Manila Sample Policy

Warning

JSON formatted policy file is deprecated since Manila 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

The following is a sample Manila policy file that has been auto-generated from default policy values in code. If you’re using the default policies, then the maintenance of this file is not necessary. It is here to help explain which policy operations protect specific Manila API, but it is not suggested to copy and paste into a deployment unless you’re planning on providing a different policy for an operation that is not the default. For instance, if you want to change the default value of “share:create”, you only need to keep this single rule in your policy config file (/etc/manila/policy.yaml).

"system-admin": "role:admin and system_scope:all"
"system-member": "role:member and system_scope:all"
"system-reader": "role:reader and system_scope:all"
"project-admin": "role:admin and project_id:%(project_id)s"
"project-member": "role:member and project_id:%(project_id)s"
"project-reader": "role:reader and project_id:%(project_id)s"
"context_is_admin": "rule:system-admin"
# DEPRECATED
# "context_is_admin":"role:admin" has been deprecated since W in favor
# of "context_is_admin":"rule:system-admin".
# The `context_is_admin` check is superseded by more specific check
# strings that consume system and project scope attributes from
# keystone tokens.

"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
"default": "rule:admin_or_owner"
"admin_api": "is_admin:True"
"availability_zone:index": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "availability_zone:index":"rule:default" has been deprecated since W
# in favor of "availability_zone:index":"(rule:system-reader) or
# (rule:project-reader)".
# The availability zone API now supports system scope and default
# roles.

"scheduler_stats:pools:index": "rule:system-reader"
# DEPRECATED
# "scheduler_stats:pools:index":"rule:admin_api" has been deprecated
# since W in favor of "scheduler_stats:pools:index":"rule:system-
# reader".
# The storage pool statistics API now support system scope and default
# roles.

"scheduler_stats:pools:detail": "rule:system-reader"
# DEPRECATED
# "scheduler_stats:pools:detail":"rule:admin_api" has been deprecated
# since W in favor of "scheduler_stats:pools:detail":"rule:system-
# reader".
# The storage pool statistics API now support system scope and default
# roles.

"share:create": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:create":"" has been deprecated since W in favor of
# "share:create":"(rule:system-admin) or (rule:project-member)".
# The share API now supports system scope and default roles.

"share:create_public_share": "rule:system-admin"
# DEPRECATED
# "share:create_public_share":"rule:admin_api" has been deprecated
# since W in favor of "share:create_public_share":"rule:system-admin".
# The share API now supports system scope and default roles.

"share:get": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share:get":"rule:default" has been deprecated since W in favor of
# "share:get":"(rule:system-reader) or (rule:project-reader)".
# The share API now supports system scope and default roles.

"share:get_all": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share:get_all":"rule:default" has been deprecated since W in favor
# of "share:get_all":"(rule:system-reader) or (rule:project-reader)".
# The share API now supports system scope and default roles.

"share:update": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:update":"rule:default" has been deprecated since W in favor
# of "share:update":"(rule:system-admin) or (rule:project-member)".
# The share API now supports system scope and default roles.

"share:set_public_share": "rule:system-admin"
# DEPRECATED
# "share:set_public_share":"rule:admin_api" has been deprecated since
# W in favor of "share:set_public_share":"rule:system-admin".
# The share API now supports system scope and default roles.

"share:delete": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:delete":"rule:default" has been deprecated since W in favor
# of "share:delete":"(rule:system-admin) or (rule:project-member)".
# The share API now supports system scope and default roles.

"share:soft_delete": "(rule:system-admin) or (rule:project-member)"
"share:restore": "(rule:system-admin) or (rule:project-member)"
"share:force_delete": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share:force_delete":"rule:admin_api" has been deprecated since W in
# favor of "share:force_delete":"(rule:system-admin) or (rule:project-
# admin)".
# The share API now supports system scope and default roles.

"share:manage": "rule:system-admin"
# DEPRECATED
# "share:manage":"rule:admin_api" has been deprecated since W in favor
# of "share:manage":"rule:system-admin".
# The share API now supports system scope and default roles.

"share:unmanage": "rule:system-admin"
# DEPRECATED
# "share:unmanage":"rule:admin_api" has been deprecated since W in
# favor of "share:unmanage":"rule:system-admin".
# The share API now supports system scope and default roles.

"share:list_by_host": "rule:system-reader"
# DEPRECATED
# "share:list_by_host":"rule:admin_api" has been deprecated since W in
# favor of "share:list_by_host":"rule:system-reader".
# The share API now supports system scope and default roles.

"share:list_by_share_server_id": "rule:system-reader"
# DEPRECATED
# "share:list_by_share_server_id":"rule:admin_api" has been deprecated
# since W in favor of "share:list_by_share_server_id":"rule:system-
# reader".
# The share API now supports system scope and default roles.

"share:access_get": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share:access_get":"rule:default" has been deprecated since W in
# favor of "share:access_get":"(rule:system-reader) or (rule:project-
# reader)".
# The share API now supports system scope and default roles.

"share:access_get_all": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share:access_get_all":"rule:default" has been deprecated since W in
# favor of "share:access_get_all":"(rule:system-reader) or
# (rule:project-reader)".
# The share API now supports system scope and default roles.

"share:extend": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:extend":"rule:default" has been deprecated since W in favor
# of "share:extend":"(rule:system-admin) or (rule:project-member)".
# The share API now supports system scope and default roles.

"share:force_extend": "(rule:system-admin) or (rule:project-admin)"
"share:shrink": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:shrink":"rule:default" has been deprecated since W in favor
# of "share:shrink":"(rule:system-admin) or (rule:project-member)".
# The share API now supports system scope and default roles.

"share:migration_start": "rule:system-admin"
# DEPRECATED
# "share:migration_start":"rule:admin_api" has been deprecated since W
# in favor of "share:migration_start":"rule:system-admin".
# The share API now supports system scope and default roles.

"share:migration_complete": "rule:system-admin"
# DEPRECATED
# "share:migration_complete":"rule:admin_api" has been deprecated
# since W in favor of "share:migration_complete":"rule:system-admin".
# The share API now supports system scope and default roles.

"share:migration_cancel": "rule:system-admin"
# DEPRECATED
# "share:migration_cancel":"rule:admin_api" has been deprecated since
# W in favor of "share:migration_cancel":"rule:system-admin".
# The share API now supports system scope and default roles.

"share:migration_get_progress": "rule:system-reader"
# DEPRECATED
# "share:migration_get_progress":"rule:admin_api" has been deprecated
# since W in favor of "share:migration_get_progress":"rule:system-
# reader".
# The share API now supports system scope and default roles.

"share:reset_task_state": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share:reset_task_state":"rule:admin_api" has been deprecated since
# W in favor of "share:reset_task_state":"(rule:system-admin) or
# (rule:project-admin)".
# The share API now supports system scope and default roles.

"share:reset_status": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share:reset_status":"rule:admin_api" has been deprecated since W in
# favor of "share:reset_status":"(rule:system-admin) or (rule:project-
# admin)".
# The share API now supports system scope and default roles.

"share:revert_to_snapshot": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:revert_to_snapshot":"rule:default" has been deprecated since
# W in favor of "share:revert_to_snapshot":"(rule:system-admin) or
# (rule:project-member)".
# The share API now supports system scope and default roles.

"share:allow_access": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:allow_access":"rule:default" has been deprecated since W in
# favor of "share:allow_access":"(rule:system-admin) or (rule:project-
# member)".
# The share API now supports system scope and default roles.

"share:deny_access": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:deny_access":"rule:default" has been deprecated since W in
# favor of "share:deny_access":"(rule:system-admin) or (rule:project-
# member)".
# The share API now supports system scope and default roles.

"share:update_share_metadata": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:update_share_metadata":"rule:default" has been deprecated
# since W in favor of "share:update_share_metadata":"(rule:system-
# admin) or (rule:project-member)".
# The share API now supports system scope and default roles.

"share:delete_share_metadata": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:delete_share_metadata":"rule:default" has been deprecated
# since W in favor of "share:delete_share_metadata":"(rule:system-
# admin) or (rule:project-member)".
# The share API now supports system scope and default roles.

"share:get_share_metadata": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share:get_share_metadata":"rule:default" has been deprecated since
# W in favor of "share:get_share_metadata":"(rule:system-reader) or
# (rule:project-reader)".
# The share API now supports system scope and default roles.

"share:create_snapshot": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:create_snapshot":"rule:default" has been deprecated since W
# in favor of "share:create_snapshot":"(rule:system-admin) or
# (rule:project-member)".
# The share API now supports system scope and default roles.

"share:delete_snapshot": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:delete_snapshot":"rule:default" has been deprecated since W
# in favor of "share:delete_snapshot":"(rule:system-admin) or
# (rule:project-member)".
# The share API now supports system scope and default roles.

"share:snapshot_update": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share:snapshot_update":"rule:default" has been deprecated since W
# in favor of "share:snapshot_update":"(rule:system-admin) or
# (rule:project-member)".
# The share API now supports system scope and default roles.

"share:update_admin_only_metadata": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share:update_admin_only_metadata":"rule:admin_api" has been
# deprecated since YOGA in favor of
# "share:update_admin_only_metadata":"(rule:system-admin) or
# (rule:project-admin)".
# The share API now supports system scope and default roles.

"share_instance_export_location:index": "rule:system-reader"
# DEPRECATED
# "share_instance_export_location:index":"rule:admin_api" has been
# deprecated since W in favor of
# "share_instance_export_location:index":"rule:system-reader".
# The share instance export location API now supports system scope and
# default roles.

"share_instance_export_location:show": "rule:system-reader"
# DEPRECATED
# "share_instance_export_location:show":"rule:admin_api" has been
# deprecated since W in favor of
# "share_instance_export_location:show":"rule:system-reader".
# The share instance export location API now supports system scope and
# default roles.

"share_type:create": "rule:system-admin"
# DEPRECATED
# "share_type:create":"rule:admin_api" has been deprecated since W in
# favor of "share_type:create":"rule:system-admin".
# The share type API now supports system scope and default roles.

"share_type:update": "rule:system-admin"
# DEPRECATED
# "share_type:update":"rule:admin_api" has been deprecated since W in
# favor of "share_type:update":"rule:system-admin".
# The share type API now supports system scope and default roles.

"share_type:show": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_type:show":"rule:default" has been deprecated since W in
# favor of "share_type:show":"(rule:system-reader) or (rule:project-
# reader)".
# The share type API now supports system scope and default roles.

"share_type:index": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_type:index":"rule:default" has been deprecated since W in
# favor of "share_type:index":"(rule:system-reader) or (rule:project-
# reader)".
# The share type API now supports system scope and default roles.

"share_type:default": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_type:default":"rule:default" has been deprecated since W in
# favor of "share_type:default":"(rule:system-reader) or
# (rule:project-reader)".
# The share type API now supports system scope and default roles.

"share_type:delete": "rule:system-admin"
# DEPRECATED
# "share_type:delete":"rule:admin_api" has been deprecated since W in
# favor of "share_type:delete":"rule:system-admin".
# The share type API now supports system scope and default roles.

"share_type:list_project_access": "rule:system-reader"
# DEPRECATED
# "share_type:list_project_access":"rule:admin_api" has been
# deprecated since W in favor of
# "share_type:list_project_access":"rule:system-reader".
# The share type API now supports system scope and default roles.

"share_type:add_project_access": "rule:system-admin"
# DEPRECATED
# "share_type:add_project_access":"rule:admin_api" has been deprecated
# since W in favor of "share_type:add_project_access":"rule:system-
# admin".
# The share type API now supports system scope and default roles.

"share_type:remove_project_access": "rule:system-admin"
# DEPRECATED
# "share_type:remove_project_access":"rule:admin_api" has been
# deprecated since W in favor of
# "share_type:remove_project_access":"rule:system-admin".
# The share type API now supports system scope and default roles.

"share_types_extra_spec:create": "rule:system-admin"
# DEPRECATED
# "share_types_extra_spec:create":"rule:admin_api" has been deprecated
# since W in favor of "share_types_extra_spec:create":"rule:system-
# admin".
# The share types extra specs API now supports system scope and
# default roles.

"share_types_extra_spec:show": "rule:system-reader"
# DEPRECATED
# "share_types_extra_spec:show":"rule:admin_api" has been deprecated
# since W in favor of "share_types_extra_spec:show":"rule:system-
# reader".
# The share types extra specs API now supports system scope and
# default roles.

"share_types_extra_spec:index": "rule:system-reader"
# DEPRECATED
# "share_types_extra_spec:index":"rule:admin_api" has been deprecated
# since W in favor of "share_types_extra_spec:index":"rule:system-
# reader".
# The share types extra specs API now supports system scope and
# default roles.

"share_types_extra_spec:update": "rule:system-admin"
# DEPRECATED
# "share_types_extra_spec:update":"rule:admin_api" has been deprecated
# since W in favor of "share_types_extra_spec:update":"rule:system-
# admin".
# The share types extra specs API now supports system scope and
# default roles.

"share_types_extra_spec:delete": "rule:system-admin"
# DEPRECATED
# "share_types_extra_spec:delete":"rule:admin_api" has been deprecated
# since W in favor of "share_types_extra_spec:delete":"rule:system-
# admin".
# The share types extra specs API now supports system scope and
# default roles.

"share_snapshot:get_snapshot": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_snapshot:get_snapshot":"rule:default" has been deprecated
# since W in favor of "share_snapshot:get_snapshot":"(rule:system-
# reader) or (rule:project-reader)".
# The share snapshot API now supports system scope and default roles.

"share_snapshot:get_all_snapshots": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_snapshot:get_all_snapshots":"rule:default" has been
# deprecated since W in favor of
# "share_snapshot:get_all_snapshots":"(rule:system-reader) or
# (rule:project-reader)".
# The share snapshot API now supports system scope and default roles.

"share_snapshot:force_delete": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share_snapshot:force_delete":"rule:admin_api" has been deprecated
# since W in favor of "share_snapshot:force_delete":"(rule:system-
# admin) or (rule:project-admin)".
# The share snapshot API now supports system scope and default roles.

"share_snapshot:manage_snapshot": "rule:system-admin"
# DEPRECATED
# "share_snapshot:manage_snapshot":"rule:admin_api" has been
# deprecated since W in favor of
# "share_snapshot:manage_snapshot":"rule:system-admin".
# The share snapshot API now supports system scope and default roles.

"share_snapshot:unmanage_snapshot": "rule:system-admin"
# DEPRECATED
# "share_snapshot:unmanage_snapshot":"rule:admin_api" has been
# deprecated since W in favor of
# "share_snapshot:unmanage_snapshot":"rule:system-admin".
# The share snapshot API now supports system scope and default roles.

"share_snapshot:reset_status": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share_snapshot:reset_status":"rule:admin_api" has been deprecated
# since W in favor of "share_snapshot:reset_status":"(rule:system-
# admin) or (rule:project-admin)".
# The share snapshot API now supports system scope and default roles.

"share_snapshot:access_list": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_snapshot:access_list":"rule:default" has been deprecated
# since W in favor of "share_snapshot:access_list":"(rule:system-
# reader) or (rule:project-reader)".
# The share snapshot API now supports system scope and default roles.

"share_snapshot:allow_access": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_snapshot:allow_access":"rule:default" has been deprecated
# since W in favor of "share_snapshot:allow_access":"(rule:system-
# admin) or (rule:project-member)".
# The share snapshot API now supports system scope and default roles.

"share_snapshot:deny_access": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_snapshot:deny_access":"rule:default" has been deprecated
# since W in favor of "share_snapshot:deny_access":"(rule:system-
# admin) or (rule:project-member)".
# The share snapshot API now supports system scope and default roles.

"share_snapshot_export_location:index": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_snapshot_export_location:index":"rule:default" has been
# deprecated since W in favor of
# "share_snapshot_export_location:index":"(rule:system-reader) or
# (rule:project-reader)".
# The share snapshot location API now supports system scope and
# default roles.

"share_snapshot_export_location:show": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_snapshot_export_location:show":"rule:default" has been
# deprecated since W in favor of
# "share_snapshot_export_location:show":"(rule:system-reader) or
# (rule:project-reader)".
# The share snapshot location API now supports system scope and
# default roles.

"share_snapshot_instance:show": "rule:system-reader"
# DEPRECATED
# "share_snapshot_instance:show":"rule:admin_api" has been deprecated
# since W in favor of "share_snapshot_instance:show":"rule:system-
# reader".
# The share snapshot instance API now supports system scope and
# default roles.

"share_snapshot_instance:index": "rule:system-reader"
# DEPRECATED
# "share_snapshot_instance:index":"rule:admin_api" has been deprecated
# since W in favor of "share_snapshot_instance:index":"rule:system-
# reader".
# The share snapshot instance API now supports system scope and
# default roles.

"share_snapshot_instance:detail": "rule:system-reader"
# DEPRECATED
# "share_snapshot_instance:detail":"rule:admin_api" has been
# deprecated since W in favor of
# "share_snapshot_instance:detail":"rule:system-reader".
# The share snapshot instance API now supports system scope and
# default roles.

"share_snapshot_instance:reset_status": "rule:system-admin"
# DEPRECATED
# "share_snapshot_instance:reset_status":"rule:admin_api" has been
# deprecated since W in favor of
# "share_snapshot_instance:reset_status":"rule:system-admin".
# The share snapshot instance API now supports system scope and
# default roles.

"share_snapshot_instance_export_location:index": "rule:system-reader"
# DEPRECATED
# "share_snapshot_instance_export_location:index":"rule:admin_api" has
# been deprecated since W in favor of
# "share_snapshot_instance_export_location:index":"rule:system-
# reader".
# The share snapshot instance export location API now supports system
# scope and default roles.

"share_snapshot_instance_export_location:show": "rule:system-reader"
# DEPRECATED
# "share_snapshot_instance_export_location:show":"rule:admin_api" has
# been deprecated since W in favor of
# "share_snapshot_instance_export_location:show":"rule:system-reader".
# The share snapshot instance export location API now supports system
# scope and default roles.

"share_server:index": "rule:system-reader"
# DEPRECATED
# "share_server:index":"rule:admin_api" has been deprecated since W in
# favor of "share_server:index":"rule:system-reader".
# The share server API now supports system scope and default roles.

"share_server:show": "rule:system-reader"
# DEPRECATED
# "share_server:show":"rule:admin_api" has been deprecated since W in
# favor of "share_server:show":"rule:system-reader".
# The share server API now supports system scope and default roles.

"share_server:details": "rule:system-reader"
# DEPRECATED
# "share_server:details":"rule:admin_api" has been deprecated since W
# in favor of "share_server:details":"rule:system-reader".
# The share server API now supports system scope and default roles.

"share_server:delete": "rule:system-admin"
# DEPRECATED
# "share_server:delete":"rule:admin_api" has been deprecated since W
# in favor of "share_server:delete":"rule:system-admin".
# The share server API now supports system scope and default roles.

"share_server:manage_share_server": "rule:system-admin"
# DEPRECATED
# "share_server:manage_share_server":"rule:admin_api" has been
# deprecated since W in favor of
# "share_server:manage_share_server":"rule:system-admin".
# The share server API now supports system scope and default roles.

"share_server:unmanage_share_server": "rule:system-admin"
# DEPRECATED
# "share_server:unmanage_share_server":"rule:admin_api" has been
# deprecated since W in favor of
# "share_server:unmanage_share_server":"rule:system-admin".
# The share server API now supports system scope and default roles.

"share_server:reset_status": "rule:system-admin"
# DEPRECATED
# "share_server:reset_status":"rule:admin_api" has been deprecated
# since W in favor of "share_server:reset_status":"rule:system-admin".
# The share server API now supports system scope and default roles.

"share_server:share_server_migration_start": "rule:system-admin"
# DEPRECATED
# "share_server:share_server_migration_start":"rule:admin_api" has
# been deprecated since W in favor of
# "share_server:share_server_migration_start":"rule:system-admin".
# The share server API now supports system scope and default roles.

"share_server:share_server_migration_check": "rule:system-reader"
# DEPRECATED
# "share_server:share_server_migration_check":"rule:admin_api" has
# been deprecated since W in favor of
# "share_server:share_server_migration_check":"rule:system-reader".
# The share server API now supports system scope and default roles.

"share_server:share_server_migration_complete": "rule:system-admin"
# DEPRECATED
# "share_server:share_server_migration_complete":"rule:admin_api" has
# been deprecated since W in favor of
# "share_server:share_server_migration_complete":"rule:system-admin".
# The share server API now supports system scope and default roles.

"share_server:share_server_migration_cancel": "rule:system-admin"
# DEPRECATED
# "share_server:share_server_migration_cancel":"rule:admin_api" has
# been deprecated since W in favor of
# "share_server:share_server_migration_cancel":"rule:system-admin".
# The share server API now supports system scope and default roles.

"share_server:share_server_migration_get_progress": "rule:system-reader"
# DEPRECATED
# "share_server:share_server_migration_get_progress":"rule:admin_api"
# has been deprecated since W in favor of
# "share_server:share_server_migration_get_progress":"rule:system-
# reader".
# The share server API now supports system scope and default roles.

"share_server:share_server_reset_task_state": "rule:system-admin"
# DEPRECATED
# "share_server:share_server_reset_task_state":"rule:admin_api" has
# been deprecated since W in favor of
# "share_server:share_server_reset_task_state":"rule:system-admin".
# The share server API now supports system scope and default roles.

"service:index": "rule:system-reader"
# DEPRECATED
# "service:index":"rule:admin_api" has been deprecated since W in
# favor of "service:index":"rule:system-reader".
# The service API now supports system scope and default roles.

"service:update": "rule:system-admin"
# DEPRECATED
# "service:update":"rule:admin_api" has been deprecated since W in
# favor of "service:update":"rule:system-admin".
# The service API now supports system scope and default roles.

"quota_set:update": "rule:system-admin"
# DEPRECATED
# "quota_set:update":"rule:admin_api" has been deprecated since W in
# favor of "quota_set:update":"rule:system-admin".
# The quota API now supports system scope and default roles.

"quota_set:show": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "quota_set:show":"rule:default" has been deprecated since W in favor
# of "quota_set:show":"(rule:system-reader) or (rule:project-reader)".
# The quota API now supports system scope and default roles.

"quota_set:delete": "rule:system-admin"
# DEPRECATED
# "quota_set:delete":"rule:admin_api" has been deprecated since W in
# favor of "quota_set:delete":"rule:system-admin".
# The quota API now supports system scope and default roles.

"quota_class_set:update": "rule:system-admin"
# DEPRECATED
# "quota_class_set:update":"rule:admin_api" has been deprecated since
# W in favor of "quota_class_set:update":"rule:system-admin".
# The quota class API now supports system scope and default roles.

"quota_class_set:show": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "quota_class_set:show":"rule:default" has been deprecated since W in
# favor of "quota_class_set:show":"(rule:system-reader) or
# (rule:project-reader)".
# The quota class API now supports system scope and default roles.

"share_group_types_spec:create": "rule:system-admin"
# DEPRECATED
# "share_group_types_spec:create":"rule:admin_api" has been deprecated
# since W in favor of "share_group_types_spec:create":"rule:system-
# admin".
# The share group type specs API now support system scope and default
# roles.

"share_group_types_spec:index": "rule:system-reader"
# DEPRECATED
# "share_group_types_spec:index":"rule:admin_api" has been deprecated
# since W in favor of "share_group_types_spec:index":"rule:system-
# reader".
# The share group type specs API now support system scope and default
# roles.

"share_group_types_spec:show": "rule:system-reader"
# DEPRECATED
# "share_group_types_spec:show":"rule:admin_api" has been deprecated
# since W in favor of "share_group_types_spec:show":"rule:system-
# reader".
# The share group type specs API now support system scope and default
# roles.

"share_group_types_spec:update": "rule:system-admin"
# DEPRECATED
# "share_group_types_spec:update":"rule:admin_api" has been deprecated
# since W in favor of "share_group_types_spec:update":"rule:system-
# admin".
# The share group type specs API now support system scope and default
# roles.

"share_group_types_spec:delete": "rule:system-admin"
# DEPRECATED
# "share_group_types_spec:delete":"rule:admin_api" has been deprecated
# since W in favor of "share_group_types_spec:delete":"rule:system-
# admin".
# The share group type specs API now support system scope and default
# roles.

"share_group_type:create": "rule:system-admin"
# DEPRECATED
# "share_group_type:create":"rule:admin_api" has been deprecated since
# W in favor of "share_group_type:create":"rule:system-admin".
# The share group type API now supports system scope and default
# roles.

"share_group_type:index": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_group_type:index":"rule:default" has been deprecated since W
# in favor of "share_group_type:index":"(rule:system-reader) or
# (rule:project-reader)".
# The share group type API now supports system scope and default
# roles.

"share_group_type:show": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_group_type:show":"rule:default" has been deprecated since W
# in favor of "share_group_type:show":"(rule:system-reader) or
# (rule:project-reader)".
# The share group type API now supports system scope and default
# roles.

"share_group_type:default": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_group_type:default":"rule:default" has been deprecated since
# W in favor of "share_group_type:default":"(rule:system-reader) or
# (rule:project-reader)".
# The share group type API now supports system scope and default
# roles.

"share_group_type:delete": "rule:system-admin"
# DEPRECATED
# "share_group_type:delete":"rule:admin_api" has been deprecated since
# W in favor of "share_group_type:delete":"rule:system-admin".
# The share group type API now supports system scope and default
# roles.

"share_group_type:list_project_access": "rule:system-reader"
# DEPRECATED
# "share_group_type:list_project_access":"rule:admin_api" has been
# deprecated since W in favor of
# "share_group_type:list_project_access":"rule:system-reader".
# The share group type API now supports system scope and default
# roles.

"share_group_type:add_project_access": "rule:system-admin"
# DEPRECATED
# "share_group_type:add_project_access":"rule:admin_api" has been
# deprecated since W in favor of
# "share_group_type:add_project_access":"rule:system-admin".
# The share group type API now supports system scope and default
# roles.

"share_group_type:remove_project_access": "rule:system-admin"
# DEPRECATED
# "share_group_type:remove_project_access":"rule:admin_api" has been
# deprecated since W in favor of
# "share_group_type:remove_project_access":"rule:system-admin".
# The share group type API now supports system scope and default
# roles.

"share_group_snapshot:create": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_group_snapshot:create":"rule:default" has been deprecated
# since W in favor of "share_group_snapshot:create":"(rule:system-
# admin) or (rule:project-member)".
# The share group snapshots API now supports system scope and default
# roles.

"share_group_snapshot:get": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_group_snapshot:get":"rule:default" has been deprecated since
# W in favor of "share_group_snapshot:get":"(rule:system-reader) or
# (rule:project-reader)".
# The share group snapshots API now supports system scope and default
# roles.

"share_group_snapshot:get_all": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_group_snapshot:get_all":"rule:default" has been deprecated
# since W in favor of "share_group_snapshot:get_all":"(rule:system-
# reader) or (rule:project-reader)".
# The share group snapshots API now supports system scope and default
# roles.

"share_group_snapshot:update": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_group_snapshot:update":"rule:default" has been deprecated
# since W in favor of "share_group_snapshot:update":"(rule:system-
# admin) or (rule:project-member)".
# The share group snapshots API now supports system scope and default
# roles.

"share_group_snapshot:delete": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_group_snapshot:delete":"rule:default" has been deprecated
# since W in favor of "share_group_snapshot:delete":"(rule:system-
# admin) or (rule:project-member)".
# The share group snapshots API now supports system scope and default
# roles.

"share_group_snapshot:force_delete": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share_group_snapshot:force_delete":"rule:admin_api" has been
# deprecated since W in favor of
# "share_group_snapshot:force_delete":"(rule:system-admin) or
# (rule:project-admin)".
# The share group snapshots API now supports system scope and default
# roles.

"share_group_snapshot:reset_status": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share_group_snapshot:reset_status":"rule:admin_api" has been
# deprecated since W in favor of
# "share_group_snapshot:reset_status":"(rule:system-admin) or
# (rule:project-admin)".
# The share group snapshots API now supports system scope and default
# roles.

"share_group:create": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_group:create":"rule:default" has been deprecated since W in
# favor of "share_group:create":"(rule:system-admin) or (rule:project-
# member)".
# The share group API now supports system scope and default roles.

"share_group:get": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_group:get":"rule:default" has been deprecated since W in
# favor of "share_group:get":"(rule:system-reader) or (rule:project-
# reader)".
# The share group API now supports system scope and default roles.

"share_group:get_all": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_group:get_all":"rule:default" has been deprecated since W in
# favor of "share_group:get_all":"(rule:system-reader) or
# (rule:project-reader)".
# The share group API now supports system scope and default roles.

"share_group:update": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_group:update":"rule:default" has been deprecated since W in
# favor of "share_group:update":"(rule:system-admin) or (rule:project-
# member)".
# The share group API now supports system scope and default roles.

"share_group:delete": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_group:delete":"rule:default" has been deprecated since W in
# favor of "share_group:delete":"(rule:system-admin) or (rule:project-
# member)".
# The share group API now supports system scope and default roles.

"share_group:force_delete": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share_group:force_delete":"rule:admin_api" has been deprecated
# since W in favor of "share_group:force_delete":"(rule:system-admin)
# or (rule:project-admin)".
# The share group API now supports system scope and default roles.

"share_group:reset_status": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share_group:reset_status":"rule:admin_api" has been deprecated
# since W in favor of "share_group:reset_status":"(rule:system-admin)
# or (rule:project-admin)".
# The share group API now supports system scope and default roles.

"share_replica:create": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_replica:create":"rule:default" has been deprecated since W in
# favor of "share_replica:create":"(rule:system-admin) or
# (rule:project-member)".
# The share replica API now supports system scope and default roles.

"share_replica:get_all": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_replica:get_all":"rule:default" has been deprecated since W
# in favor of "share_replica:get_all":"(rule:system-reader) or
# (rule:project-reader)".
# The share replica API now supports system scope and default roles.

"share_replica:show": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_replica:show":"rule:default" has been deprecated since W in
# favor of "share_replica:show":"(rule:system-reader) or
# (rule:project-reader)".
# The share replica API now supports system scope and default roles.

"share_replica:delete": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_replica:delete":"rule:default" has been deprecated since W in
# favor of "share_replica:delete":"(rule:system-admin) or
# (rule:project-member)".
# The share replica API now supports system scope and default roles.

"share_replica:force_delete": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share_replica:force_delete":"rule:admin_api" has been deprecated
# since W in favor of "share_replica:force_delete":"(rule:system-
# admin) or (rule:project-admin)".
# The share replica API now supports system scope and default roles.

"share_replica:promote": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_replica:promote":"rule:default" has been deprecated since W
# in favor of "share_replica:promote":"(rule:system-admin) or
# (rule:project-member)".
# The share replica API now supports system scope and default roles.

"share_replica:resync": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share_replica:resync":"rule:admin_api" has been deprecated since W
# in favor of "share_replica:resync":"(rule:system-admin) or
# (rule:project-admin)".
# The share replica API now supports system scope and default roles.

"share_replica:reset_replica_state": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share_replica:reset_replica_state":"rule:admin_api" has been
# deprecated since W in favor of
# "share_replica:reset_replica_state":"(rule:system-admin) or
# (rule:project-admin)".
# The share replica API now supports system scope and default roles.

"share_replica:reset_status": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share_replica:reset_status":"rule:admin_api" has been deprecated
# since W in favor of "share_replica:reset_status":"(rule:system-
# admin) or (rule:project-admin)".
# The share replica API now supports system scope and default roles.

"share_replica_export_location:index": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_replica_export_location:index":"rule:default" has been
# deprecated since W in favor of
# "share_replica_export_location:index":"(rule:system-reader) or
# (rule:project-reader)".
# The share replica export location API now supports system scope and
# default roles.

"share_replica_export_location:show": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_replica_export_location:show":"rule:default" has been
# deprecated since W in favor of
# "share_replica_export_location:show":"(rule:system-reader) or
# (rule:project-reader)".
# The share replica export location API now supports system scope and
# default roles.

"share_network:create": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_network:create":"rule:default" has been deprecated since W in
# favor of "share_network:create":"(rule:system-admin) or
# (rule:project-member)".
# The share network API now support system scope and default roles.

"share_network:show": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_network:show":"rule:default" has been deprecated since W in
# favor of "share_network:show":"(rule:system-reader) or
# (rule:project-reader)".
# The share network API now support system scope and default roles.

"share_network:index": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_network:index":"rule:default" has been deprecated since W in
# favor of "share_network:index":"(rule:system-reader) or
# (rule:project-reader)".
# The share network API now support system scope and default roles.

"share_network:detail": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_network:detail":"rule:default" has been deprecated since W in
# favor of "share_network:detail":"(rule:system-reader) or
# (rule:project-reader)".
# The share network API now support system scope and default roles.

"share_network:update": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_network:update":"rule:default" has been deprecated since W in
# favor of "share_network:update":"(rule:system-admin) or
# (rule:project-member)".
# The share network API now support system scope and default roles.

"share_network:delete": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_network:delete":"rule:default" has been deprecated since W in
# favor of "share_network:delete":"(rule:system-admin) or
# (rule:project-member)".
# The share network API now support system scope and default roles.

"share_network:add_security_service": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_network:add_security_service":"rule:default" has been
# deprecated since W in favor of
# "share_network:add_security_service":"(rule:system-admin) or
# (rule:project-member)".
# The share network API now support system scope and default roles.

"share_network:add_security_service_check": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_network:add_security_service_check":"rule:default" has been
# deprecated since W in favor of
# "share_network:add_security_service_check":"(rule:system-admin) or
# (rule:project-member)".
# The share network API now support system scope and default roles.

"share_network:remove_security_service": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_network:remove_security_service":"rule:default" has been
# deprecated since W in favor of
# "share_network:remove_security_service":"(rule:system-admin) or
# (rule:project-member)".
# The share network API now support system scope and default roles.

"share_network:update_security_service": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_network:update_security_service":"rule:default" has been
# deprecated since W in favor of
# "share_network:update_security_service":"(rule:system-admin) or
# (rule:project-member)".
# The share network API now support system scope and default roles.

"share_network:update_security_service_check": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_network:update_security_service_check":"rule:default" has
# been deprecated since W in favor of
# "share_network:update_security_service_check":"(rule:system-admin)
# or (rule:project-member)".
# The share network API now support system scope and default roles.

"share_network:reset_status": "(rule:system-admin) or (rule:project-admin)"
# DEPRECATED
# "share_network:reset_status":"rule:admin_api" has been deprecated
# since W in favor of "share_network:reset_status":"(rule:system-
# admin) or (rule:project-admin)".
# The share network API now support system scope and default roles.

"share_network:get_all_share_networks": "rule:system-reader"
# DEPRECATED
# "share_network:get_all_share_networks":"rule:admin_api" has been
# deprecated since W in favor of
# "share_network:get_all_share_networks":"rule:system-reader".
# The share network API now support system scope and default roles.

"share_network:subnet_create_check": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_network:subnet_create_check":"rule:default" has been
# deprecated since Yoga in favor of
# "share_network:subnet_create_check":"(rule:system-admin) or
# (rule:project-member)".
# The share network API now support system scope and default roles.

"share_network_subnet:create": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_network_subnet:create":"rule:default" has been deprecated
# since W in favor of "share_network_subnet:create":"(rule:system-
# admin) or (rule:project-member)".
# The share network subnet API now supports system scope and default
# roles.

"share_network_subnet:delete": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_network_subnet:delete":"rule:default" has been deprecated
# since W in favor of "share_network_subnet:delete":"(rule:system-
# admin) or (rule:project-member)".
# The share network subnet API now supports system scope and default
# roles.

"share_network_subnet:show": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_network_subnet:show":"rule:default" has been deprecated since
# W in favor of "share_network_subnet:show":"(rule:system-reader) or
# (rule:project-reader)".
# The share network subnet API now supports system scope and default
# roles.

"share_network_subnet:index": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_network_subnet:index":"rule:default" has been deprecated
# since W in favor of "share_network_subnet:index":"(rule:system-
# reader) or (rule:project-reader)".
# The share network subnet API now supports system scope and default
# roles.

"security_service:create": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "security_service:create":"rule:default" has been deprecated since W
# in favor of "security_service:create":"(rule:system-admin) or
# (rule:project-member)".
# The security service API now supports system scope and default
# roles.

"security_service:show": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "security_service:show":"rule:default" has been deprecated since W
# in favor of "security_service:show":"(rule:system-reader) or
# (rule:project-reader)".
# The security service API now supports system scope and default
# roles.

"security_service:detail": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "security_service:detail":"rule:default" has been deprecated since W
# in favor of "security_service:detail":"(rule:system-reader) or
# (rule:project-reader)".
# The security service API now supports system scope and default
# roles.

"security_service:index": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "security_service:index":"rule:default" has been deprecated since W
# in favor of "security_service:index":"(rule:system-reader) or
# (rule:project-reader)".
# The security service API now supports system scope and default
# roles.

"security_service:update": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "security_service:update":"rule:default" has been deprecated since W
# in favor of "security_service:update":"(rule:system-admin) or
# (rule:project-member)".
# The security service API now supports system scope and default
# roles.

"security_service:delete": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "security_service:delete":"rule:default" has been deprecated since W
# in favor of "security_service:delete":"(rule:system-admin) or
# (rule:project-member)".
# The security service API now supports system scope and default
# roles.

"security_service:get_all_security_services": "rule:system-reader"
# DEPRECATED
# "security_service:get_all_security_services":"rule:admin_api" has
# been deprecated since W in favor of
# "security_service:get_all_security_services":"rule:system-reader".
# The security service API now supports system scope and default
# roles.

"share_export_location:index": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_export_location:index":"rule:default" has been deprecated
# since W in favor of "share_export_location:index":"(rule:system-
# reader) or (rule:project-reader)".
# The share export location API now support system scope and default
# roles.

"share_export_location:show": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_export_location:show":"rule:default" has been deprecated
# since W in favor of "share_export_location:show":"(rule:system-
# reader) or (rule:project-reader)".
# The share export location API now support system scope and default
# roles.

"share_instance:index": "rule:system-reader"
# DEPRECATED
# "share_instance:index":"rule:admin_api" has been deprecated since W
# in favor of "share_instance:index":"rule:system-reader".
# The share instances API now supports system scope and default roles.

"share_instance:show": "rule:system-reader"
# DEPRECATED
# "share_instance:show":"rule:admin_api" has been deprecated since W
# in favor of "share_instance:show":"rule:system-reader".
# The share instances API now supports system scope and default roles.

"share_instance:force_delete": "rule:system-admin"
# DEPRECATED
# "share_instance:force_delete":"rule:admin_api" has been deprecated
# since W in favor of "share_instance:force_delete":"rule:system-
# admin".
# The share instances API now supports system scope and default roles.

"share_instance:reset_status": "rule:system-admin"
# DEPRECATED
# "share_instance:reset_status":"rule:admin_api" has been deprecated
# since W in favor of "share_instance:reset_status":"rule:system-
# admin".
# The share instances API now supports system scope and default roles.

"message:get": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "message:get":"rule:default" has been deprecated since W in favor of
# "message:get":"(rule:system-reader) or (rule:project-reader)".
# The messages API now supports system scope and default roles.

"message:get_all": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "message:get_all":"rule:default" has been deprecated since W in
# favor of "message:get_all":"(rule:system-reader) or (rule:project-
# reader)".
# The messages API now supports system scope and default roles.

"message:delete": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "message:delete":"rule:default" has been deprecated since W in favor
# of "message:delete":"(rule:system-admin) or (rule:project-member)".
# The messages API now supports system scope and default roles.

"share_access_rule:get": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_access_rule:get":"rule:default" has been deprecated since W
# in favor of "share_access_rule:get":"(rule:system-reader) or
# (rule:project-reader)".
# The share access rule API now supports system scope and default
# roles.

"share_access_rule:index": "(rule:system-reader) or (rule:project-reader)"
# DEPRECATED
# "share_access_rule:index":"rule:default" has been deprecated since W
# in favor of "share_access_rule:index":"(rule:system-reader) or
# (rule:project-reader)".
# The share access rule API now supports system scope and default
# roles.

"share_access_metadata:update": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_access_metadata:update":"rule:default" has been deprecated
# since W in favor of "share_access_metadata:update":"(rule:system-
# admin) or (rule:project-member)".
# The share access metadata API now support system scope and default
# roles.

"share_access_metadata:delete": "(rule:system-admin) or (rule:project-member)"
# DEPRECATED
# "share_access_metadata:delete":"rule:default" has been deprecated
# since W in favor of "share_access_metadata:delete":"(rule:system-
# admin) or (rule:project-member)".
# The share access metadata API now support system scope and default
# roles.