policy.yaml

policy.yaml

Use the policy.yaml file to define additional access controls that apply to the Identity service:

#
#"admin_required": "role:admin or is_admin:1"

#
#"service_role": "role:service"

#
#"service_or_admin": "rule:admin_required or rule:service_role"

#
#"owner": "user_id:%(user_id)s"

#
#"admin_or_owner": "rule:admin_required or rule:owner"

#
#"token_subject": "user_id:%(target.token.user_id)s"

#
#"admin_or_token_subject": "rule:admin_required or rule:token_subject"

#
#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject"

# Show application credential details.
# GET  /v3/users/{user_id}/application_credentials/{application_credential_id}
# HEAD  /v3/users/{user_id}/application_credentials/{application_credential_id}
#"identity:get_application_credential": "rule:admin_or_owner"

# List application credentials for a user.
# GET  /v3/users/{user_id}/application_credentials
# HEAD  /v3/users/{user_id}/application_credentials
#"identity:list_application_credentials": "rule:admin_or_owner"

# Create an application credential.
# POST  /v3/users/{user_id}/application_credentials
#"identity:create_application_credential": "rule:admin_or_owner"

# Delete an application credential.
# DELETE  /v3/users/{user_id}/application_credentials/{application_credential_id}
#"identity:delete_application_credential": "rule:admin_or_owner"

# Authorize OAUTH1 request token.
# PUT  /v3/OS-OAUTH1/authorize/{request_token_id}
# Intended scope(s): project
#"identity:authorize_request_token": "rule:admin_required"

# Get OAUTH1 access token for user by access token ID.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
# Intended scope(s): project
#"identity:get_access_token": "rule:admin_required"

# Get role for user OAUTH1 access token.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
# Intended scope(s): project
#"identity:get_access_token_role": "rule:admin_required"

# List OAUTH1 access tokens for user.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens
# Intended scope(s): project
#"identity:list_access_tokens": "rule:admin_required"

# List OAUTH1 access token roles.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
# Intended scope(s): project
#"identity:list_access_token_roles": "rule:admin_required"

# Delete OAUTH1 access token.
# DELETE  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
# Intended scope(s): project
#"identity:delete_access_token": "rule:admin_required"

# Get service catalog.
# GET  /v3/auth/catalog
# HEAD  /v3/auth/catalog
#"identity:get_auth_catalog": ""

# List all projects a user has access to via role assignments.
# GET  /v3/auth/projects
# HEAD  /v3/auth/projects
#"identity:get_auth_projects": ""

# List all domains a user has access to via role assignments.
# GET  /v3/auth/domains
# HEAD  /v3/auth/domains
#"identity:get_auth_domains": ""

# List systems a user has access to via role assignments.
# GET  /v3/auth/system
# HEAD  /v3/auth/system
#"identity:get_auth_system": ""

# Show OAUTH1 consumer details.
# GET  /v3/OS-OAUTH1/consumers/{consumer_id}
# Intended scope(s): system
#"identity:get_consumer": "rule:admin_required"

# List OAUTH1 consumers.
# GET  /v3/OS-OAUTH1/consumers
# Intended scope(s): system
#"identity:list_consumers": "rule:admin_required"

# Create OAUTH1 consumer.
# POST  /v3/OS-OAUTH1/consumers
# Intended scope(s): system
#"identity:create_consumer": "rule:admin_required"

# Update OAUTH1 consumer.
# PATCH  /v3/OS-OAUTH1/consumers/{consumer_id}
# Intended scope(s): system
#"identity:update_consumer": "rule:admin_required"

# Delete OAUTH1 consumer.
# DELETE  /v3/OS-OAUTH1/consumers/{consumer_id}
# Intended scope(s): system
#"identity:delete_consumer": "rule:admin_required"

# Show credentials details.
# GET  /v3/credentials/{credential_id}
#"identity:get_credential": "rule:admin_required"

# List credentials.
# GET  /v3/credentials
#"identity:list_credentials": "rule:admin_required"

# Create credential.
# POST  /v3/credentials
#"identity:create_credential": "rule:admin_required"

# Update credential.
# PATCH  /v3/credentials/{credential_id}
#"identity:update_credential": "rule:admin_required"

# Delete credential.
# DELETE  /v3/credentials/{credential_id}
#"identity:delete_credential": "rule:admin_required"

# Show domain details.
# GET  /v3/domains/{domain_id}
# Intended scope(s): system
#"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s"

# List domains.
# GET  /v3/domains
# Intended scope(s): system
#"identity:list_domains": "rule:admin_required"

# Create domain.
# POST  /v3/domains
# Intended scope(s): system
#"identity:create_domain": "rule:admin_required"

# Update domain.
# PATCH  /v3/domains/{domain_id}
# Intended scope(s): system
#"identity:update_domain": "rule:admin_required"

# Delete domain.
# DELETE  /v3/domains/{domain_id}
# Intended scope(s): system
#"identity:delete_domain": "rule:admin_required"

# Create domain configuration.
# PUT  /v3/domains/{domain_id}/config
# Intended scope(s): system
#"identity:create_domain_config": "rule:admin_required"

# Get the entire domain configuration for a domain, an option group
# within a domain, or a specific configuration option within a group
# for a domain.
# GET  /v3/domains/{domain_id}/config
# HEAD  /v3/domains/{domain_id}/config
# GET  /v3/domains/{domain_id}/config/{group}
# HEAD  /v3/domains/{domain_id}/config/{group}
# GET  /v3/domains/{domain_id}/config/{group}/{option}
# HEAD  /v3/domains/{domain_id}/config/{group}/{option}
# Intended scope(s): system
#"identity:get_domain_config": "rule:admin_required"

# Get security compliance domain configuration for either a domain or
# a specific option in a domain.
# GET  /v3/domains/{domain_id}/config/security_compliance
# HEAD  /v3/domains/{domain_id}/config/security_compliance
# GET  v3/domains/{domain_id}/config/security_compliance/{option}
# HEAD  v3/domains/{domain_id}/config/security_compliance/{option}
# Intended scope(s): system, project
#"identity:get_security_compliance_domain_config": ""

# Update domain configuration for either a domain, specific group or a
# specific option in a group.
# PATCH  /v3/domains/{domain_id}/config
# PATCH  /v3/domains/{domain_id}/config/{group}
# PATCH  /v3/domains/{domain_id}/config/{group}/{option}
# Intended scope(s): system
#"identity:update_domain_config": "rule:admin_required"

# Delete domain configuration for either a domain, specific group or a
# specific option in a group.
# DELETE  /v3/domains/{domain_id}/config
# DELETE  /v3/domains/{domain_id}/config/{group}
# DELETE  /v3/domains/{domain_id}/config/{group}/{option}
# Intended scope(s): system
#"identity:delete_domain_config": "rule:admin_required"

# Get domain configuration default for either a domain, specific group
# or a specific option in a group.
# GET  /v3/domains/config/default
# HEAD  /v3/domains/config/default
# GET  /v3/domains/config/{group}/default
# HEAD  /v3/domains/config/{group}/default
# GET  /v3/domains/config/{group}/{option}/default
# HEAD  /v3/domains/config/{group}/{option}/default
# Intended scope(s): system
#"identity:get_domain_config_default": "rule:admin_required"

# Show ec2 credential details.
# GET  /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
#"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"

# List ec2 credentials.
# GET  /v3/users/{user_id}/credentials/OS-EC2
#"identity:ec2_list_credentials": "rule:admin_or_owner"

# Create ec2 credential.
# POST  /v3/users/{user_id}/credentials/OS-EC2
#"identity:ec2_create_credential": "rule:admin_or_owner"

# Delete ec2 credential.
# DELETE  /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
#"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"

# Show endpoint details.
# GET  /v3/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:get_endpoint": "rule:admin_required"

# List endpoints.
# GET  /v3/endpoints
# Intended scope(s): system
#"identity:list_endpoints": "rule:admin_required"

# Create endpoint.
# POST  /v3/endpoints
# Intended scope(s): system
#"identity:create_endpoint": "rule:admin_required"

# Update endpoint.
# PATCH  /v3/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:update_endpoint": "rule:admin_required"

# Delete endpoint.
# DELETE  /v3/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:delete_endpoint": "rule:admin_required"

# Create endpoint group.
# POST  /v3/OS-EP-FILTER/endpoint_groups
# Intended scope(s): system
#"identity:create_endpoint_group": "rule:admin_required"

# List endpoint groups.
# GET  /v3/OS-EP-FILTER/endpoint_groups
# Intended scope(s): system
#"identity:list_endpoint_groups": "rule:admin_required"

# Get endpoint group.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# HEAD  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system
#"identity:get_endpoint_group": "rule:admin_required"

# Update endpoint group.
# PATCH  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system
#"identity:update_endpoint_group": "rule:admin_required"

# Delete endpoint group.
# DELETE  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system
#"identity:delete_endpoint_group": "rule:admin_required"

# List all projects associated with a specific endpoint group.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
# Intended scope(s): system
#"identity:list_projects_associated_with_endpoint_group": "rule:admin_required"

# List all endpoints associated with an endpoint group.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
# Intended scope(s): system
#"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required"

# Check if an endpoint group is associated with a project.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# HEAD  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system
#"identity:get_endpoint_group_in_project": "rule:admin_required"

# List endpoint groups associated with a specific project.
# GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
# Intended scope(s): system
#"identity:list_endpoint_groups_for_project": "rule:admin_required"

# Allow a project to access an endpoint group.
# PUT  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system
#"identity:add_endpoint_group_to_project": "rule:admin_required"

# Remove endpoint group from project.
# DELETE  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system
#"identity:remove_endpoint_group_from_project": "rule:admin_required"

# Check a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable.
# HEAD  /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# GET  /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# HEAD  /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# GET  /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# HEAD  /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# GET  /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# HEAD  /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# GET  /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# HEAD  /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# GET  /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# HEAD  /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# GET  /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# HEAD  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# GET  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# HEAD  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# GET  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system
#"identity:check_grant": "rule:admin_required"

# List roles granted to an actor on a target. A target can be either a
# domain or a project. An actor can be either a user or a group. For
# the OS-INHERIT APIs, it is possible to list inherited role grants
# for actors on domains, where grants are inherited to all projects in
# the specified domain.
# GET  /v3/projects/{project_id}/users/{user_id}/roles
# HEAD  /v3/projects/{project_id}/users/{user_id}/roles
# GET  /v3/projects/{project_id}/groups/{group_id}/roles
# HEAD  /v3/projects/{project_id}/groups/{group_id}/roles
# GET  /v3/domains/{domain_id}/users/{user_id}/roles
# HEAD  /v3/domains/{domain_id}/users/{user_id}/roles
# GET  /v3/domains/{domain_id}/groups/{group_id}/roles
# HEAD  /v3/domains/{domain_id}/groups/{group_id}/roles
# GET  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
# GET  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
# Intended scope(s): system
#"identity:list_grants": "rule:admin_required"

# Create a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable.
# PUT  /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# PUT  /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# PUT  /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# PUT  /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# PUT  /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# PUT  /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# PUT  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# PUT  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system
#"identity:create_grant": "rule:admin_required"

# Revoke a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable. In that case, revoking the role grant in the target
# would remove the logical effect of inheriting it to the target's
# projects subtree.
# DELETE  /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# DELETE  /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# DELETE  /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# DELETE  /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# DELETE  /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# DELETE  /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# DELETE  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# DELETE  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system
#"identity:revoke_grant": "rule:admin_required"

# List all grants a specific user has on the system.
# ['HEAD', 'GET']  /v3/system/users/{user_id}/roles
# Intended scope(s): system
#"identity:list_system_grants_for_user": "rule:admin_required"

# Check if a user has a role on the system.
# ['HEAD', 'GET']  /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system
#"identity:check_system_grant_for_user": "rule:admin_required"

# Grant a user a role on the system.
# ['PUT']  /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system
#"identity:create_system_grant_for_user": "rule:admin_required"

# Remove a role from a user on the system.
# ['DELETE']  /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system
#"identity:revoke_system_grant_for_user": "rule:admin_required"

# List all grants a specific group has on the system.
# ['HEAD', 'GET']  /v3/system/groups/{group_id}/roles
# Intended scope(s): system
#"identity:list_system_grants_for_group": "rule:admin_required"

# Check if a group has a role on the system.
# ['HEAD', 'GET']  /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system
#"identity:check_system_grant_for_group": "rule:admin_required"

# Grant a group a role on the system.
# ['PUT']  /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system
#"identity:create_system_grant_for_group": "rule:admin_required"

# Remove a role from a group on the system.
# ['DELETE']  /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system
#"identity:revoke_system_grant_for_group": "rule:admin_required"

# Show group details.
# GET  /v3/groups/{group_id}
# HEAD  /v3/groups/{group_id}
# Intended scope(s): system
#"identity:get_group": "rule:admin_required"

# List groups.
# GET  /v3/groups
# HEAD  /v3/groups
# Intended scope(s): system
#"identity:list_groups": "rule:admin_required"

# List groups to which a user belongs.
# GET  /v3/users/{user_id}/groups
# HEAD  /v3/users/{user_id}/groups
# Intended scope(s): system
#"identity:list_groups_for_user": "rule:admin_or_owner"

# Create group.
# POST  /v3/groups
# Intended scope(s): system
#"identity:create_group": "rule:admin_required"

# Update group.
# PATCH  /v3/groups/{group_id}
# Intended scope(s): system
#"identity:update_group": "rule:admin_required"

# Delete group.
# DELETE  /v3/groups/{group_id}
# Intended scope(s): system
#"identity:delete_group": "rule:admin_required"

# List members of a specific group.
# GET  /v3/groups/{group_id}/users
# HEAD  /v3/groups/{group_id}/users
# Intended scope(s): system
#"identity:list_users_in_group": "rule:admin_required"

# Remove user from group.
# DELETE  /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system
#"identity:remove_user_from_group": "rule:admin_required"

# Check whether a user is a member of a group.
# HEAD  /v3/groups/{group_id}/users/{user_id}
# GET  /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system
#"identity:check_user_in_group": "rule:admin_required"

# Add user to group.
# PUT  /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system
#"identity:add_user_to_group": "rule:admin_required"

# Create identity provider.
# PUT  /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system
#"identity:create_identity_provider": "rule:admin_required"

# List identity providers.
# GET  /v3/OS-FEDERATION/identity_providers
# HEAD  /v3/OS-FEDERATION/identity_providers
# Intended scope(s): system
#"identity:list_identity_providers": "rule:admin_required"

# Get identity provider.
# GET  /v3/OS-FEDERATION/identity_providers/{idp_id}
# HEAD  /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system
#"identity:get_identity_provider": "rule:admin_required"

# Update identity provider.
# PATCH  /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system
#"identity:update_identity_provider": "rule:admin_required"

# Delete identity provider.
# DELETE  /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system
#"identity:delete_identity_provider": "rule:admin_required"

# Get information about an association between two roles. When a
# relationship exists between a prior role and an implied role and the
# prior role is assigned to a user, the user also assumes the implied
# role.
# GET  /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system
#"identity:get_implied_role": "rule:admin_required"

# List associations between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role. This
# will return all the implied roles that would be assumed by the user
# who gets the specified prior role.
# GET  /v3/roles/{prior_role_id}/implies
# HEAD  /v3/roles/{prior_role_id}/implies
# Intended scope(s): system
#"identity:list_implied_roles": "rule:admin_required"

# Create an association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role.
# PUT  /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system
#"identity:create_implied_role": "rule:admin_required"

# Delete the association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role. Removing
# the association will cause that effect to be eliminated.
# DELETE  /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system
#"identity:delete_implied_role": "rule:admin_required"

# List all associations between two roles in the system. When a
# relationship exists between a prior role and an implied role and the
# prior role is assigned to a user, the user also assumes the implied
# role.
# GET  /v3/role_inferences
# HEAD  /v3/role_inferences
# Intended scope(s): system
#"identity:list_role_inference_rules": "rule:admin_required"

# Check an association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role.
# HEAD  /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system
#"identity:check_implied_role": "rule:admin_required"

# Get limit enforcement model.
# GET  /v3/limits/model
# HEAD  /v3/limits/model
# Intended scope(s): system, project
#"identity:get_limit_model": ""

# Show limit details.
# GET  /v3/limits/{limit_id}
# HEAD  /v3/limits/{limit_id}
# Intended scope(s): system, project
#"identity:get_limit": ""

# List limits.
# GET  /v3/limits
# HEAD  /v3/limits
# Intended scope(s): system, project
#"identity:list_limits": ""

# Create limits.
# POST  /v3/limits
# Intended scope(s): system
#"identity:create_limits": "rule:admin_required"

# Update limit.
# PATCH  /v3/limits/{limit_id}
# Intended scope(s): system
#"identity:update_limit": "rule:admin_required"

# Delete limit.
# DELETE  /v3/limits/{limit_id}
# Intended scope(s): system
#"identity:delete_limit": "rule:admin_required"

# Create a new federated mapping containing one or more sets of rules.
# PUT  /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:create_mapping": "rule:admin_required"

# Get a federated mapping.
# GET  /v3/OS-FEDERATION/mappings/{mapping_id}
# HEAD  /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:get_mapping": "rule:admin_required"

# List federated mappings.
# GET  /v3/OS-FEDERATION/mappings
# HEAD  /v3/OS-FEDERATION/mappings
# Intended scope(s): system
#"identity:list_mappings": "rule:admin_required"

# Delete a federated mapping.
# DELETE  /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:delete_mapping": "rule:admin_required"

# Update a federated mapping.
# PATCH  /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:update_mapping": "rule:admin_required"

# Show policy details.
# GET  /v3/policy/{policy_id}
# Intended scope(s): system
#"identity:get_policy": "rule:admin_required"

# List policies.
# GET  /v3/policies
# Intended scope(s): system
#"identity:list_policies": "rule:admin_required"

# Create policy.
# POST  /v3/policies
# Intended scope(s): system
#"identity:create_policy": "rule:admin_required"

# Update policy.
# PATCH  /v3/policies/{policy_id}
# Intended scope(s): system
#"identity:update_policy": "rule:admin_required"

# Delete policy.
# DELETE  /v3/policies/{policy_id}
# Intended scope(s): system
#"identity:delete_policy": "rule:admin_required"

# Associate a policy to a specific endpoint.
# PUT  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:create_policy_association_for_endpoint": "rule:admin_required"

# Check policy association for endpoint.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:check_policy_association_for_endpoint": "rule:admin_required"

# Delete policy association for endpoint.
# DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:delete_policy_association_for_endpoint": "rule:admin_required"

# Associate a policy to a specific service.
# PUT  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system
#"identity:create_policy_association_for_service": "rule:admin_required"

# Check policy association for service.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system
#"identity:check_policy_association_for_service": "rule:admin_required"

# Delete policy association for service.
# DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system
#"identity:delete_policy_association_for_service": "rule:admin_required"

# Associate a policy to a specific region and service combination.
# PUT  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system
#"identity:create_policy_association_for_region_and_service": "rule:admin_required"

# Check policy association for region and service.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system
#"identity:check_policy_association_for_region_and_service": "rule:admin_required"

# Delete policy association for region and service.
# DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system
#"identity:delete_policy_association_for_region_and_service": "rule:admin_required"

# Get policy for endpoint.
# GET  /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
# HEAD  /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
# Intended scope(s): system
#"identity:get_policy_for_endpoint": "rule:admin_required"

# List endpoints for policy.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
# Intended scope(s): system
#"identity:list_endpoints_for_policy": "rule:admin_required"

# Show project details.
# GET  /v3/projects/{project_id}
#"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s"

# List projects.
# GET  /v3/projects
# Intended scope(s): system
#"identity:list_projects": "rule:admin_required"

# List projects for user.
# GET  /v3/users/{user_id}/projects
#"identity:list_user_projects": "rule:admin_or_owner"

# Create project.
# POST  /v3/projects
# Intended scope(s): system
#"identity:create_project": "rule:admin_required"

# Update project.
# PATCH  /v3/projects/{project_id}
# Intended scope(s): system
#"identity:update_project": "rule:admin_required"

# Delete project.
# DELETE  /v3/projects/{project_id}
# Intended scope(s): system
#"identity:delete_project": "rule:admin_required"

# List tags for a project.
# GET  /v3/projects/{project_id}/tags
# HEAD  /v3/projects/{project_id}/tags
#"identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s"

# Check if project contains a tag.
# GET  /v3/projects/{project_id}/tags/{value}
# HEAD  /v3/projects/{project_id}/tags/{value}
#"identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s"

# Replace all tags on a project with the new set of tags.
# PUT  /v3/projects/{project_id}/tags
# Intended scope(s): system
#"identity:update_project_tags": "rule:admin_required"

# Add a single tag to a project.
# PUT  /v3/projects/{project_id}/tags/{value}
# Intended scope(s): system
#"identity:create_project_tag": "rule:admin_required"

# Remove all tags from a project.
# DELETE  /v3/projects/{project_id}/tags
# Intended scope(s): system
#"identity:delete_project_tags": "rule:admin_required"

# Delete a specified tag from project.
# DELETE  /v3/projects/{project_id}/tags/{value}
# Intended scope(s): system
#"identity:delete_project_tag": "rule:admin_required"

# List projects allowed to access an endpoint.
# GET  /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
# Intended scope(s): system
#"identity:list_projects_for_endpoint": "rule:admin_required"

# Allow project to access an endpoint.
# PUT  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:add_endpoint_to_project": "rule:admin_required"

# Check if a project is allowed to access an endpoint.
# GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# HEAD  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:check_endpoint_in_project": "rule:admin_required"

# List the endpoints a project is allowed to access.
# GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoints
# Intended scope(s): system
#"identity:list_endpoints_for_project": "rule:admin_required"

# Remove access to an endpoint from a project that has previously been
# given explicit access.
# DELETE  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:remove_endpoint_from_project": "rule:admin_required"

# Create federated protocol.
# PUT  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:create_protocol": "rule:admin_required"

# Update federated protocol.
# PATCH  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:update_protocol": "rule:admin_required"

# Get federated protocol.
# GET  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:get_protocol": "rule:admin_required"

# List federated protocols.
# GET  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
# Intended scope(s): system
#"identity:list_protocols": "rule:admin_required"

# Delete federated protocol.
# DELETE  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:delete_protocol": "rule:admin_required"

# Show region details.
# GET  /v3/regions/{region_id}
# HEAD  /v3/regions/{region_id}
# Intended scope(s): system, project
#"identity:get_region": ""

# List regions.
# GET  /v3/regions
# HEAD  /v3/regions
# Intended scope(s): system, project
#"identity:list_regions": ""

# Create region.
# POST  /v3/regions
# PUT  /v3/regions/{region_id}
# Intended scope(s): system
#"identity:create_region": "rule:admin_required"

# Update region.
# PATCH  /v3/regions/{region_id}
# Intended scope(s): system
#"identity:update_region": "rule:admin_required"

# Delete region.
# DELETE  /v3/regions/{region_id}
# Intended scope(s): system
#"identity:delete_region": "rule:admin_required"

# Show registered limit details.
# GET  /v3/registered_limits/{registered_limit_id}
# HEAD  /v3/registered_limits/{registered_limit_id}
# Intended scope(s): system, project
#"identity:get_registered_limit": ""

# List registered limits.
# GET  /v3/registered_limits
# HEAD  /v3/registered_limits
# Intended scope(s): system, project
#"identity:list_registered_limits": ""

# Create registered limits.
# POST  /v3/registered_limits
# Intended scope(s): system
#"identity:create_registered_limits": "rule:admin_required"

# Update registered limit.
# PATCH  /v3/registered_limits/{registered_limit_id}
# Intended scope(s): system
#"identity:update_registered_limit": "rule:admin_required"

# Delete registered limit.
# DELETE  /v3/registered_limits/{registered_limit_id}
# Intended scope(s): system
#"identity:delete_registered_limit": "rule:admin_required"

# List revocation events.
# GET  /v3/OS-REVOKE/events
# Intended scope(s): system
#"identity:list_revoke_events": "rule:service_or_admin"

# Show role details.
# GET  /v3/roles/{role_id}
# HEAD  /v3/roles/{role_id}
# Intended scope(s): system
#"identity:get_role": "rule:admin_required"

# List roles.
# GET  /v3/roles
# HEAD  /v3/roles
# Intended scope(s): system
#"identity:list_roles": "rule:admin_required"

# Create role.
# POST  /v3/roles
# Intended scope(s): system
#"identity:create_role": "rule:admin_required"

# Update role.
# PATCH  /v3/roles/{role_id}
# Intended scope(s): system
#"identity:update_role": "rule:admin_required"

# Delete role.
# DELETE  /v3/roles/{role_id}
# Intended scope(s): system
#"identity:delete_role": "rule:admin_required"

# Show domain role.
# GET  /v3/roles/{role_id}
# HEAD  /v3/roles/{role_id}
# Intended scope(s): system
#"identity:get_domain_role": "rule:admin_required"

# List domain roles.
# GET  /v3/roles?domain_id={domain_id}
# HEAD  /v3/roles?domain_id={domain_id}
# Intended scope(s): system
#"identity:list_domain_roles": "rule:admin_required"

# Create domain role.
# POST  /v3/roles
# Intended scope(s): system
#"identity:create_domain_role": "rule:admin_required"

# Update domain role.
# PATCH  /v3/roles/{role_id}
# Intended scope(s): system
#"identity:update_domain_role": "rule:admin_required"

# Delete domain role.
# DELETE  /v3/roles/{role_id}
# Intended scope(s): system
#"identity:delete_domain_role": "rule:admin_required"

# List role assignments.
# GET  /v3/role_assignments
# HEAD  /v3/role_assignments
# Intended scope(s): system
#"identity:list_role_assignments": "rule:admin_required"

# List all role assignments for a given tree of hierarchical projects.
# GET  /v3/role_assignments?include_subtree
# HEAD  /v3/role_assignments?include_subtree
# Intended scope(s): project
#"identity:list_role_assignments_for_tree": "rule:admin_required"

# Show service details.
# GET  /v3/services/{service_id}
# Intended scope(s): system
#"identity:get_service": "rule:admin_required"

# List services.
# GET  /v3/services
# Intended scope(s): system
#"identity:list_services": "rule:admin_required"

# Create service.
# POST  /v3/services
# Intended scope(s): system
#"identity:create_service": "rule:admin_required"

# Update service.
# PATCH  /v3/services/{service_id}
# Intended scope(s): system
#"identity:update_service": "rule:admin_required"

# Delete service.
# DELETE  /v3/services/{service_id}
# Intended scope(s): system
#"identity:delete_service": "rule:admin_required"

# Create federated service provider.
# PUT  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system
#"identity:create_service_provider": "rule:admin_required"

# List federated service providers.
# GET  /v3/OS-FEDERATION/service_providers
# HEAD  /v3/OS-FEDERATION/service_providers
# Intended scope(s): system
#"identity:list_service_providers": "rule:admin_required"

# Get federated service provider.
# GET  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# HEAD  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system
#"identity:get_service_provider": "rule:admin_required"

# Update federated service provider.
# PATCH  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system
#"identity:update_service_provider": "rule:admin_required"

# Delete federated service provider.
# DELETE  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system
#"identity:delete_service_provider": "rule:admin_required"

# List revoked PKI tokens.
# GET  /v3/auth/tokens/OS-PKI/revoked
# Intended scope(s): system, project
#"identity:revocation_list": "rule:service_or_admin"

# Check a token.
# HEAD  /v3/auth/tokens
#"identity:check_token": "rule:admin_or_token_subject"

# Validate a token.
# GET  /v3/auth/tokens
#"identity:validate_token": "rule:service_admin_or_token_subject"

# Revoke a token.
# DELETE  /v3/auth/tokens
#"identity:revoke_token": "rule:admin_or_token_subject"

# Create trust.
# POST  /v3/OS-TRUST/trusts
# Intended scope(s): project
#"identity:create_trust": "user_id:%(trust.trustor_user_id)s"

# List trusts.
# GET  /v3/OS-TRUST/trusts
# HEAD  /v3/OS-TRUST/trusts
# Intended scope(s): project
#"identity:list_trusts": ""

# List roles delegated by a trust.
# GET  /v3/OS-TRUST/trusts/{trust_id}/roles
# HEAD  /v3/OS-TRUST/trusts/{trust_id}/roles
# Intended scope(s): project
#"identity:list_roles_for_trust": ""

# Check if trust delegates a particular role.
# GET  /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
# HEAD  /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
# Intended scope(s): project
#"identity:get_role_for_trust": ""

# Revoke trust.
# DELETE  /v3/OS-TRUST/trusts/{trust_id}
# Intended scope(s): project
#"identity:delete_trust": ""

# Get trust.
# GET  /v3/OS-TRUST/trusts/{trust_id}
# HEAD  /v3/OS-TRUST/trusts/{trust_id}
# Intended scope(s): project
#"identity:get_trust": ""

# Show user details.
# GET  /v3/users/{user_id}
# HEAD  /v3/users/{user_id}
#"identity:get_user": "rule:admin_or_owner"

# List users.
# GET  /v3/users
# HEAD  /v3/users
# Intended scope(s): system
#"identity:list_users": "rule:admin_required"

# List all projects a user has access to via role assignments.
# GET   /v3/auth/projects
#"identity:list_projects_for_user": ""

# List all domains a user has access to via role assignments.
# GET  /v3/auth/domains
#"identity:list_domains_for_user": ""

# Create a user.
# POST  /v3/users
# Intended scope(s): system
#"identity:create_user": "rule:admin_required"

# Update a user, including administrative password resets.
# PATCH  /v3/users/{user_id}
# Intended scope(s): system
#"identity:update_user": "rule:admin_required"

# Delete a user.
# DELETE  /v3/users/{user_id}
# Intended scope(s): system
#"identity:delete_user": "rule:admin_required"

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.