Policy configuration

Warning

JSON formatted policy file is deprecated since Keystone 19.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Configuration

The following is an overview of all available policies in Keystone.

For a sample configuration file, refer to policy.yaml.

keystone

admin_required
Default:

role:admin or is_admin:1

(no description provided)

service_role
Default:

role:service

(no description provided)

service_or_admin
Default:

rule:admin_required or rule:service_role

(no description provided)

owner
Default:

user_id:%(user_id)s

(no description provided)

admin_or_owner
Default:

rule:admin_required or rule:owner

(no description provided)

token_subject
Default:

user_id:%(target.token.user_id)s

(no description provided)

admin_or_token_subject
Default:

rule:admin_required or rule:token_subject

(no description provided)

service_admin_or_token_subject
Default:

rule:service_or_admin or rule:token_subject

(no description provided)

identity:get_access_rule
Default:

(role:reader and system_scope:all) or user_id:%(target.user.id)s

Operations:

  • GET /v3/users/{user_id}/access_rules/{access_rule_id}

  • HEAD /v3/users/{user_id}/access_rules/{access_rule_id}

Scope Types:

  • system

  • project

Show access rule details.

identity:list_access_rules
Default:

(role:reader and system_scope:all) or user_id:%(target.user.id)s

Operations:

  • GET /v3/users/{user_id}/access_rules

  • HEAD /v3/users/{user_id}/access_rules

Scope Types:

  • system

  • project

List access rules for a user.

identity:delete_access_rule
Default:

(role:admin and system_scope:all) or user_id:%(target.user.id)s

Operations:

  • DELETE /v3/users/{user_id}/access_rules/{access_rule_id}

Scope Types:

  • system

  • project

Delete an access_rule.

identity:authorize_request_token
Default:

rule:admin_required

Operations:

  • PUT /v3/OS-OAUTH1/authorize/{request_token_id}

Scope Types:

  • project

Authorize OAUTH1 request token.

identity:get_access_token
Default:

rule:admin_required

Operations:

  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

Scope Types:

  • project

Get OAUTH1 access token for user by access token ID.

identity:get_access_token_role
Default:

rule:admin_required

Operations:

  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}

Scope Types:

  • project

Get role for user OAUTH1 access token.

identity:list_access_tokens
Default:

rule:admin_required

Operations:

  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens

Scope Types:

  • project

List OAUTH1 access tokens for user.

identity:list_access_token_roles
Default:

rule:admin_required

Operations:

  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles

Scope Types:

  • project

List OAUTH1 access token roles.

identity:delete_access_token
Default:

rule:admin_required

Operations:

  • DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

Scope Types:

  • project

Delete OAUTH1 access token.

identity:get_application_credential
Default:

(role:reader and system_scope:all) or rule:owner

Operations:

  • GET /v3/users/{user_id}/application_credentials/{application_credential_id}

  • HEAD /v3/users/{user_id}/application_credentials/{application_credential_id}

Scope Types:

  • system

  • project

Show application credential details.

identity:list_application_credentials
Default:

(role:reader and system_scope:all) or rule:owner

Operations:

  • GET /v3/users/{user_id}/application_credentials

  • HEAD /v3/users/{user_id}/application_credentials

Scope Types:

  • system

  • project

List application credentials for a user.

identity:create_application_credential
Default:

user_id:%(user_id)s

Operations:

  • POST /v3/users/{user_id}/application_credentials

Scope Types:

  • project

Create an application credential.

identity:delete_application_credential
Default:

(role:admin and system_scope:all) or rule:owner

Operations:

  • DELETE /v3/users/{user_id}/application_credentials/{application_credential_id}

Scope Types:

  • system

  • project

Delete an application credential.

identity:get_auth_catalog
Default:

<empty string>

Operations:

  • GET /v3/auth/catalog

  • HEAD /v3/auth/catalog

Get service catalog.

identity:get_auth_projects
Default:

<empty string>

Operations:

  • GET /v3/auth/projects

  • HEAD /v3/auth/projects

List all projects a user has access to via role assignments.

identity:get_auth_domains
Default:

<empty string>

Operations:

  • GET /v3/auth/domains

  • HEAD /v3/auth/domains

List all domains a user has access to via role assignments.

identity:get_auth_system
Default:

<empty string>

Operations:

  • GET /v3/auth/system

  • HEAD /v3/auth/system

List systems a user has access to via role assignments.

identity:get_consumer
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-OAUTH1/consumers/{consumer_id}

Scope Types:

  • system

Show OAUTH1 consumer details.

identity:list_consumers
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-OAUTH1/consumers

Scope Types:

  • system

List OAUTH1 consumers.

identity:create_consumer
Default:

role:admin and system_scope:all

Operations:

  • POST /v3/OS-OAUTH1/consumers

Scope Types:

  • system

Create OAUTH1 consumer.

identity:update_consumer
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/OS-OAUTH1/consumers/{consumer_id}

Scope Types:

  • system

Update OAUTH1 consumer.

identity:delete_consumer
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/OS-OAUTH1/consumers/{consumer_id}

Scope Types:

  • system

Delete OAUTH1 consumer.

identity:get_credential
Default:

(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s

Operations:

  • GET /v3/credentials/{credential_id}

Scope Types:

  • system

  • project

Show credentials details.

identity:list_credentials
Default:

(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s

Operations:

  • GET /v3/credentials

Scope Types:

  • system

  • project

List credentials.

identity:create_credential
Default:

(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s

Operations:

  • POST /v3/credentials

Scope Types:

  • system

  • project

Create credential.

identity:update_credential
Default:

(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s

Operations:

  • PATCH /v3/credentials/{credential_id}

Scope Types:

  • system

  • project

Update credential.

identity:delete_credential
Default:

(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s

Operations:

  • DELETE /v3/credentials/{credential_id}

Scope Types:

  • system

  • project

Delete credential.

identity:get_domain
Default:

(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s

Operations:

  • GET /v3/domains/{domain_id}

Scope Types:

  • system

  • domain

  • project

Show domain details.

identity:list_domains
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/domains

Scope Types:

  • system

List domains.

identity:create_domain
Default:

role:admin and system_scope:all

Operations:

  • POST /v3/domains

Scope Types:

  • system

Create domain.

identity:update_domain
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/domains/{domain_id}

Scope Types:

  • system

Update domain.

identity:delete_domain
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/domains/{domain_id}

Scope Types:

  • system

Delete domain.

identity:create_domain_config
Default:

role:admin and system_scope:all

Operations:

  • PUT /v3/domains/{domain_id}/config

Scope Types:

  • system

Create domain configuration.

identity:get_domain_config
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/domains/{domain_id}/config

  • HEAD /v3/domains/{domain_id}/config

  • GET /v3/domains/{domain_id}/config/{group}

  • HEAD /v3/domains/{domain_id}/config/{group}

  • GET /v3/domains/{domain_id}/config/{group}/{option}

  • HEAD /v3/domains/{domain_id}/config/{group}/{option}

Scope Types:

  • system

Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain.

identity:get_security_compliance_domain_config
Default:

<empty string>

Operations:

  • GET /v3/domains/{domain_id}/config/security_compliance

  • HEAD /v3/domains/{domain_id}/config/security_compliance

  • GET /v3/domains/{domain_id}/config/security_compliance/{option}

  • HEAD /v3/domains/{domain_id}/config/security_compliance/{option}

Scope Types:

  • system

  • domain

  • project

Get security compliance domain configuration for either a domain or a specific option in a domain.

identity:update_domain_config
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/domains/{domain_id}/config

  • PATCH /v3/domains/{domain_id}/config/{group}

  • PATCH /v3/domains/{domain_id}/config/{group}/{option}

Scope Types:

  • system

Update domain configuration for either a domain, specific group or a specific option in a group.

identity:delete_domain_config
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/domains/{domain_id}/config

  • DELETE /v3/domains/{domain_id}/config/{group}

  • DELETE /v3/domains/{domain_id}/config/{group}/{option}

Scope Types:

  • system

Delete domain configuration for either a domain, specific group or a specific option in a group.

identity:get_domain_config_default
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/domains/config/default

  • HEAD /v3/domains/config/default

  • GET /v3/domains/config/{group}/default

  • HEAD /v3/domains/config/{group}/default

  • GET /v3/domains/config/{group}/{option}/default

  • HEAD /v3/domains/config/{group}/{option}/default

Scope Types:

  • system

Get domain configuration default for either a domain, specific group or a specific option in a group.

identity:ec2_get_credential
Default:

(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s

Operations:

  • GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

Scope Types:

  • system

  • project

Show ec2 credential details.

identity:ec2_list_credentials
Default:

(role:reader and system_scope:all) or rule:owner

Operations:

  • GET /v3/users/{user_id}/credentials/OS-EC2

Scope Types:

  • system

  • project

List ec2 credentials.

identity:ec2_create_credential
Default:

(role:admin and system_scope:all) or rule:owner

Operations:

  • POST /v3/users/{user_id}/credentials/OS-EC2

Scope Types:

  • system

  • project

Create ec2 credential.

identity:ec2_delete_credential
Default:

(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s

Operations:

  • DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

Scope Types:

  • system

  • project

Delete ec2 credential.

identity:get_endpoint
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/endpoints/{endpoint_id}

Scope Types:

  • system

Show endpoint details.

identity:list_endpoints
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/endpoints

Scope Types:

  • system

List endpoints.

identity:create_endpoint
Default:

role:admin and system_scope:all

Operations:

  • POST /v3/endpoints

Scope Types:

  • system

Create endpoint.

identity:update_endpoint
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/endpoints/{endpoint_id}

Scope Types:

  • system

Update endpoint.

identity:delete_endpoint
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/endpoints/{endpoint_id}

Scope Types:

  • system

Delete endpoint.

identity:create_endpoint_group
Default:

role:admin and system_scope:all

Operations:

  • POST /v3/OS-EP-FILTER/endpoint_groups

Scope Types:

  • system

Create endpoint group.

identity:list_endpoint_groups
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-EP-FILTER/endpoint_groups

Scope Types:

  • system

List endpoint groups.

identity:get_endpoint_group
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

  • HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

Scope Types:

  • system

Get endpoint group.

identity:update_endpoint_group
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

Scope Types:

  • system

Update endpoint group.

identity:delete_endpoint_group
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

Scope Types:

  • system

Delete endpoint group.

identity:list_projects_associated_with_endpoint_group
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects

Scope Types:

  • system

List all projects associated with a specific endpoint group.

identity:list_endpoints_associated_with_endpoint_group
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints

Scope Types:

  • system

List all endpoints associated with an endpoint group.

identity:get_endpoint_group_in_project
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

  • HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

Scope Types:

  • system

Check if an endpoint group is associated with a project.

identity:list_endpoint_groups_for_project
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups

Scope Types:

  • system

List endpoint groups associated with a specific project.

identity:add_endpoint_group_to_project
Default:

role:admin and system_scope:all

Operations:

  • PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

Scope Types:

  • system

Allow a project to access an endpoint group.

identity:remove_endpoint_group_from_project
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

Scope Types:

  • system

Remove endpoint group from project.

identity:check_grant
Default:

(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)

Operations:

  • HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id}

  • GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id}

  • HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

  • GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

  • HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}

  • GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}

  • HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

  • GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

  • HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

  • GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

  • HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

  • GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

Scope Types:

  • system

  • domain

Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.

identity:list_grants
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)

Operations:

  • GET /v3/projects/{project_id}/users/{user_id}/roles

  • HEAD /v3/projects/{project_id}/users/{user_id}/roles

  • GET /v3/projects/{project_id}/groups/{group_id}/roles

  • HEAD /v3/projects/{project_id}/groups/{group_id}/roles

  • GET /v3/domains/{domain_id}/users/{user_id}/roles

  • HEAD /v3/domains/{domain_id}/users/{user_id}/roles

  • GET /v3/domains/{domain_id}/groups/{group_id}/roles

  • HEAD /v3/domains/{domain_id}/groups/{group_id}/roles

  • GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects

  • GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects

Scope Types:

  • system

  • domain

List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain.

identity:create_grant
Default:

(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)

Operations:

  • PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}

  • PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

  • PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}

  • PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

  • PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

  • PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

Scope Types:

  • system

  • domain

Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.

identity:revoke_grant
Default:

(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)

Operations:

  • DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id}

  • DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

  • DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}

  • DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

  • DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

  • DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

Scope Types:

  • system

  • domain

Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target’s projects subtree.

identity:list_system_grants_for_user
Default:

role:reader and system_scope:all

Operations:

  • [‘HEAD’, ‘GET’] /v3/system/users/{user_id}/roles

Scope Types:

  • system

List all grants a specific user has on the system.

identity:check_system_grant_for_user
Default:

role:reader and system_scope:all

Operations:

  • [‘HEAD’, ‘GET’] /v3/system/users/{user_id}/roles/{role_id}

Scope Types:

  • system

Check if a user has a role on the system.

identity:create_system_grant_for_user
Default:

role:admin and system_scope:all

Operations:

  • [‘PUT’] /v3/system/users/{user_id}/roles/{role_id}

Scope Types:

  • system

Grant a user a role on the system.

identity:revoke_system_grant_for_user
Default:

role:admin and system_scope:all

Operations:

  • [‘DELETE’] /v3/system/users/{user_id}/roles/{role_id}

Scope Types:

  • system

Remove a role from a user on the system.

identity:list_system_grants_for_group
Default:

role:reader and system_scope:all

Operations:

  • [‘HEAD’, ‘GET’] /v3/system/groups/{group_id}/roles

Scope Types:

  • system

List all grants a specific group has on the system.

identity:check_system_grant_for_group
Default:

role:reader and system_scope:all

Operations:

  • [‘HEAD’, ‘GET’] /v3/system/groups/{group_id}/roles/{role_id}

Scope Types:

  • system

Check if a group has a role on the system.

identity:create_system_grant_for_group
Default:

role:admin and system_scope:all

Operations:

  • [‘PUT’] /v3/system/groups/{group_id}/roles/{role_id}

Scope Types:

  • system

Grant a group a role on the system.

identity:revoke_system_grant_for_group
Default:

role:admin and system_scope:all

Operations:

  • [‘DELETE’] /v3/system/groups/{group_id}/roles/{role_id}

Scope Types:

  • system

Remove a role from a group on the system.

identity:get_group
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)

Operations:

  • GET /v3/groups/{group_id}

  • HEAD /v3/groups/{group_id}

Scope Types:

  • system

  • domain

Show group details.

identity:list_groups
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)

Operations:

  • GET /v3/groups

  • HEAD /v3/groups

Scope Types:

  • system

  • domain

List groups.

identity:list_groups_for_user
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s

Operations:

  • GET /v3/users/{user_id}/groups

  • HEAD /v3/users/{user_id}/groups

Scope Types:

  • system

  • domain

  • project

List groups to which a user belongs.

identity:create_group
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)

Operations:

  • POST /v3/groups

Scope Types:

  • system

  • domain

Create group.

identity:update_group
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)

Operations:

  • PATCH /v3/groups/{group_id}

Scope Types:

  • system

  • domain

Update group.

identity:delete_group
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)

Operations:

  • DELETE /v3/groups/{group_id}

Scope Types:

  • system

  • domain

Delete group.

identity:list_users_in_group
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)

Operations:

  • GET /v3/groups/{group_id}/users

  • HEAD /v3/groups/{group_id}/users

Scope Types:

  • system

  • domain

List members of a specific group.

identity:remove_user_from_group
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)

Operations:

  • DELETE /v3/groups/{group_id}/users/{user_id}

Scope Types:

  • system

  • domain

Remove user from group.

identity:check_user_in_group
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)

Operations:

  • HEAD /v3/groups/{group_id}/users/{user_id}

  • GET /v3/groups/{group_id}/users/{user_id}

Scope Types:

  • system

  • domain

Check whether a user is a member of a group.

identity:add_user_to_group
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)

Operations:

  • PUT /v3/groups/{group_id}/users/{user_id}

Scope Types:

  • system

  • domain

Add user to group.

identity:create_identity_provider
Default:

role:admin and system_scope:all

Operations:

  • PUT /v3/OS-FEDERATION/identity_providers/{idp_id}

Scope Types:

  • system

Create identity provider.

identity:list_identity_providers
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-FEDERATION/identity_providers

  • HEAD /v3/OS-FEDERATION/identity_providers

Scope Types:

  • system

List identity providers.

identity:get_identity_provider
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-FEDERATION/identity_providers/{idp_id}

  • HEAD /v3/OS-FEDERATION/identity_providers/{idp_id}

Scope Types:

  • system

Get identity provider.

identity:update_identity_provider
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}

Scope Types:

  • system

Update identity provider.

identity:delete_identity_provider
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}

Scope Types:

  • system

Delete identity provider.

identity:get_implied_role
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/roles/{prior_role_id}/implies/{implied_role_id}

Scope Types:

  • system

Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:list_implied_roles
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/roles/{prior_role_id}/implies

  • HEAD /v3/roles/{prior_role_id}/implies

Scope Types:

  • system

List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role.

identity:create_implied_role
Default:

role:admin and system_scope:all

Operations:

  • PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}

Scope Types:

  • system

Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:delete_implied_role
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}

Scope Types:

  • system

Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.

identity:list_role_inference_rules
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/role_inferences

  • HEAD /v3/role_inferences

Scope Types:

  • system

List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:check_implied_role
Default:

role:reader and system_scope:all

Operations:

  • HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}

Scope Types:

  • system

Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:get_limit_model
Default:

<empty string>

Operations:

  • GET /v3/limits/model

  • HEAD /v3/limits/model

Scope Types:

  • system

  • domain

  • project

Get limit enforcement model.

identity:get_limit
Default:

(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)

Operations:

  • GET /v3/limits/{limit_id}

  • HEAD /v3/limits/{limit_id}

Scope Types:

  • system

  • domain

  • project

Show limit details.

identity:list_limits
Default:

<empty string>

Operations:

  • GET /v3/limits

  • HEAD /v3/limits

Scope Types:

  • system

  • domain

  • project

List limits.

identity:create_limits
Default:

role:admin and system_scope:all

Operations:

  • POST /v3/limits

Scope Types:

  • system

Create limits.

identity:update_limit
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/limits/{limit_id}

Scope Types:

  • system

Update limit.

identity:delete_limit
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/limits/{limit_id}

Scope Types:

  • system

Delete limit.

identity:create_mapping
Default:

role:admin and system_scope:all

Operations:

  • PUT /v3/OS-FEDERATION/mappings/{mapping_id}

Scope Types:

  • system

Create a new federated mapping containing one or more sets of rules.

identity:get_mapping
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-FEDERATION/mappings/{mapping_id}

  • HEAD /v3/OS-FEDERATION/mappings/{mapping_id}

Scope Types:

  • system

Get a federated mapping.

identity:list_mappings
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-FEDERATION/mappings

  • HEAD /v3/OS-FEDERATION/mappings

Scope Types:

  • system

List federated mappings.

identity:delete_mapping
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/OS-FEDERATION/mappings/{mapping_id}

Scope Types:

  • system

Delete a federated mapping.

identity:update_mapping
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/OS-FEDERATION/mappings/{mapping_id}

Scope Types:

  • system

Update a federated mapping.

identity:get_policy
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/policies/{policy_id}

Scope Types:

  • system

Show policy details.

identity:list_policies
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/policies

Scope Types:

  • system

List policies.

identity:create_policy
Default:

role:admin and system_scope:all

Operations:

  • POST /v3/policies

Scope Types:

  • system

Create policy.

identity:update_policy
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/policies/{policy_id}

Scope Types:

  • system

Update policy.

identity:delete_policy
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/policies/{policy_id}

Scope Types:

  • system

Delete policy.

identity:create_policy_association_for_endpoint
Default:

role:admin and system_scope:all

Operations:

  • PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

Scope Types:

  • system

Associate a policy to a specific endpoint.

identity:check_policy_association_for_endpoint
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

  • HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

Scope Types:

  • system

Check policy association for endpoint.

identity:delete_policy_association_for_endpoint
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

Scope Types:

  • system

Delete policy association for endpoint.

identity:create_policy_association_for_service
Default:

role:admin and system_scope:all

Operations:

  • PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

Scope Types:

  • system

Associate a policy to a specific service.

identity:check_policy_association_for_service
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

  • HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

Scope Types:

  • system

Check policy association for service.

identity:delete_policy_association_for_service
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

Scope Types:

  • system

Delete policy association for service.

identity:create_policy_association_for_region_and_service
Default:

role:admin and system_scope:all

Operations:

  • PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

Scope Types:

  • system

Associate a policy to a specific region and service combination.

identity:check_policy_association_for_region_and_service
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

  • HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

Scope Types:

  • system

Check policy association for region and service.

identity:delete_policy_association_for_region_and_service
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

Scope Types:

  • system

Delete policy association for region and service.

identity:get_policy_for_endpoint
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy

  • HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy

Scope Types:

  • system

Get policy for endpoint.

identity:list_endpoints_for_policy
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints

Scope Types:

  • system

List endpoints for policy.

identity:get_project
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s

Operations:

  • GET /v3/projects/{project_id}

Scope Types:

  • system

  • domain

  • project

Show project details.

identity:list_projects
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)

Operations:

  • GET /v3/projects

Scope Types:

  • system

  • domain

List projects.

identity:list_user_projects
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s

Operations:

  • GET /v3/users/{user_id}/projects

Scope Types:

  • system

  • domain

  • project

List projects for user.

identity:create_project
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)

Operations:

  • POST /v3/projects

Scope Types:

  • system

  • domain

Create project.

identity:update_project
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)

Operations:

  • PATCH /v3/projects/{project_id}

Scope Types:

  • system

  • domain

Update project.

identity:delete_project
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)

Operations:

  • DELETE /v3/projects/{project_id}

Scope Types:

  • system

  • domain

Delete project.

identity:list_project_tags
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s

Operations:

  • GET /v3/projects/{project_id}/tags

  • HEAD /v3/projects/{project_id}/tags

Scope Types:

  • system

  • domain

  • project

List tags for a project.

identity:get_project_tag
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s

Operations:

  • GET /v3/projects/{project_id}/tags/{value}

  • HEAD /v3/projects/{project_id}/tags/{value}

Scope Types:

  • system

  • domain

  • project

Check if project contains a tag.

identity:update_project_tags
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)

Operations:

  • PUT /v3/projects/{project_id}/tags

Scope Types:

  • system

  • domain

  • project

Replace all tags on a project with the new set of tags.

identity:create_project_tag
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)

Operations:

  • PUT /v3/projects/{project_id}/tags/{value}

Scope Types:

  • system

  • domain

  • project

Add a single tag to a project.

identity:delete_project_tags
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)

Operations:

  • DELETE /v3/projects/{project_id}/tags

Scope Types:

  • system

  • domain

  • project

Remove all tags from a project.

identity:delete_project_tag
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)

Operations:

  • DELETE /v3/projects/{project_id}/tags/{value}

Scope Types:

  • system

  • domain

  • project

Delete a specified tag from project.

identity:list_projects_for_endpoint
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects

Scope Types:

  • system

List projects allowed to access an endpoint.

identity:add_endpoint_to_project
Default:

role:admin and system_scope:all

Operations:

  • PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Scope Types:

  • system

Allow project to access an endpoint.

identity:check_endpoint_in_project
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

  • HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Scope Types:

  • system

Check if a project is allowed to access an endpoint.

identity:list_endpoints_for_project
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints

Scope Types:

  • system

List the endpoints a project is allowed to access.

identity:remove_endpoint_from_project
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Scope Types:

  • system

Remove access to an endpoint from a project that has previously been given explicit access.

identity:create_protocol
Default:

role:admin and system_scope:all

Operations:

  • PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

Scope Types:

  • system

Create federated protocol.

identity:update_protocol
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

Scope Types:

  • system

Update federated protocol.

identity:get_protocol
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

Scope Types:

  • system

Get federated protocol.

identity:list_protocols
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols

Scope Types:

  • system

List federated protocols.

identity:delete_protocol
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

Scope Types:

  • system

Delete federated protocol.

identity:get_region
Default:

<empty string>

Operations:

  • GET /v3/regions/{region_id}

  • HEAD /v3/regions/{region_id}

Scope Types:

  • system

  • domain

  • project

Show region details.

identity:list_regions
Default:

<empty string>

Operations:

  • GET /v3/regions

  • HEAD /v3/regions

Scope Types:

  • system

  • domain

  • project

List regions.

identity:create_region
Default:

role:admin and system_scope:all

Operations:

  • POST /v3/regions

  • PUT /v3/regions/{region_id}

Scope Types:

  • system

Create region.

identity:update_region
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/regions/{region_id}

Scope Types:

  • system

Update region.

identity:delete_region
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/regions/{region_id}

Scope Types:

  • system

Delete region.

identity:get_registered_limit
Default:

<empty string>

Operations:

  • GET /v3/registered_limits/{registered_limit_id}

  • HEAD /v3/registered_limits/{registered_limit_id}

Scope Types:

  • system

  • domain

  • project

Show registered limit details.

identity:list_registered_limits
Default:

<empty string>

Operations:

  • GET /v3/registered_limits

  • HEAD /v3/registered_limits

Scope Types:

  • system

  • domain

  • project

List registered limits.

identity:create_registered_limits
Default:

role:admin and system_scope:all

Operations:

  • POST /v3/registered_limits

Scope Types:

  • system

Create registered limits.

identity:update_registered_limit
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/registered_limits/{registered_limit_id}

Scope Types:

  • system

Update registered limit.

identity:delete_registered_limit
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/registered_limits/{registered_limit_id}

Scope Types:

  • system

Delete registered limit.

identity:list_revoke_events
Default:

rule:service_or_admin

Operations:

  • GET /v3/OS-REVOKE/events

Scope Types:

  • system

List revocation events.

identity:get_role
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/roles/{role_id}

  • HEAD /v3/roles/{role_id}

Scope Types:

  • system

Show role details.

identity:list_roles
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/roles

  • HEAD /v3/roles

Scope Types:

  • system

List roles.

identity:create_role
Default:

role:admin and system_scope:all

Operations:

  • POST /v3/roles

Scope Types:

  • system

Create role.

identity:update_role
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/roles/{role_id}

Scope Types:

  • system

Update role.

identity:delete_role
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/roles/{role_id}

Scope Types:

  • system

Delete role.

identity:get_domain_role
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/roles/{role_id}

  • HEAD /v3/roles/{role_id}

Scope Types:

  • system

Show domain role.

identity:list_domain_roles
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/roles?domain_id={domain_id}

  • HEAD /v3/roles?domain_id={domain_id}

Scope Types:

  • system

List domain roles.

identity:create_domain_role
Default:

role:admin and system_scope:all

Operations:

  • POST /v3/roles

Scope Types:

  • system

Create domain role.

identity:update_domain_role
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/roles/{role_id}

Scope Types:

  • system

Update domain role.

identity:delete_domain_role
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/roles/{role_id}

Scope Types:

  • system

Delete domain role.

identity:list_role_assignments
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)

Operations:

  • GET /v3/role_assignments

  • HEAD /v3/role_assignments

Scope Types:

  • system

  • domain

List role assignments.

identity:list_role_assignments_for_tree
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)

Operations:

  • GET /v3/role_assignments?include_subtree

  • HEAD /v3/role_assignments?include_subtree

Scope Types:

  • system

  • domain

  • project

List all role assignments for a given tree of hierarchical projects.

identity:get_service
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/services/{service_id}

Scope Types:

  • system

Show service details.

identity:list_services
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/services

Scope Types:

  • system

List services.

identity:create_service
Default:

role:admin and system_scope:all

Operations:

  • POST /v3/services

Scope Types:

  • system

Create service.

identity:update_service
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/services/{service_id}

Scope Types:

  • system

Update service.

identity:delete_service
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/services/{service_id}

Scope Types:

  • system

Delete service.

identity:create_service_provider
Default:

role:admin and system_scope:all

Operations:

  • PUT /v3/OS-FEDERATION/service_providers/{service_provider_id}

Scope Types:

  • system

Create federated service provider.

identity:list_service_providers
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-FEDERATION/service_providers

  • HEAD /v3/OS-FEDERATION/service_providers

Scope Types:

  • system

List federated service providers.

identity:get_service_provider
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-FEDERATION/service_providers/{service_provider_id}

  • HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id}

Scope Types:

  • system

Get federated service provider.

identity:update_service_provider
Default:

role:admin and system_scope:all

Operations:

  • PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id}

Scope Types:

  • system

Update federated service provider.

identity:delete_service_provider
Default:

role:admin and system_scope:all

Operations:

  • DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id}

Scope Types:

  • system

Delete federated service provider.

identity:revocation_list
Default:

rule:service_or_admin

Operations:

  • GET /v3/auth/tokens/OS-PKI/revoked

Scope Types:

  • system

  • project

List revoked PKI tokens.

identity:check_token
Default:

(role:reader and system_scope:all) or rule:token_subject

Operations:

  • HEAD /v3/auth/tokens

Scope Types:

  • system

  • domain

  • project

Check a token.

identity:validate_token
Default:

(role:reader and system_scope:all) or rule:service_role or rule:token_subject

Operations:

  • GET /v3/auth/tokens

Scope Types:

  • system

  • domain

  • project

Validate a token.

identity:revoke_token
Default:

(role:admin and system_scope:all) or rule:token_subject

Operations:

  • DELETE /v3/auth/tokens

Scope Types:

  • system

  • domain

  • project

Revoke a token.

identity:create_trust
Default:

user_id:%(trust.trustor_user_id)s

Operations:

  • POST /v3/OS-TRUST/trusts

Scope Types:

  • project

Create trust.

identity:list_trusts
Default:

role:reader and system_scope:all

Operations:

  • GET /v3/OS-TRUST/trusts

  • HEAD /v3/OS-TRUST/trusts

Scope Types:

  • system

List trusts.

identity:list_trusts_for_trustor
Default:

role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s

Operations:

  • GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}

  • HEAD /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}

Scope Types:

  • system

  • project

List trusts for trustor.

identity:list_trusts_for_trustee
Default:

role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s

Operations:

  • GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}

  • HEAD /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}

Scope Types:

  • system

  • project

List trusts for trustee.

identity:list_roles_for_trust
Default:

role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s

Operations:

  • GET /v3/OS-TRUST/trusts/{trust_id}/roles

  • HEAD /v3/OS-TRUST/trusts/{trust_id}/roles

Scope Types:

  • system

  • project

List roles delegated by a trust.

identity:get_role_for_trust
Default:

role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s

Operations:

  • GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}

  • HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}

Scope Types:

  • system

  • project

Check if trust delegates a particular role.

identity:delete_trust
Default:

role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s

Operations:

  • DELETE /v3/OS-TRUST/trusts/{trust_id}

Scope Types:

  • system

  • project

Revoke trust.

identity:get_trust
Default:

role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s

Operations:

  • GET /v3/OS-TRUST/trusts/{trust_id}

  • HEAD /v3/OS-TRUST/trusts/{trust_id}

Scope Types:

  • system

  • project

Get trust.

identity:get_user
Default:

(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s

Operations:

  • GET /v3/users/{user_id}

  • HEAD /v3/users/{user_id}

Scope Types:

  • system

  • domain

  • project

Show user details.

identity:list_users
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)

Operations:

  • GET /v3/users

  • HEAD /v3/users

Scope Types:

  • system

  • domain

List users.

identity:list_projects_for_user
Default:

<empty string>

Operations:

  • GET `` /v3/auth/projects``

List all projects a user has access to via role assignments.

identity:list_domains_for_user
Default:

<empty string>

Operations:

  • GET /v3/auth/domains

List all domains a user has access to via role assignments.

identity:create_user
Default:

(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)

Operations:

  • POST /v3/users

Scope Types:

  • system

  • domain

Create a user.

identity:update_user
Default:

(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)

Operations:

  • PATCH /v3/users/{user_id}

Scope Types:

  • system

  • domain

Update a user, including administrative password resets.

identity:delete_user
Default:

(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)

Operations:

  • DELETE /v3/users/{user_id}

Scope Types:

  • system

  • domain

Delete a user.