl` holds a scoped session that represents your corporate identity on your company's Dify host. It carries only the access your administrator granted you.

## What You Can Do

* **See the apps you're allowed to run.** [`difyctl get app`](/en/3.11.x/develop/cli/reference/apps#list-your-apps) lists the apps your administrator permitted for you, not every app on the host.
* **Inspect an app's inputs.** [`describe app`](/en/3.11.x/develop/cli/reference/apps#inspect-an-app) shows a permitted app's type and the inputs it expects, so you can build a correct invocation.
* **Run a permitted app.** [`run app`](/en/3.11.x/develop/cli/reference/apps#run-an-app) invokes it and prints the response, the same way an account user does.
* **Resume a paused workflow.** When a workflow you ran [pauses for human input](/en/3.11.x/develop/cli/reference/apps#when-a-workflow-pauses), [`resume app`](/en/3.11.x/develop/cli/reference/apps#resume-a-paused-workflow) continues it.
* **Work locally.** [`auth whoami`](/en/3.11.x/develop/cli/reference/auth-and-contexts#check-your-active-identity), [`version`](/en/3.11.x/develop/cli/reference/version), and [`help`](/en/3.11.x/develop/cli/reference/help) need no special access.

## What You Can't Do

Running the apps you were given is the full scope of your session. The rest of `difyctl` is out of reach:

* **No workspace.** An external SSO session isn't tied to a workspace, so [`get workspace`](/en/3.11.x/develop/cli/reference/workspaces) and `use workspace` don't apply, and neither does the `--workspace` flag.
* **No browsing beyond your permitted apps.** `get app` returns only what your administrator granted, and `-A` (all workspaces) doesn't apply. You can't list or reach other apps on the host.
* **No exporting or importing apps.**
* **No workspace or member management.**

## How Permission Errors Look

When you try something outside your scope, the server refuses it with an HTTP 403, which `difyctl` reports as a `server_4xx_other` error and exit code `1`.

This is distinct from a denied sign-in: `access_denied` (exit `4`) means the authorization itself was rejected during the browser step, not that a command fell outside your scope. See [Output Formats and Exit Codes](/en/3.11.x/develop/cli/reference/output-formats-and-exit-codes) for the full scheme.

## Asking for More Access

If you need an app that isn't in your list, or a capability that's out of scope, ask your Dify administrator. Access is granted on their side, so signing in again won't change what your session can reach until they update it.
