Policy configuration
Warning
The JSON-formatted policy file is deprecated since Keystone 19.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
Configuration
The following is an overview of all available policies in Keystone.
For a sample configuration file, refer to policy.yaml.
keystone
admin_required
- Default:
role:admin or is_admin:1
(no description provided)
service_role
- Default:
role:service
(no description provided)
service_or_admin
- Default:
rule:admin_required or rule:service_role
(no description provided)
owner
- Default:
user_id:%(user_id)s
(no description provided)
admin_or_owner
- Default:
rule:admin_required or rule:owner
(no description provided)
token_subject
- Default:
user_id:%(target.token.user_id)s
(no description provided)
admin_or_token_subject
- Default:
rule:admin_required or rule:token_subject
(no description provided)
service_admin_or_token_subject
- Default:
rule:service_or_admin or rule:token_subject
(no description provided)
identity:get_access_rule
- Default:
(role:reader and system_scope:all) or user_id:%(target.user.id)s
- Operations:
GET
/v3/users/{user_id}/access_rules/{access_rule_id}
HEAD
/v3/users/{user_id}/access_rules/{access_rule_id}
- Scope Types:
system
project
Show access rule details.
identity:list_access_rules
- Default:
(role:reader and system_scope:all) or user_id:%(target.user.id)s
- Operations:
GET
/v3/users/{user_id}/access_rules
HEAD
/v3/users/{user_id}/access_rules
- Scope Types:
system
project
List access rules for a user.
identity:delete_access_rule
- Default:
(role:admin and system_scope:all) or user_id:%(target.user.id)s
- Operations:
DELETE
/v3/users/{user_id}/access_rules/{access_rule_id}
- Scope Types:
system
project
Delete an access_rule.
identity:authorize_request_token
- Default:
rule:admin_required
- Operations:
PUT
/v3/OS-OAUTH1/authorize/{request_token_id}
- Scope Types:
project
Authorize OAUTH1 request token.
identity:get_access_token
- Default:
rule:admin_required
- Operations:
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
- Scope Types:
project
Get OAUTH1 access token for user by access token ID.
identity:get_access_token_role
- Default:
rule:admin_required
- Operations:
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
- Scope Types:
project
Get role for user OAUTH1 access token.
identity:list_access_tokens
- Default:
rule:admin_required
- Operations:
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens
- Scope Types:
project
List OAUTH1 access tokens for user.
identity:list_access_token_roles
- Default:
rule:admin_required
- Operations:
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
- Scope Types:
project
List OAUTH1 access token roles.
identity:delete_access_token
- Default:
rule:admin_required
- Operations:
DELETE
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
- Scope Types:
project
Delete OAUTH1 access token.
identity:get_application_credential
- Default:
(role:reader and system_scope:all) or rule:owner
- Operations:
GET
/v3/users/{user_id}/application_credentials/{application_credential_id}
HEAD
/v3/users/{user_id}/application_credentials/{application_credential_id}
- Scope Types:
system
project
Show application credential details.
identity:list_application_credentials
- Default:
(role:reader and system_scope:all) or rule:owner
- Operations:
GET
/v3/users/{user_id}/application_credentials
HEAD
/v3/users/{user_id}/application_credentials
- Scope Types:
system
project
List application credentials for a user.
identity:create_application_credential
- Default:
user_id:%(user_id)s
- Operations:
POST
/v3/users/{user_id}/application_credentials
- Scope Types:
project
Create an application credential.
identity:delete_application_credential
- Default:
(role:admin and system_scope:all) or rule:owner
- Operations:
DELETE
/v3/users/{user_id}/application_credentials/{application_credential_id}
- Scope Types:
system
project
Delete an application credential.
identity:get_auth_catalog
- Default:
<empty string>
- Operations:
GET
/v3/auth/catalog
HEAD
/v3/auth/catalog
Get service catalog.
identity:get_auth_projects
- Default:
<empty string>
- Operations:
GET
/v3/auth/projects
HEAD
/v3/auth/projects
List all projects a user has access to via role assignments.
identity:get_auth_domains
- Default:
<empty string>
- Operations:
GET
/v3/auth/domains
HEAD
/v3/auth/domains
List all domains a user has access to via role assignments.
identity:get_auth_system
- Default:
<empty string>
- Operations:
GET
/v3/auth/system
HEAD
/v3/auth/system
List systems a user has access to via role assignments.
identity:get_consumer
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-OAUTH1/consumers/{consumer_id}
- Scope Types:
system
Show OAUTH1 consumer details.
identity:list_consumers
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-OAUTH1/consumers
- Scope Types:
system
List OAUTH1 consumers.
identity:create_consumer
- Default:
role:admin and system_scope:all
- Operations:
POST
/v3/OS-OAUTH1/consumers
- Scope Types:
system
Create OAUTH1 consumer.
identity:update_consumer
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/OS-OAUTH1/consumers/{consumer_id}
- Scope Types:
system
Update OAUTH1 consumer.
identity:delete_consumer
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/OS-OAUTH1/consumers/{consumer_id}
- Scope Types:
system
Delete OAUTH1 consumer.
identity:get_credential
- Default:
(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations:
GET
/v3/credentials/{credential_id}
- Scope Types:
system
project
Show credentials details.
identity:list_credentials
- Default:
(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations:
GET
/v3/credentials
- Scope Types:
system
project
List credentials.
identity:create_credential
- Default:
(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations:
POST
/v3/credentials
- Scope Types:
system
project
Create credential.
identity:update_credential
- Default:
(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations:
PATCH
/v3/credentials/{credential_id}
- Scope Types:
system
project
Update credential.
identity:delete_credential
- Default:
(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations:
DELETE
/v3/credentials/{credential_id}
- Scope Types:
system
project
Delete credential.
identity:get_domain
- Default:
(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s
- Operations:
GET
/v3/domains/{domain_id}
- Scope Types:
system
domain
project
Show domain details.
identity:list_domains
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/domains
- Scope Types:
system
List domains.
identity:create_domain
- Default:
role:admin and system_scope:all
- Operations:
POST
/v3/domains
- Scope Types:
system
Create domain.
identity:update_domain
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/domains/{domain_id}
- Scope Types:
system
Update domain.
identity:delete_domain
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/domains/{domain_id}
- Scope Types:
system
Delete domain.
identity:create_domain_config
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/domains/{domain_id}/config
- Scope Types:
system
Create domain configuration.
identity:get_domain_config
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/domains/{domain_id}/config
HEAD
/v3/domains/{domain_id}/config
GET
/v3/domains/{domain_id}/config/{group}
HEAD
/v3/domains/{domain_id}/config/{group}
GET
/v3/domains/{domain_id}/config/{group}/{option}
HEAD
/v3/domains/{domain_id}/config/{group}/{option}
- Scope Types:
system
Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain.
identity:get_security_compliance_domain_config
- Default:
<empty string>
- Operations:
GET
/v3/domains/{domain_id}/config/security_compliance
HEAD
/v3/domains/{domain_id}/config/security_compliance
GET
/v3/domains/{domain_id}/config/security_compliance/{option}
HEAD
/v3/domains/{domain_id}/config/security_compliance/{option}
- Scope Types:
system
domain
project
Get security compliance domain configuration for either a domain or a specific option in a domain.
identity:update_domain_config
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/domains/{domain_id}/config
PATCH
/v3/domains/{domain_id}/config/{group}
PATCH
/v3/domains/{domain_id}/config/{group}/{option}
- Scope Types:
system
Update domain configuration for either a domain, specific group or a specific option in a group.
identity:delete_domain_config
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/domains/{domain_id}/config
DELETE
/v3/domains/{domain_id}/config/{group}
DELETE
/v3/domains/{domain_id}/config/{group}/{option}
- Scope Types:
system
Delete domain configuration for either a domain, specific group or a specific option in a group.
identity:get_domain_config_default
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/domains/config/default
HEAD
/v3/domains/config/default
GET
/v3/domains/config/{group}/default
HEAD
/v3/domains/config/{group}/default
GET
/v3/domains/config/{group}/{option}/default
HEAD
/v3/domains/config/{group}/{option}/default
- Scope Types:
system
Get domain configuration default for either a domain, specific group or a specific option in a group.
identity:ec2_get_credential
- Default:
(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations:
GET
/v3/users/{user_id}/credentials/OS-EC2/{credential_id}
- Scope Types:
system
project
Show ec2 credential details.
identity:ec2_list_credentials
- Default:
(role:reader and system_scope:all) or rule:owner
- Operations:
GET
/v3/users/{user_id}/credentials/OS-EC2
- Scope Types:
system
project
List ec2 credentials.
identity:ec2_create_credential
- Default:
(role:admin and system_scope:all) or rule:owner
- Operations:
POST
/v3/users/{user_id}/credentials/OS-EC2
- Scope Types:
system
project
Create ec2 credential.
identity:ec2_delete_credential
- Default:
(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations:
DELETE
/v3/users/{user_id}/credentials/OS-EC2/{credential_id}
- Scope Types:
system
project
Delete ec2 credential.
identity:get_endpoint
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/endpoints/{endpoint_id}
- Scope Types:
system
Show endpoint details.
identity:list_endpoints
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/endpoints
- Scope Types:
system
List endpoints.
identity:create_endpoint
- Default:
role:admin and system_scope:all
- Operations:
POST
/v3/endpoints
- Scope Types:
system
Create endpoint.
identity:update_endpoint
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/endpoints/{endpoint_id}
- Scope Types:
system
Update endpoint.
identity:delete_endpoint
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/endpoints/{endpoint_id}
- Scope Types:
system
Delete endpoint.
identity:create_endpoint_group
- Default:
role:admin and system_scope:all
- Operations:
POST
/v3/OS-EP-FILTER/endpoint_groups
- Scope Types:
system
Create endpoint group.
identity:list_endpoint_groups
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-EP-FILTER/endpoint_groups
- Scope Types:
system
List endpoint groups.
identity:get_endpoint_group
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
HEAD
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- Scope Types:
system
Get endpoint group.
identity:update_endpoint_group
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- Scope Types:
system
Update endpoint group.
identity:delete_endpoint_group
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- Scope Types:
system
Delete endpoint group.
identity:list_projects_associated_with_endpoint_group
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
- Scope Types:
system
List all projects associated with a specific endpoint group.
identity:list_endpoints_associated_with_endpoint_group
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
- Scope Types:
system
List all endpoints associated with an endpoint group.
identity:get_endpoint_group_in_project
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
HEAD
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- Scope Types:
system
Check if an endpoint group is associated with a project.
identity:list_endpoint_groups_for_project
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
- Scope Types:
system
List endpoint groups associated with a specific project.
identity:add_endpoint_group_to_project
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- Scope Types:
system
Allow a project to access an endpoint group.
identity:remove_endpoint_group_from_project
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- Scope Types:
system
Remove endpoint group from project.
identity:check_grant
- Default:
(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)
- Operations:
HEAD
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
GET
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
HEAD
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
GET
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
HEAD
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
GET
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
HEAD
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
GET
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
HEAD
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
GET
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
HEAD
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
GET
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
HEAD
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
GET
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
HEAD
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
GET
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- Scope Types:
system
domain
Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
identity:list_grants
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)
- Operations:
GET
/v3/projects/{project_id}/users/{user_id}/roles
HEAD
/v3/projects/{project_id}/users/{user_id}/roles
GET
/v3/projects/{project_id}/groups/{group_id}/roles
HEAD
/v3/projects/{project_id}/groups/{group_id}/roles
GET
/v3/domains/{domain_id}/users/{user_id}/roles
HEAD
/v3/domains/{domain_id}/users/{user_id}/roles
GET
/v3/domains/{domain_id}/groups/{group_id}/roles
HEAD
/v3/domains/{domain_id}/groups/{group_id}/roles
GET
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
GET
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
- Scope Types:
system
domain
List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain.
identity:create_grant
- Default:
(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)
- Operations:
PUT
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
PUT
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
PUT
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
PUT
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
PUT
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
PUT
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
PUT
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
PUT
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- Scope Types:
system
domain
Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
identity:revoke_grant
- Default:
(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)
- Operations:
DELETE
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
DELETE
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
DELETE
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
DELETE
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
DELETE
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
DELETE
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
DELETE
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
DELETE
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- Scope Types:
system
domain
Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target’s projects subtree.
identity:list_system_grants_for_user
- Default:
role:reader and system_scope:all
- Operations:
HEAD
/v3/system/users/{user_id}/roles
GET
/v3/system/users/{user_id}/roles
- Scope Types:
system
List all grants a specific user has on the system.
identity:check_system_grant_for_user
- Default:
role:reader and system_scope:all
- Operations:
HEAD
/v3/system/users/{user_id}/roles/{role_id}
GET
/v3/system/users/{user_id}/roles/{role_id}
- Scope Types:
system
Check if a user has a role on the system.
identity:create_system_grant_for_user
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/system/users/{user_id}/roles/{role_id}
- Scope Types:
system
Grant a user a role on the system.
identity:revoke_system_grant_for_user
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/system/users/{user_id}/roles/{role_id}
- Scope Types:
system
Remove a role from a user on the system.
identity:list_system_grants_for_group
- Default:
role:reader and system_scope:all
- Operations:
HEAD
/v3/system/groups/{group_id}/roles
GET
/v3/system/groups/{group_id}/roles
- Scope Types:
system
List all grants a specific group has on the system.
identity:check_system_grant_for_group
- Default:
role:reader and system_scope:all
- Operations:
HEAD
/v3/system/groups/{group_id}/roles/{role_id}
GET
/v3/system/groups/{group_id}/roles/{role_id}
- Scope Types:
system
Check if a group has a role on the system.
identity:create_system_grant_for_group
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/system/groups/{group_id}/roles/{role_id}
- Scope Types:
system
Grant a group a role on the system.
identity:revoke_system_grant_for_group
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/system/groups/{group_id}/roles/{role_id}
- Scope Types:
system
Remove a role from a group on the system.
identity:get_group
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
- Operations:
GET
/v3/groups/{group_id}
HEAD
/v3/groups/{group_id}
- Scope Types:
system
domain
Show group details.
identity:list_groups
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
- Operations:
GET
/v3/groups
HEAD
/v3/groups
- Scope Types:
system
domain
List groups.
identity:list_groups_for_user
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s
- Operations:
GET
/v3/users/{user_id}/groups
HEAD
/v3/users/{user_id}/groups
- Scope Types:
system
domain
project
List groups to which a user belongs.
identity:create_group
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)
- Operations:
POST
/v3/groups
- Scope Types:
system
domain
Create group.
identity:update_group
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)
- Operations:
PATCH
/v3/groups/{group_id}
- Scope Types:
system
domain
Update group.
identity:delete_group
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)
- Operations:
DELETE
/v3/groups/{group_id}
- Scope Types:
system
domain
Delete group.
identity:list_users_in_group
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
- Operations:
GET
/v3/groups/{group_id}/users
HEAD
/v3/groups/{group_id}/users
- Scope Types:
system
domain
List members of a specific group.
identity:remove_user_from_group
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)
- Operations:
DELETE
/v3/groups/{group_id}/users/{user_id}
- Scope Types:
system
domain
Remove user from group.
identity:check_user_in_group
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)
- Operations:
HEAD
/v3/groups/{group_id}/users/{user_id}
GET
/v3/groups/{group_id}/users/{user_id}
- Scope Types:
system
domain
Check whether a user is a member of a group.
identity:add_user_to_group
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)
- Operations:
PUT
/v3/groups/{group_id}/users/{user_id}
- Scope Types:
system
domain
Add user to group.
identity:create_identity_provider
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types:
system
Create identity provider.
identity:list_identity_providers
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-FEDERATION/identity_providers
HEAD
/v3/OS-FEDERATION/identity_providers
- Scope Types:
system
List identity providers.
identity:get_identity_provider
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-FEDERATION/identity_providers/{idp_id}
HEAD
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types:
system
Get identity provider.
identity:update_identity_provider
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types:
system
Update identity provider.
identity:delete_identity_provider
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types:
system
Delete identity provider.
identity:get_implied_role
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types:
system
Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:list_implied_roles
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/roles/{prior_role_id}/implies
HEAD
/v3/roles/{prior_role_id}/implies
- Scope Types:
system
List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role.
identity:create_implied_role
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types:
system
Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:delete_implied_role
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types:
system
Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.
identity:list_role_inference_rules
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/role_inferences
HEAD
/v3/role_inferences
- Scope Types:
system
List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:check_implied_role
- Default:
role:reader and system_scope:all
- Operations:
HEAD
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types:
system
Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:get_limit_model
- Default:
<empty string>
- Operations:
GET
/v3/limits/model
HEAD
/v3/limits/model
- Scope Types:
system
domain
project
Get limit enforcement model.
identity:get_limit
- Default:
(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)
- Operations:
GET
/v3/limits/{limit_id}
HEAD
/v3/limits/{limit_id}
- Scope Types:
system
domain
project
Show limit details.
identity:list_limits
- Default:
<empty string>
- Operations:
GET
/v3/limits
HEAD
/v3/limits
- Scope Types:
system
domain
project
List limits.
identity:create_limits
- Default:
role:admin and system_scope:all
- Operations:
POST
/v3/limits
- Scope Types:
system
Create limits.
identity:update_limit
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/limits/{limit_id}
- Scope Types:
system
Update limit.
identity:delete_limit
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/limits/{limit_id}
- Scope Types:
system
Delete limit.
identity:create_mapping
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types:
system
Create a new federated mapping containing one or more sets of rules.
identity:get_mapping
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-FEDERATION/mappings/{mapping_id}
HEAD
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types:
system
Get a federated mapping.
identity:list_mappings
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-FEDERATION/mappings
HEAD
/v3/OS-FEDERATION/mappings
- Scope Types:
system
List federated mappings.
identity:delete_mapping
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types:
system
Delete a federated mapping.
identity:update_mapping
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types:
system
Update a federated mapping.
identity:get_policy
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/policies/{policy_id}
- Scope Types:
system
Show policy details.
identity:list_policies
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/policies
- Scope Types:
system
List policies.
identity:create_policy
- Default:
role:admin and system_scope:all
- Operations:
POST
/v3/policies
- Scope Types:
system
Create policy.
identity:update_policy
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/policies/{policy_id}
- Scope Types:
system
Update policy.
identity:delete_policy
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/policies/{policy_id}
- Scope Types:
system
Delete policy.
identity:create_policy_association_for_endpoint
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- Scope Types:
system
Associate a policy to a specific endpoint.
identity:check_policy_association_for_endpoint
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- Scope Types:
system
Check policy association for endpoint.
identity:delete_policy_association_for_endpoint
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- Scope Types:
system
Delete policy association for endpoint.
identity:create_policy_association_for_service
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- Scope Types:
system
Associate a policy to a specific service.
identity:check_policy_association_for_service
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- Scope Types:
system
Check policy association for service.
identity:delete_policy_association_for_service
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- Scope Types:
system
Delete policy association for service.
identity:create_policy_association_for_region_and_service
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- Scope Types:
system
Associate a policy to a specific region and service combination.
identity:check_policy_association_for_region_and_service
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- Scope Types:
system
Check policy association for region and service.
identity:delete_policy_association_for_region_and_service
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- Scope Types:
system
Delete policy association for region and service.
identity:get_policy_for_endpoint
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
HEAD
/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
- Scope Types:
system
Get policy for endpoint.
identity:list_endpoints_for_policy
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
- Scope Types:
system
List endpoints for policy.
identity:get_project
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
- Operations:
GET
/v3/projects/{project_id}
- Scope Types:
system
domain
project
Show project details.
identity:list_projects
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
- Operations:
GET
/v3/projects
- Scope Types:
system
domain
List projects.
identity:list_user_projects
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s
- Operations:
GET
/v3/users/{user_id}/projects
- Scope Types:
system
domain
project
List projects for user.
identity:create_project
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
- Operations:
POST
/v3/projects
- Scope Types:
system
domain
Create project.
identity:update_project
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
- Operations:
PATCH
/v3/projects/{project_id}
- Scope Types:
system
domain
Update project.
identity:delete_project
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
- Operations:
DELETE
/v3/projects/{project_id}
- Scope Types:
system
domain
Delete project.
identity:list_project_tags
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
- Operations:
GET
/v3/projects/{project_id}/tags
HEAD
/v3/projects/{project_id}/tags
- Scope Types:
system
domain
project
List tags for a project.
identity:get_project_tag
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
- Operations:
GET
/v3/projects/{project_id}/tags/{value}
HEAD
/v3/projects/{project_id}/tags/{value}
- Scope Types:
system
domain
project
Check if project contains a tag.
identity:update_project_tags
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)
- Operations:
PUT
/v3/projects/{project_id}/tags
- Scope Types:
system
domain
project
Replace all tags on a project with the new set of tags.
identity:create_project_tag
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)
- Operations:
PUT
/v3/projects/{project_id}/tags/{value}
- Scope Types:
system
domain
project
Add a single tag to a project.
identity:delete_project_tags
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)
- Operations:
DELETE
/v3/projects/{project_id}/tags
- Scope Types:
system
domain
project
Remove all tags from a project.
identity:delete_project_tag
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)
- Operations:
DELETE
/v3/projects/{project_id}/tags/{value}
- Scope Types:
system
domain
project
Delete a specified tag from project.
identity:list_projects_for_endpoint
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
- Scope Types:
system
List projects allowed to access an endpoint.
identity:add_endpoint_to_project
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- Scope Types:
system
Allow project to access an endpoint.
identity:check_endpoint_in_project
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
HEAD
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- Scope Types:
system
Check if a project is allowed to access an endpoint.
identity:list_endpoints_for_project
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoints
- Scope Types:
system
List the endpoints a project is allowed to access.
identity:remove_endpoint_from_project
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- Scope Types:
system
Remove access to an endpoint from a project that has previously been given explicit access.
identity:create_protocol
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types:
system
Create federated protocol.
identity:update_protocol
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types:
system
Update federated protocol.
identity:get_protocol
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types:
system
Get federated protocol.
identity:list_protocols
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
- Scope Types:
system
List federated protocols.
identity:delete_protocol
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types:
system
Delete federated protocol.
identity:get_region
- Default:
<empty string>
- Operations:
GET
/v3/regions/{region_id}
HEAD
/v3/regions/{region_id}
- Scope Types:
system
domain
project
Show region details.
identity:list_regions
- Default:
<empty string>
- Operations:
GET
/v3/regions
HEAD
/v3/regions
- Scope Types:
system
domain
project
List regions.
identity:create_region
- Default:
role:admin and system_scope:all
- Operations:
POST
/v3/regions
PUT
/v3/regions/{region_id}
- Scope Types:
system
Create region.
identity:update_region
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/regions/{region_id}
- Scope Types:
system
Update region.
identity:delete_region
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/regions/{region_id}
- Scope Types:
system
Delete region.
identity:get_registered_limit
- Default:
<empty string>
- Operations:
GET
/v3/registered_limits/{registered_limit_id}
HEAD
/v3/registered_limits/{registered_limit_id}
- Scope Types:
system
domain
project
Show registered limit details.
identity:list_registered_limits
- Default:
<empty string>
- Operations:
GET
/v3/registered_limits
HEAD
/v3/registered_limits
- Scope Types:
system
domain
project
List registered limits.
identity:create_registered_limits
- Default:
role:admin and system_scope:all
- Operations:
POST
/v3/registered_limits
- Scope Types:
system
Create registered limits.
identity:update_registered_limit
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/registered_limits/{registered_limit_id}
- Scope Types:
system
Update registered limit.
identity:delete_registered_limit
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/registered_limits/{registered_limit_id}
- Scope Types:
system
Delete registered limit.
identity:list_revoke_events
- Default:
rule:service_or_admin
- Operations:
GET
/v3/OS-REVOKE/events
- Scope Types:
system
List revocation events.
identity:get_role
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/roles/{role_id}
HEAD
/v3/roles/{role_id}
- Scope Types:
system
Show role details.
identity:list_roles
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/roles
HEAD
/v3/roles
- Scope Types:
system
List roles.
identity:create_role
- Default:
role:admin and system_scope:all
- Operations:
POST
/v3/roles
- Scope Types:
system
Create role.
identity:update_role
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/roles/{role_id}
- Scope Types:
system
Update role.
identity:delete_role
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/roles/{role_id}
- Scope Types:
system
Delete role.
identity:get_domain_role
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/roles/{role_id}
HEAD
/v3/roles/{role_id}
- Scope Types:
system
Show domain role.
identity:list_domain_roles
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/roles?domain_id={domain_id}
HEAD
/v3/roles?domain_id={domain_id}
- Scope Types:
system
List domain roles.
identity:create_domain_role
- Default:
role:admin and system_scope:all
- Operations:
POST
/v3/roles
- Scope Types:
system
Create domain role.
identity:update_domain_role
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/roles/{role_id}
- Scope Types:
system
Update domain role.
identity:delete_domain_role
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/roles/{role_id}
- Scope Types:
system
Delete domain role.
identity:list_role_assignments
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
- Operations:
GET
/v3/role_assignments
HEAD
/v3/role_assignments
- Scope Types:
system
domain
List role assignments.
identity:list_role_assignments_for_tree
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)
- Operations:
GET
/v3/role_assignments?include_subtree
HEAD
/v3/role_assignments?include_subtree
- Scope Types:
system
domain
project
List all role assignments for a given tree of hierarchical projects.
identity:get_service
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/services/{service_id}
- Scope Types:
system
Show service details.
identity:list_services
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/services
- Scope Types:
system
List services.
identity:create_service
- Default:
role:admin and system_scope:all
- Operations:
POST
/v3/services
- Scope Types:
system
Create service.
identity:update_service
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/services/{service_id}
- Scope Types:
system
Update service.
identity:delete_service
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/services/{service_id}
- Scope Types:
system
Delete service.
identity:create_service_provider
- Default:
role:admin and system_scope:all
- Operations:
PUT
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types:
system
Create federated service provider.
identity:list_service_providers
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-FEDERATION/service_providers
HEAD
/v3/OS-FEDERATION/service_providers
- Scope Types:
system
List federated service providers.
identity:get_service_provider
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-FEDERATION/service_providers/{service_provider_id}
HEAD
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types:
system
Get federated service provider.
identity:update_service_provider
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types:
system
Update federated service provider.
identity:delete_service_provider
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types:
system
Delete federated service provider.
identity:revocation_list
- Default:
rule:service_or_admin
- Operations:
GET
/v3/auth/tokens/OS-PKI/revoked
- Scope Types:
system
project
List revoked PKI tokens.
identity:check_token
- Default:
(role:reader and system_scope:all) or rule:token_subject
- Operations:
HEAD
/v3/auth/tokens
- Scope Types:
system
domain
project
Check a token.
identity:validate_token
- Default:
(role:reader and system_scope:all) or rule:service_role or rule:token_subject
- Operations:
GET
/v3/auth/tokens
- Scope Types:
system
domain
project
Validate a token.
identity:revoke_token
- Default:
(role:admin and system_scope:all) or rule:token_subject
- Operations:
DELETE
/v3/auth/tokens
- Scope Types:
system
domain
project
Revoke a token.
identity:create_trust
- Default:
user_id:%(trust.trustor_user_id)s
- Operations:
POST
/v3/OS-TRUST/trusts
- Scope Types:
project
Create trust.
identity:list_trusts
- Default:
role:reader and system_scope:all
- Operations:
GET
/v3/OS-TRUST/trusts
HEAD
/v3/OS-TRUST/trusts
- Scope Types:
system
List trusts.
identity:list_trusts_for_trustor
- Default:
role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s
- Operations:
GET
/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
HEAD
/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
- Scope Types:
system
project
List trusts for trustor.
identity:list_trusts_for_trustee
- Default:
role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s
- Operations:
GET
/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
HEAD
/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
- Scope Types:
system
project
List trusts for trustee.
identity:list_roles_for_trust
- Default:
role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
- Operations:
GET
/v3/OS-TRUST/trusts/{trust_id}/roles
HEAD
/v3/OS-TRUST/trusts/{trust_id}/roles
- Scope Types:
system
project
List roles delegated by a trust.
identity:get_role_for_trust
- Default:
role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
- Operations:
GET
/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
HEAD
/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
- Scope Types:
system
project
Check if trust delegates a particular role.
identity:delete_trust
- Default:
role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s
- Operations:
DELETE
/v3/OS-TRUST/trusts/{trust_id}
- Scope Types:
system
project
Revoke trust.
identity:get_trust
- Default:
role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
- Operations:
GET
/v3/OS-TRUST/trusts/{trust_id}
HEAD
/v3/OS-TRUST/trusts/{trust_id}
- Scope Types:
system
project
Get trust.
identity:get_user
- Default:
(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s
- Operations:
GET
/v3/users/{user_id}
HEAD
/v3/users/{user_id}
- Scope Types:
system
domain
project
Show user details.
identity:list_users
- Default:
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
- Operations:
GET
/v3/users
HEAD
/v3/users
- Scope Types:
system
domain
List users.
identity:list_projects_for_user
- Default:
<empty string>
- Operations:
GET
/v3/auth/projects
List all projects a user has access to via role assignments.
identity:list_domains_for_user
- Default:
<empty string>
- Operations:
GET
/v3/auth/domains
List all domains a user has access to via role assignments.
identity:create_user
- Default:
(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)
- Operations:
POST
/v3/users
- Scope Types:
system
domain
Create a user.
identity:update_user
- Default:
(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)
- Operations:
PATCH
/v3/users/{user_id}
- Scope Types:
system
domain
Update a user, including administrative password resets.
identity:delete_user
- Default:
(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)
- Operations:
DELETE
/v3/users/{user_id}
- Scope Types:
system
domain
Delete a user.
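The defaults above are written in the oslo.policy rule language: `and` binds tighter than `or` (so `role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s` on identity:delete_trust admits a system admin or the trustor, not a project-scoped admin), `rule:<name>` refers to another entry in the same file, `%(target.x.y)s` pulls a value from the object being acted on, and an empty default such as identity:get_region, identity:list_registered_limits or identity:list_projects_for_user admits any caller holding a valid token. The following is an added example written for this page, not oslo.policy itself and not code Keystone runs: a small evaluator for that grammar, loaded with rule strings copied from the entries above, applied to a set of constructed credentials. The credential dict shape (`user_id`, `roles`, `system_scope`, `project_id`, `domain_id`, `token.domain.id`), the subject names, and the body of the `token_subject` helper that identity:revoke_token references are assumptions of the example.

```python
import functools
import re


def _tokenize(text):  # split on whitespace; peel parentheses off word edges, keep %(...)s intact
    toks = []
    for word in text.split():
        inner = word.lstrip("(")
        core = inner.rstrip(")")
        toks += ["("] * (len(word) - len(inner)) + ([core] if core else []) + [")"] * (len(inner) - len(core))
    return toks


def _lookup(d, dotted):  # walk 'target.user.id'-style paths; KeyError/TypeError if absent
    return functools.reduce(lambda cur, key: cur[key], dotted.split("."), d)


class Policy:
    def __init__(self, rules):
        self.rules = dict(rules)

    def check(self, name, creds, target=None):
        toks = _tokenize(self.rules.get(name, "!"))  # unknown rule name -> "!" (fail closed)
        if not toks:
            return True  # "<empty string>" default: any caller holding a valid token passes
        val = self._or(toks, creds, target or {})
        if toks:
            raise ValueError("unbalanced parentheses or trailing tokens")
        return val

    # Recursive descent over a shared token list; both operands of and/or are always parsed.
    def _or(self, toks, creds, target):
        val = self._and(toks, creds, target)
        while toks and toks[0].lower() == "or":
            toks.pop(0)
            val = self._and(toks, creds, target) or val
        return val

    def _and(self, toks, creds, target):
        val = self._not(toks, creds, target)
        while toks and toks[0].lower() == "and":
            toks.pop(0)
            val = self._not(toks, creds, target) and val
        return val

    def _not(self, toks, creds, target):
        if not toks:
            raise ValueError("unexpected end of rule")
        tok = toks.pop(0)
        if tok.lower() == "not":
            return not self._not(toks, creds, target)
        if tok == "(":
            val = self._or(toks, creds, target)
            if not toks or toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
            return val
        return self._check(tok, creds, target)

    def _check(self, tok, creds, target):
        if tok in ("@", "!"):
            return tok == "@"
        kind, sep, match = tok.partition(":")
        if not sep:
            raise ValueError(f"malformed check {tok!r}")
        if kind == "rule":  # a reference cycle in the policy surfaces as RecursionError
            return self.check(match, creds, target)
        try:  # %(target.x.y)s is filled from the target; the key side is read from creds
            match = re.sub(r"%\(([^)]+)\)s", lambda m: str(_lookup(target, m.group(1))), match)
            if kind == "role":
                return match.lower() in [r.lower() for r in creds.get("roles", [])]
            return str(_lookup(creds, kind)) == match  # user_id, system_scope, token.domain.id, ...
        except (KeyError, TypeError):
            return False


# Rule strings copied from the defaults above; token_subject (used by revoke_token via rule:) is assumed here.
DEFAULTS = {
    "token_subject": "user_id:%(target.token.user_id)s",
    "identity:get_region": "",
    "identity:get_user": "(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s",
    "identity:delete_trust": "role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s",
    "identity:revoke_token": "(role:admin and system_scope:all) or rule:token_subject",
    "identity:list_role_assignments_for_tree": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)",
}

# Constructed creds shaped like the token attributes handed to the enforcer (assumption); roles are written out fully because tokens carry implied roles.
SUBJECTS = {
    "system_admin": {"user_id": "u-sys", "roles": ["admin", "member", "reader"], "system_scope": "all"},
    "domain_reader": {"user_id": "u-dr", "roles": ["reader"], "domain_id": "d1", "token": {"domain": {"id": "d1"}}},
    "project_admin": {"user_id": "u-pa", "roles": ["admin", "member", "reader"], "project_id": "p1"},
    "alice": {"user_id": "u-alice", "roles": ["member", "reader"], "project_id": "p1"},
    "bob": {"user_id": "u-bob", "roles": ["member", "reader"], "project_id": "p2"},
    "service": {"user_id": "u-nova", "roles": ["service"], "project_id": "p-svc"},
}


def who_can(policy, rule, target=None):
    return [n for n, creds in SUBJECTS.items() if policy.check(rule, creds, target)]
```

With a trust whose trustor is `u-alice` and trustee `u-bob` passed as `{"target": {"trust": {...}}}`, `who_can(Policy(DEFAULTS), "identity:delete_trust", trust)` returns `['system_admin', 'alice']`: the project-scoped admin is refused because `system_scope:all` is absent from its credentials and the `and` clause fails before the `or` is reached. `who_can(Policy(DEFAULTS), "identity:get_region")` returns every subject, including the service account; overriding that entry the way a policy.yaml line would (`"identity:get_region": "role:reader"`) drops `service` from the list. For a real deployment, dump the effective merged policy with `oslopolicy-policy-generator --namespace keystone` and test a captured token with `oslopolicy-checker --policy <file> --access <token.json> --rule <name>` rather than trusting a re-implementation.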