Use the policy.yaml
file to define additional access controls that apply to
the Identity service:
#
#"admin_required": "role:admin or is_admin:1"
#
#"service_role": "role:service"
#
#"service_or_admin": "rule:admin_required or rule:service_role"
#
#"owner": "user_id:%(user_id)s"
#
#"admin_or_owner": "rule:admin_required or rule:owner"
#
#"token_subject": "user_id:%(target.token.user_id)s"
#
#"admin_or_token_subject": "rule:admin_required or rule:token_subject"
#
#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject"
# Show application credential details.
# GET /v3/users/{user_id}/application_credentials/{application_credential_id}
# HEAD /v3/users/{user_id}/application_credentials/{application_credential_id}
#"identity:get_application_credential": "rule:admin_or_owner"
# List application credentials for a user.
# GET /v3/users/{user_id}/application_credentials
# HEAD /v3/users/{user_id}/application_credentials
#"identity:list_application_credentials": "rule:admin_or_owner"
# Create an application credential.
# POST /v3/users/{user_id}/application_credentials
#"identity:create_application_credential": "rule:admin_or_owner"
# Delete an application credential.
# DELETE /v3/users/{user_id}/application_credentials/{application_credential_id}
#"identity:delete_application_credential": "rule:admin_or_owner"
# Authorize OAUTH1 request token.
# PUT /v3/OS-OAUTH1/authorize/{request_token_id}
# Intended scope(s): project
#"identity:authorize_request_token": "rule:admin_required"
# Get OAUTH1 access token for user by access token ID.
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
# Intended scope(s): project
#"identity:get_access_token": "rule:admin_required"
# Get role for user OAUTH1 access token.
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
# Intended scope(s): project
#"identity:get_access_token_role": "rule:admin_required"
# List OAUTH1 access tokens for user.
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens
# Intended scope(s): project
#"identity:list_access_tokens": "rule:admin_required"
# List OAUTH1 access token roles.
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
# Intended scope(s): project
#"identity:list_access_token_roles": "rule:admin_required"
# Delete OAUTH1 access token.
# DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
# Intended scope(s): project
#"identity:delete_access_token": "rule:admin_required"
# Get service catalog.
# GET /v3/auth/catalog
# HEAD /v3/auth/catalog
#"identity:get_auth_catalog": ""
# List all projects a user has access to via role assignments.
# GET /v3/auth/projects
# HEAD /v3/auth/projects
#"identity:get_auth_projects": ""
# List all domains a user has access to via role assignments.
# GET /v3/auth/domains
# HEAD /v3/auth/domains
#"identity:get_auth_domains": ""
# List systems a user has access to via role assignments.
# GET /v3/auth/system
# HEAD /v3/auth/system
#"identity:get_auth_system": ""
# Show OAUTH1 consumer details.
# GET /v3/OS-OAUTH1/consumers/{consumer_id}
# Intended scope(s): system
#"identity:get_consumer": "rule:admin_required"
# List OAUTH1 consumers.
# GET /v3/OS-OAUTH1/consumers
# Intended scope(s): system
#"identity:list_consumers": "rule:admin_required"
# Create OAUTH1 consumer.
# POST /v3/OS-OAUTH1/consumers
# Intended scope(s): system
#"identity:create_consumer": "rule:admin_required"
# Update OAUTH1 consumer.
# PATCH /v3/OS-OAUTH1/consumers/{consumer_id}
# Intended scope(s): system
#"identity:update_consumer": "rule:admin_required"
# Delete OAUTH1 consumer.
# DELETE /v3/OS-OAUTH1/consumers/{consumer_id}
# Intended scope(s): system
#"identity:delete_consumer": "rule:admin_required"
# Show credentials details.
# GET /v3/credentials/{credential_id}
#"identity:get_credential": "rule:admin_required"
# List credentials.
# GET /v3/credentials
#"identity:list_credentials": "rule:admin_required"
# Create credential.
# POST /v3/credentials
#"identity:create_credential": "rule:admin_required"
# Update credential.
# PATCH /v3/credentials/{credential_id}
#"identity:update_credential": "rule:admin_required"
# Delete credential.
# DELETE /v3/credentials/{credential_id}
#"identity:delete_credential": "rule:admin_required"
# Show domain details.
# GET /v3/domains/{domain_id}
# Intended scope(s): system
#"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s"
# List domains.
# GET /v3/domains
# Intended scope(s): system
#"identity:list_domains": "rule:admin_required"
# Create domain.
# POST /v3/domains
# Intended scope(s): system
#"identity:create_domain": "rule:admin_required"
# Update domain.
# PATCH /v3/domains/{domain_id}
# Intended scope(s): system
#"identity:update_domain": "rule:admin_required"
# Delete domain.
# DELETE /v3/domains/{domain_id}
# Intended scope(s): system
#"identity:delete_domain": "rule:admin_required"
# Create domain configuration.
# PUT /v3/domains/{domain_id}/config
# Intended scope(s): system
#"identity:create_domain_config": "rule:admin_required"
# Get the entire domain configuration for a domain, an option group
# within a domain, or a specific configuration option within a group
# for a domain.
# GET /v3/domains/{domain_id}/config
# HEAD /v3/domains/{domain_id}/config
# GET /v3/domains/{domain_id}/config/{group}
# HEAD /v3/domains/{domain_id}/config/{group}
# GET /v3/domains/{domain_id}/config/{group}/{option}
# HEAD /v3/domains/{domain_id}/config/{group}/{option}
# Intended scope(s): system
#"identity:get_domain_config": "rule:admin_required"
# Get security compliance domain configuration for either a domain or
# a specific option in a domain.
# GET /v3/domains/{domain_id}/config/security_compliance
# HEAD /v3/domains/{domain_id}/config/security_compliance
# GET v3/domains/{domain_id}/config/security_compliance/{option}
# HEAD v3/domains/{domain_id}/config/security_compliance/{option}
# Intended scope(s): system, project
#"identity:get_security_compliance_domain_config": ""
# Update domain configuration for either a domain, specific group or a
# specific option in a group.
# PATCH /v3/domains/{domain_id}/config
# PATCH /v3/domains/{domain_id}/config/{group}
# PATCH /v3/domains/{domain_id}/config/{group}/{option}
# Intended scope(s): system
#"identity:update_domain_config": "rule:admin_required"
# Delete domain configuration for either a domain, specific group or a
# specific option in a group.
# DELETE /v3/domains/{domain_id}/config
# DELETE /v3/domains/{domain_id}/config/{group}
# DELETE /v3/domains/{domain_id}/config/{group}/{option}
# Intended scope(s): system
#"identity:delete_domain_config": "rule:admin_required"
# Get domain configuration default for either a domain, specific group
# or a specific option in a group.
# GET /v3/domains/config/default
# HEAD /v3/domains/config/default
# GET /v3/domains/config/{group}/default
# HEAD /v3/domains/config/{group}/default
# GET /v3/domains/config/{group}/{option}/default
# HEAD /v3/domains/config/{group}/{option}/default
# Intended scope(s): system
#"identity:get_domain_config_default": "rule:admin_required"
# Show ec2 credential details.
# GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
#"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"
# List ec2 credentials.
# GET /v3/users/{user_id}/credentials/OS-EC2
#"identity:ec2_list_credentials": "rule:admin_or_owner"
# Create ec2 credential.
# POST /v3/users/{user_id}/credentials/OS-EC2
#"identity:ec2_create_credential": "rule:admin_or_owner"
# Delete ec2 credential.
# DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
#"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"
# Show endpoint details.
# GET /v3/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:get_endpoint": "rule:admin_required"
# List endpoints.
# GET /v3/endpoints
# Intended scope(s): system
#"identity:list_endpoints": "rule:admin_required"
# Create endpoint.
# POST /v3/endpoints
# Intended scope(s): system
#"identity:create_endpoint": "rule:admin_required"
# Update endpoint.
# PATCH /v3/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:update_endpoint": "rule:admin_required"
# Delete endpoint.
# DELETE /v3/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:delete_endpoint": "rule:admin_required"
# Create endpoint group.
# POST /v3/OS-EP-FILTER/endpoint_groups
# Intended scope(s): system
#"identity:create_endpoint_group": "rule:admin_required"
# List endpoint groups.
# GET /v3/OS-EP-FILTER/endpoint_groups
# Intended scope(s): system
#"identity:list_endpoint_groups": "rule:admin_required"
# Get endpoint group.
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system
#"identity:get_endpoint_group": "rule:admin_required"
# Update endpoint group.
# PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system
#"identity:update_endpoint_group": "rule:admin_required"
# Delete endpoint group.
# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system
#"identity:delete_endpoint_group": "rule:admin_required"
# List all projects associated with a specific endpoint group.
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
# Intended scope(s): system
#"identity:list_projects_associated_with_endpoint_group": "rule:admin_required"
# List all endpoints associated with an endpoint group.
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
# Intended scope(s): system
#"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required"
# Check if an endpoint group is associated with a project.
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system
#"identity:get_endpoint_group_in_project": "rule:admin_required"
# List endpoint groups associated with a specific project.
# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
# Intended scope(s): system
#"identity:list_endpoint_groups_for_project": "rule:admin_required"
# Allow a project to access an endpoint group.
# PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system
#"identity:add_endpoint_group_to_project": "rule:admin_required"
# Remove endpoint group from project.
# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system
#"identity:remove_endpoint_group_from_project": "rule:admin_required"
# Check a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable.
# HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system
#"identity:check_grant": "rule:admin_required"
# List roles granted to an actor on a target. A target can be either a
# domain or a project. An actor can be either a user or a group. For
# the OS-INHERIT APIs, it is possible to list inherited role grants
# for actors on domains, where grants are inherited to all projects in
# the specified domain.
# GET /v3/projects/{project_id}/users/{user_id}/roles
# HEAD /v3/projects/{project_id}/users/{user_id}/roles
# GET /v3/projects/{project_id}/groups/{group_id}/roles
# HEAD /v3/projects/{project_id}/groups/{group_id}/roles
# GET /v3/domains/{domain_id}/users/{user_id}/roles
# HEAD /v3/domains/{domain_id}/users/{user_id}/roles
# GET /v3/domains/{domain_id}/groups/{group_id}/roles
# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles
# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
# Intended scope(s): system
#"identity:list_grants": "rule:admin_required"
# Create a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable.
# PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system
#"identity:create_grant": "rule:admin_required"
# Revoke a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable. In that case, revoking the role grant in the target
# would remove the logical effect of inheriting it to the target's
# projects subtree.
# DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system
#"identity:revoke_grant": "rule:admin_required"
# List all grants a specific user has on the system.
# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles
# Intended scope(s): system
#"identity:list_system_grants_for_user": "rule:admin_required"
# Check if a user has a role on the system.
# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system
#"identity:check_system_grant_for_user": "rule:admin_required"
# Grant a user a role on the system.
# ['PUT'] /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system
#"identity:create_system_grant_for_user": "rule:admin_required"
# Remove a role from a user on the system.
# ['DELETE'] /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system
#"identity:revoke_system_grant_for_user": "rule:admin_required"
# List all grants a specific group has on the system.
# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles
# Intended scope(s): system
#"identity:list_system_grants_for_group": "rule:admin_required"
# Check if a group has a role on the system.
# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system
#"identity:check_system_grant_for_group": "rule:admin_required"
# Grant a group a role on the system.
# ['PUT'] /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system
#"identity:create_system_grant_for_group": "rule:admin_required"
# Remove a role from a group on the system.
# ['DELETE'] /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system
#"identity:revoke_system_grant_for_group": "rule:admin_required"
# Show group details.
# GET /v3/groups/{group_id}
# HEAD /v3/groups/{group_id}
# Intended scope(s): system
#"identity:get_group": "rule:admin_required"
# List groups.
# GET /v3/groups
# HEAD /v3/groups
# Intended scope(s): system
#"identity:list_groups": "rule:admin_required"
# List groups to which a user belongs.
# GET /v3/users/{user_id}/groups
# HEAD /v3/users/{user_id}/groups
# Intended scope(s): system
#"identity:list_groups_for_user": "rule:admin_or_owner"
# Create group.
# POST /v3/groups
# Intended scope(s): system
#"identity:create_group": "rule:admin_required"
# Update group.
# PATCH /v3/groups/{group_id}
# Intended scope(s): system
#"identity:update_group": "rule:admin_required"
# Delete group.
# DELETE /v3/groups/{group_id}
# Intended scope(s): system
#"identity:delete_group": "rule:admin_required"
# List members of a specific group.
# GET /v3/groups/{group_id}/users
# HEAD /v3/groups/{group_id}/users
# Intended scope(s): system
#"identity:list_users_in_group": "rule:admin_required"
# Remove user from group.
# DELETE /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system
#"identity:remove_user_from_group": "rule:admin_required"
# Check whether a user is a member of a group.
# HEAD /v3/groups/{group_id}/users/{user_id}
# GET /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system
#"identity:check_user_in_group": "rule:admin_required"
# Add user to group.
# PUT /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system
#"identity:add_user_to_group": "rule:admin_required"
# Create identity provider.
# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system
#"identity:create_identity_provider": "rule:admin_required"
# List identity providers.
# GET /v3/OS-FEDERATION/identity_providers
# HEAD /v3/OS-FEDERATION/identity_providers
# Intended scope(s): system
#"identity:list_identity_providers": "rule:admin_required"
# Get identity provider.
# GET /v3/OS-FEDERATION/identity_providers/{idp_id}
# HEAD /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system
#"identity:get_identity_provider": "rule:admin_required"
# Update identity provider.
# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system
#"identity:update_identity_provider": "rule:admin_required"
# Delete identity provider.
# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system
#"identity:delete_identity_provider": "rule:admin_required"
# Get information about an association between two roles. When a
# relationship exists between a prior role and an implied role and the
# prior role is assigned to a user, the user also assumes the implied
# role.
# GET /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system
#"identity:get_implied_role": "rule:admin_required"
# List associations between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role. This
# will return all the implied roles that would be assumed by the user
# who gets the specified prior role.
# GET /v3/roles/{prior_role_id}/implies
# HEAD /v3/roles/{prior_role_id}/implies
# Intended scope(s): system
#"identity:list_implied_roles": "rule:admin_required"
# Create an association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role.
# PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system
#"identity:create_implied_role": "rule:admin_required"
# Delete the association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role. Removing
# the association will cause that effect to be eliminated.
# DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system
#"identity:delete_implied_role": "rule:admin_required"
# List all associations between two roles in the system. When a
# relationship exists between a prior role and an implied role and the
# prior role is assigned to a user, the user also assumes the implied
# role.
# GET /v3/role_inferences
# HEAD /v3/role_inferences
# Intended scope(s): system
#"identity:list_role_inference_rules": "rule:admin_required"
# Check an association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role.
# HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system
#"identity:check_implied_role": "rule:admin_required"
# Show limit details.
# GET /v3/limits/{limit_id}
# HEAD /v3/limits/{limit_id}
# Intended scope(s): system, project
#"identity:get_limit": ""
# List limits.
# GET /v3/limits
# HEAD /v3/limits
# Intended scope(s): system, project
#"identity:list_limits": ""
# Create limits.
# POST /v3/limits
# Intended scope(s): system
#"identity:create_limits": "rule:admin_required"
# Update limits.
# PUT /v3/limits/{limit_id}
# Intended scope(s): system
#"identity:update_limits": "rule:admin_required"
# Delete limit.
# DELETE /v3/limits/{limit_id}
# Intended scope(s): system
#"identity:delete_limit": "rule:admin_required"
# Create a new federated mapping containing one or more sets of rules.
# PUT /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:create_mapping": "rule:admin_required"
# Get a federated mapping.
# GET /v3/OS-FEDERATION/mappings/{mapping_id}
# HEAD /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:get_mapping": "rule:admin_required"
# List federated mappings.
# GET /v3/OS-FEDERATION/mappings
# HEAD /v3/OS-FEDERATION/mappings
# Intended scope(s): system
#"identity:list_mappings": "rule:admin_required"
# Delete a federated mapping.
# DELETE /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:delete_mapping": "rule:admin_required"
# Update a federated mapping.
# PATCH /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:update_mapping": "rule:admin_required"
# Show policy details.
# GET /v3/policy/{policy_id}
# Intended scope(s): system
#"identity:get_policy": "rule:admin_required"
# List policies.
# GET /v3/policies
# Intended scope(s): system
#"identity:list_policies": "rule:admin_required"
# Create policy.
# POST /v3/policies
# Intended scope(s): system
#"identity:create_policy": "rule:admin_required"
# Update policy.
# PATCH /v3/policies/{policy_id}
# Intended scope(s): system
#"identity:update_policy": "rule:admin_required"
# Delete policy.
# DELETE /v3/policies/{policy_id}
# Intended scope(s): system
#"identity:delete_policy": "rule:admin_required"
# Associate a policy to a specific endpoint.
# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:create_policy_association_for_endpoint": "rule:admin_required"
# Check policy association for endpoint.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:check_policy_association_for_endpoint": "rule:admin_required"
# Delete policy association for endpoint.
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:delete_policy_association_for_endpoint": "rule:admin_required"
# Associate a policy to a specific service.
# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system
#"identity:create_policy_association_for_service": "rule:admin_required"
# Check policy association for service.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system
#"identity:check_policy_association_for_service": "rule:admin_required"
# Delete policy association for service.
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system
#"identity:delete_policy_association_for_service": "rule:admin_required"
# Associate a policy to a specific region and service combination.
# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system
#"identity:create_policy_association_for_region_and_service": "rule:admin_required"
# Check policy association for region and service.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system
#"identity:check_policy_association_for_region_and_service": "rule:admin_required"
# Delete policy association for region and service.
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system
#"identity:delete_policy_association_for_region_and_service": "rule:admin_required"
# Get policy for endpoint.
# GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
# HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
# Intended scope(s): system
#"identity:get_policy_for_endpoint": "rule:admin_required"
# List endpoints for policy.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
# Intended scope(s): system
#"identity:list_endpoints_for_policy": "rule:admin_required"
# Show project details.
# GET /v3/projects/{project_id}
#"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s"
# List projects.
# GET /v3/projects
# Intended scope(s): system
#"identity:list_projects": "rule:admin_required"
# List projects for user.
# GET /v3/users/{user_id}/projects
#"identity:list_user_projects": "rule:admin_or_owner"
# Create project.
# POST /v3/projects
# Intended scope(s): system
#"identity:create_project": "rule:admin_required"
# Update project.
# PATCH /v3/projects/{project_id}
# Intended scope(s): system
#"identity:update_project": "rule:admin_required"
# Delete project.
# DELETE /v3/projects/{project_id}
# Intended scope(s): system
#"identity:delete_project": "rule:admin_required"
# List tags for a project.
# GET /v3/projects/{project_id}/tags
# HEAD /v3/projects/{project_id}/tags
#"identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s"
# Check if project contains a tag.
# GET /v3/projects/{project_id}/tags/{value}
# HEAD /v3/projects/{project_id}/tags/{value}
#"identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s"
# Replace all tags on a project with the new set of tags.
# PUT /v3/projects/{project_id}/tags
# Intended scope(s): system
#"identity:update_project_tags": "rule:admin_required"
# Add a single tag to a project.
# PUT /v3/projects/{project_id}/tags/{value}
# Intended scope(s): system
#"identity:create_project_tag": "rule:admin_required"
# Remove all tags from a project.
# DELETE /v3/projects/{project_id}/tags
# Intended scope(s): system
#"identity:delete_project_tags": "rule:admin_required"
# Delete a specified tag from project.
# DELETE /v3/projects/{project_id}/tags/{value}
# Intended scope(s): system
#"identity:delete_project_tag": "rule:admin_required"
# List projects allowed to access an endpoint.
# GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
# Intended scope(s): system
#"identity:list_projects_for_endpoint": "rule:admin_required"
# Allow project to access an endpoint.
# PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:add_endpoint_to_project": "rule:admin_required"
# Check if a project is allowed to access an endpoint.
# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:check_endpoint_in_project": "rule:admin_required"
# List the endpoints a project is allowed to access.
# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints
# Intended scope(s): system
#"identity:list_endpoints_for_project": "rule:admin_required"
# Remove access to an endpoint from a project that has previously been
# given explicit access.
# DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:remove_endpoint_from_project": "rule:admin_required"
# Create federated protocol.
# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:create_protocol": "rule:admin_required"
# Update federated protocol.
# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:update_protocol": "rule:admin_required"
# Get federated protocol.
# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:get_protocol": "rule:admin_required"
# List federated protocols.
# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
# Intended scope(s): system
#"identity:list_protocols": "rule:admin_required"
# Delete federated protocol.
# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:delete_protocol": "rule:admin_required"
# Show region details.
# GET /v3/regions/{region_id}
# HEAD /v3/regions/{region_id}
# Intended scope(s): system, project
#"identity:get_region": ""
# List regions.
# GET /v3/regions
# HEAD /v3/regions
# Intended scope(s): system, project
#"identity:list_regions": ""
# Create region.
# POST /v3/regions
# PUT /v3/regions/{region_id}
# Intended scope(s): system
#"identity:create_region": "rule:admin_required"
# Update region.
# PATCH /v3/regions/{region_id}
# Intended scope(s): system
#"identity:update_region": "rule:admin_required"
# Delete region.
# DELETE /v3/regions/{region_id}
# Intended scope(s): system
#"identity:delete_region": "rule:admin_required"
# Show registered limit details.
# GET /v3/registered_limits/{registered_limit_id}
# HEAD /v3/registered_limits/{registered_limit_id}
# Intended scope(s): system, project
#"identity:get_registered_limit": ""
# List registered limits.
# GET /v3/registered_limits
# HEAD /v3/registered_limits
# Intended scope(s): system, project
#"identity:list_registered_limits": ""
# Create registered limits.
# POST /v3/registered_limits
# Intended scope(s): system
#"identity:create_registered_limits": "rule:admin_required"
# Update registered limits.
# PUT /v3/registered_limits/{registered_limit_id}
# Intended scope(s): system
#"identity:update_registered_limits": "rule:admin_required"
# Delete registered limit.
# DELETE /v3/registered_limits/{registered_limit_id}
# Intended scope(s): system
#"identity:delete_registered_limit": "rule:admin_required"
# List revocation events.
# GET /v3/OS-REVOKE/events
# Intended scope(s): system
#"identity:list_revoke_events": "rule:service_or_admin"
# Show role details.
# GET /v3/roles/{role_id}
# HEAD /v3/roles/{role_id}
# Intended scope(s): system
#"identity:get_role": "rule:admin_required"
# List roles.
# GET /v3/roles
# HEAD /v3/roles
# Intended scope(s): system
#"identity:list_roles": "rule:admin_required"
# Create role.
# POST /v3/roles
# Intended scope(s): system
#"identity:create_role": "rule:admin_required"
# Update role.
# PATCH /v3/roles/{role_id}
# Intended scope(s): system
#"identity:update_role": "rule:admin_required"
# Delete role.
# DELETE /v3/roles/{role_id}
# Intended scope(s): system
#"identity:delete_role": "rule:admin_required"
# Show domain role.
# GET /v3/roles/{role_id}
# HEAD /v3/roles/{role_id}
# Intended scope(s): system
#"identity:get_domain_role": "rule:admin_required"
# List domain roles.
# GET /v3/roles?domain_id={domain_id}
# HEAD /v3/roles?domain_id={domain_id}
# Intended scope(s): system
#"identity:list_domain_roles": "rule:admin_required"
# Create domain role.
# POST /v3/roles
# Intended scope(s): system
#"identity:create_domain_role": "rule:admin_required"
# Update domain role.
# PATCH /v3/roles/{role_id}
# Intended scope(s): system
#"identity:update_domain_role": "rule:admin_required"
# Delete domain role.
# DELETE /v3/roles/{role_id}
# Intended scope(s): system
#"identity:delete_domain_role": "rule:admin_required"
# List role assignments.
# GET /v3/role_assignments
# HEAD /v3/role_assignments
# Intended scope(s): system
#"identity:list_role_assignments": "rule:admin_required"
# List all role assignments for a given tree of hierarchical projects.
# GET /v3/role_assignments?include_subtree
# HEAD /v3/role_assignments?include_subtree
# Intended scope(s): project
#"identity:list_role_assignments_for_tree": "rule:admin_required"
# Show service details.
# GET /v3/services/{service_id}
# Intended scope(s): system
#"identity:get_service": "rule:admin_required"
# List services.
# GET /v3/services
# Intended scope(s): system
#"identity:list_services": "rule:admin_required"
# Create service.
# POST /v3/services
# Intended scope(s): system
#"identity:create_service": "rule:admin_required"
# Update service.
# PATCH /v3/services/{service_id}
# Intended scope(s): system
#"identity:update_service": "rule:admin_required"
# Delete service.
# DELETE /v3/services/{service_id}
# Intended scope(s): system
#"identity:delete_service": "rule:admin_required"
# Create federated service provider.
# PUT /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system
#"identity:create_service_provider": "rule:admin_required"
# List federated service providers.
# GET /v3/OS-FEDERATION/service_providers
# HEAD /v3/OS-FEDERATION/service_providers
# Intended scope(s): system
#"identity:list_service_providers": "rule:admin_required"
# Get federated service provider.
# GET /v3/OS-FEDERATION/service_providers/{service_provider_id}
# HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system
#"identity:get_service_provider": "rule:admin_required"
# Update federated service provider.
# PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system
#"identity:update_service_provider": "rule:admin_required"
# Delete federated service provider.
# DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system
#"identity:delete_service_provider": "rule:admin_required"
# List revoked PKI tokens.
# GET /v3/auth/tokens/OS-PKI/revoked
# Intended scope(s): system, project
#"identity:revocation_list": "rule:service_or_admin"
# Check a token.
# HEAD /v3/auth/tokens
#"identity:check_token": "rule:admin_or_token_subject"
# Validate a token.
# GET /v3/auth/tokens
#"identity:validate_token": "rule:service_admin_or_token_subject"
# Revoke a token.
# DELETE /v3/auth/tokens
#"identity:revoke_token": "rule:admin_or_token_subject"
# Create trust.
# POST /v3/OS-TRUST/trusts
# Intended scope(s): project
#"identity:create_trust": "user_id:%(trust.trustor_user_id)s"
# List trusts.
# GET /v3/OS-TRUST/trusts
# HEAD /v3/OS-TRUST/trusts
# Intended scope(s): project
#"identity:list_trusts": ""
# List roles delegated by a trust.
# GET /v3/OS-TRUST/trusts/{trust_id}/roles
# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles
# Intended scope(s): project
#"identity:list_roles_for_trust": ""
# Check if trust delegates a particular role.
# GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
# Intended scope(s): project
#"identity:get_role_for_trust": ""
# Revoke trust.
# DELETE /v3/OS-TRUST/trusts/{trust_id}
# Intended scope(s): project
#"identity:delete_trust": ""
# Get trust.
# GET /v3/OS-TRUST/trusts/{trust_id}
# HEAD /v3/OS-TRUST/trusts/{trust_id}
# Intended scope(s): project
#"identity:get_trust": ""
# Show user details.
# GET /v3/users/{user_id}
# HEAD /v3/users/{user_id}
#"identity:get_user": "rule:admin_or_owner"
# List users.
# GET /v3/users
# HEAD /v3/users
# Intended scope(s): system
#"identity:list_users": "rule:admin_required"
# List all projects a user has access to via role assignments.
# GET /v3/auth/projects
#"identity:list_projects_for_user": ""
# List all domains a user has access to via role assignments.
# GET /v3/auth/domains
#"identity:list_domains_for_user": ""
# Create a user.
# POST /v3/users
# Intended scope(s): system
#"identity:create_user": "rule:admin_required"
# Update a user, including administrative password resets.
# PATCH /v3/users/{user_id}
# Intended scope(s): system
#"identity:update_user": "rule:admin_required"
# Delete a user.
# DELETE /v3/users/{user_id}
# Intended scope(s): system
#"identity:delete_user": "rule:admin_required"
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.