Policy configuration¶
Warning
JSON formatted policy file is deprecated since Keystone 19.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
Configuration¶
The following is an overview of all available policies in Keystone.
For a sample configuration file, refer to policy.yaml.
keystone¶
admin_required
- Default:
role:admin or is_admin:1
(no description provided)
service_role
- Default:
role:service
(no description provided)
service_or_admin
- Default:
rule:admin_required or rule:service_role
(no description provided)
owner
- Default:
user_id:%(user_id)s
(no description provided)
admin_or_owner
- Default:
rule:admin_required or rule:owner
(no description provided)
token_subject
- Default:
user_id:%(target.token.user_id)s
(no description provided)
admin_or_token_subject
- Default:
rule:admin_required or rule:token_subject
(no description provided)
service_admin_or_token_subject
- Default:
rule:service_or_admin or rule:token_subject
(no description provided)
domain_managed_target_role
- Default:
'manager':%(target.role.name)s or 'member':%(target.role.name)s or 'reader':%(target.role.name)s
(no description provided)
identity:get_access_rule
- Default:
(role:reader and system_scope:all) or user_id:%(target.user.id)s
- Operations:
GET
/v3/users/{user_id}/access_rules/{access_rule_id}
HEAD
/v3/users/{user_id}/access_rules/{access_rule_id}
- Scope Types:
system
project
Show access rule details.
identity:list_access_rules
- Default:
(role:reader and system_scope:all) or user_id:%(target.user.id)s
- Operations:
GET
/v3/users/{user_id}/access_rules
HEAD
/v3/users/{user_id}/access_rules
- Scope Types:
system
project
List access rules for a user.
identity:delete_access_rule
- Default:
(role:admin and system_scope:all) or user_id:%(target.user.id)s
- Operations:
DELETE
/v3/users/{user_id}/access_rules/{access_rule_id}
- Scope Types:
system
project
Delete an access_rule.
identity:authorize_request_token
- Default:
rule:admin_required
- Operations:
PUT
/v3/OS-OAUTH1/authorize/{request_token_id}
- Scope Types:
project
Authorize OAUTH1 request token.
identity:get_access_token
- Default:
rule:admin_required
- Operations:
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
- Scope Types:
project
Get OAUTH1 access token for user by access token ID.
identity:get_access_token_role
- Default:
rule:admin_required
- Operations:
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
- Scope Types:
project
Get role for user OAUTH1 access token.
identity:list_access_tokens
- Default:
rule:admin_required
- Operations:
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens
- Scope Types:
project
List OAUTH1 access tokens for user.
identity:list_access_token_roles
- Default:
rule:admin_required
- Operations:
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
- Scope Types:
project
List OAUTH1 access token roles.
identity:delete_access_token
- Default:
rule:admin_required
- Operations:
DELETE
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
- Scope Types:
project
Delete OAUTH1 access token.
identity:get_application_credential
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or rule:owner
- Operations:
GET
/v3/users/{user_id}/application_credentials/{application_credential_id}
HEAD
/v3/users/{user_id}/application_credentials/{application_credential_id}
- Scope Types:
system
project
Show application credential details.
identity:list_application_credentials
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or rule:owner
- Operations:
GET
/v3/users/{user_id}/application_credentials
HEAD
/v3/users/{user_id}/application_credentials
- Scope Types:
system
project
List application credentials for a user.
identity:create_application_credential
- Default:
user_id:%(user_id)s
- Operations:
POST
/v3/users/{user_id}/application_credentials
- Scope Types:
project
Create an application credential.
identity:delete_application_credential
- Default:
rule:admin_or_owner
- Operations:
DELETE
/v3/users/{user_id}/application_credentials/{application_credential_id}
- Scope Types:
system
project
Delete an application credential.
identity:get_auth_catalog
- Default:
<empty string>
- Operations:
GET
/v3/auth/catalog
HEAD
/v3/auth/catalog
Get service catalog.
identity:get_auth_projects
- Default:
<empty string>
- Operations:
GET
/v3/auth/projects
HEAD
/v3/auth/projects
List all projects a user has access to via role assignments.
identity:get_auth_domains
- Default:
<empty string>
- Operations:
GET
/v3/auth/domains
HEAD
/v3/auth/domains
List all domains a user has access to via role assignments.
identity:get_auth_system
- Default:
<empty string>
- Operations:
GET
/v3/auth/system
HEAD
/v3/auth/system
List systems a user has access to via role assignments.
identity:get_consumer
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-OAUTH1/consumers/{consumer_id}
- Scope Types:
system
project
Show OAUTH1 consumer details.
identity:list_consumers
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-OAUTH1/consumers
- Scope Types:
system
project
List OAUTH1 consumers.
identity:create_consumer
- Default:
rule:admin_required
- Operations:
POST
/v3/OS-OAUTH1/consumers
- Scope Types:
system
project
Create OAUTH1 consumer.
identity:update_consumer
- Default:
rule:admin_required
- Operations:
PATCH
/v3/OS-OAUTH1/consumers/{consumer_id}
- Scope Types:
system
project
Update OAUTH1 consumer.
identity:delete_consumer
- Default:
rule:admin_required
- Operations:
DELETE
/v3/OS-OAUTH1/consumers/{consumer_id}
- Scope Types:
system
project
Delete OAUTH1 consumer.
identity:get_credential
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations:
GET
/v3/credentials/{credential_id}
- Scope Types:
system
domain
project
Show credentials details.
identity:list_credentials
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations:
GET
/v3/credentials
- Scope Types:
system
domain
project
List credentials.
identity:create_credential
- Default:
(rule:admin_required) or user_id:%(target.credential.user_id)s
- Operations:
POST
/v3/credentials
- Scope Types:
system
domain
project
Create credential.
identity:update_credential
- Default:
(rule:admin_required) or user_id:%(target.credential.user_id)s
- Operations:
PATCH
/v3/credentials/{credential_id}
- Scope Types:
system
domain
project
Update credential.
identity:delete_credential
- Default:
(rule:admin_required) or user_id:%(target.credential.user_id)s
- Operations:
DELETE
/v3/credentials/{credential_id}
- Scope Types:
system
domain
project
Delete credential.
identity:get_domain
- Default:
rule:admin_required or (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s
- Operations:
GET
/v3/domains/{domain_id}
- Scope Types:
system
domain
project
Show domain details.
identity:list_domains
- Default:
rule:admin_required or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain.id)s)
- Operations:
GET
/v3/domains
- Scope Types:
system
domain
project
List domains.
identity:create_domain
- Default:
rule:admin_required
- Operations:
POST
/v3/domains
- Scope Types:
system
project
Create domain.
identity:update_domain
- Default:
rule:admin_required
- Operations:
PATCH
/v3/domains/{domain_id}
- Scope Types:
system
project
Update domain.
identity:delete_domain
- Default:
rule:admin_required
- Operations:
DELETE
/v3/domains/{domain_id}
- Scope Types:
system
project
Delete domain.
identity:create_domain_config
- Default:
rule:admin_required
- Operations:
PUT
/v3/domains/{domain_id}/config
- Scope Types:
system
project
Create domain configuration.
identity:get_domain_config
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/domains/{domain_id}/config
HEAD
/v3/domains/{domain_id}/config
GET
/v3/domains/{domain_id}/config/{group}
HEAD
/v3/domains/{domain_id}/config/{group}
GET
/v3/domains/{domain_id}/config/{group}/{option}
HEAD
/v3/domains/{domain_id}/config/{group}/{option}
- Scope Types:
system
project
Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain.
identity:get_security_compliance_domain_config
- Default:
<empty string>
- Operations:
GET
/v3/domains/{domain_id}/config/security_compliance
HEAD
/v3/domains/{domain_id}/config/security_compliance
GET
/v3/domains/{domain_id}/config/security_compliance/{option}
HEAD
/v3/domains/{domain_id}/config/security_compliance/{option}
- Scope Types:
system
domain
project
Get security compliance domain configuration for either a domain or a specific option in a domain.
identity:update_domain_config
- Default:
rule:admin_required
- Operations:
PATCH
/v3/domains/{domain_id}/config
PATCH
/v3/domains/{domain_id}/config/{group}
PATCH
/v3/domains/{domain_id}/config/{group}/{option}
- Scope Types:
system
project
Update domain configuration for either a domain, specific group or a specific option in a group.
identity:delete_domain_config
- Default:
rule:admin_required
- Operations:
DELETE
/v3/domains/{domain_id}/config
DELETE
/v3/domains/{domain_id}/config/{group}
DELETE
/v3/domains/{domain_id}/config/{group}/{option}
- Scope Types:
system
project
Delete domain configuration for either a domain, specific group or a specific option in a group.
identity:get_domain_config_default
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/domains/config/default
HEAD
/v3/domains/config/default
GET
/v3/domains/config/{group}/default
HEAD
/v3/domains/config/{group}/default
GET
/v3/domains/config/{group}/{option}/default
HEAD
/v3/domains/config/{group}/{option}/default
- Scope Types:
system
project
Get domain configuration default for either a domain, specific group or a specific option in a group.
identity:ec2_get_credential
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations:
GET
/v3/users/{user_id}/credentials/OS-EC2/{credential_id}
- Scope Types:
system
project
Show ec2 credential details.
identity:ec2_list_credentials
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or rule:owner
- Operations:
GET
/v3/users/{user_id}/credentials/OS-EC2
- Scope Types:
system
project
List ec2 credentials.
identity:ec2_create_credential
- Default:
rule:admin_or_owner
- Operations:
POST
/v3/users/{user_id}/credentials/OS-EC2
- Scope Types:
system
project
Create ec2 credential.
identity:ec2_delete_credential
- Default:
(rule:admin_required) or user_id:%(target.credential.user_id)s
- Operations:
DELETE
/v3/users/{user_id}/credentials/OS-EC2/{credential_id}
- Scope Types:
system
project
Delete ec2 credential.
identity:get_endpoint
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/endpoints/{endpoint_id}
- Scope Types:
system
project
Show endpoint details.
identity:list_endpoints
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/endpoints
- Scope Types:
system
project
List endpoints.
identity:create_endpoint
- Default:
rule:admin_required
- Operations:
POST
/v3/endpoints
- Scope Types:
system
project
Create endpoint.
identity:update_endpoint
- Default:
rule:admin_required
- Operations:
PATCH
/v3/endpoints/{endpoint_id}
- Scope Types:
system
project
Update endpoint.
identity:delete_endpoint
- Default:
rule:admin_required
- Operations:
DELETE
/v3/endpoints/{endpoint_id}
- Scope Types:
system
project
Delete endpoint.
identity:create_endpoint_group
- Default:
rule:admin_required
- Operations:
POST
/v3/OS-EP-FILTER/endpoint_groups
- Scope Types:
system
project
Create endpoint group.
identity:list_endpoint_groups
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-EP-FILTER/endpoint_groups
- Scope Types:
system
project
List endpoint groups.
identity:get_endpoint_group
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
HEAD
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- Scope Types:
system
project
Get endpoint group.
identity:update_endpoint_group
- Default:
rule:admin_required
- Operations:
PATCH
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- Scope Types:
system
project
Update endpoint group.
identity:delete_endpoint_group
- Default:
rule:admin_required
- Operations:
DELETE
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- Scope Types:
system
project
Delete endpoint group.
identity:list_projects_associated_with_endpoint_group
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
- Scope Types:
system
project
List all projects associated with a specific endpoint group.
identity:list_endpoints_associated_with_endpoint_group
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
- Scope Types:
system
project
List all endpoints associated with an endpoint group.
identity:get_endpoint_group_in_project
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
HEAD
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- Scope Types:
system
project
Check if an endpoint group is associated with a project.
identity:list_endpoint_groups_for_project
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
- Scope Types:
system
project
List endpoint groups associated with a specific project.
identity:add_endpoint_group_to_project
- Default:
rule:admin_required
- Operations:
PUT
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- Scope Types:
system
project
Allow a project to access an endpoint group.
identity:remove_endpoint_group_from_project
- Default:
rule:admin_required
- Operations:
DELETE
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- Scope Types:
system
project
Remove endpoint group from project.
identity:check_grant
- Default:
(rule:admin_required) or ((role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s))
- Operations:
HEAD
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
GET
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
HEAD
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
GET
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
HEAD
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
GET
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
HEAD
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
GET
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
HEAD
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
GET
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
HEAD
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
GET
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
HEAD
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
GET
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
HEAD
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
GET
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- Scope Types:
system
domain
project
Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
identity:list_grants
- Default:
(rule:admin_required) or ((role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))
- Operations:
GET
/v3/projects/{project_id}/users/{user_id}/roles
HEAD
/v3/projects/{project_id}/users/{user_id}/roles
GET
/v3/projects/{project_id}/groups/{group_id}/roles
HEAD
/v3/projects/{project_id}/groups/{group_id}/roles
GET
/v3/domains/{domain_id}/users/{user_id}/roles
HEAD
/v3/domains/{domain_id}/users/{user_id}/roles
GET
/v3/domains/{domain_id}/groups/{group_id}/roles
HEAD
/v3/domains/{domain_id}/groups/{group_id}/roles
GET
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
GET
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
- Scope Types:
system
domain
project
List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain.
identity:create_grant
- Default:
(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s) or ((role:manager and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:manager and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:manager and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:manager and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and rule:domain_managed_target_role
- Operations:
PUT
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
PUT
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
PUT
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
PUT
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
PUT
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
PUT
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
PUT
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
PUT
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- Scope Types:
system
domain
project
Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
identity:revoke_grant
- Default:
(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s) or ((role:manager and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:manager and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:manager and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:manager and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and rule:domain_managed_target_role
- Operations:
DELETE
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
DELETE
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
DELETE
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
DELETE
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
DELETE
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
DELETE
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
DELETE
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
DELETE
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- Scope Types:
system
domain
project
Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target’s projects subtree.
identity:list_system_grants_for_user
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
[‘HEAD’, ‘GET’]
/v3/system/users/{user_id}/roles
- Scope Types:
system
project
List all grants a specific user has on the system.
identity:check_system_grant_for_user
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
[‘HEAD’, ‘GET’]
/v3/system/users/{user_id}/roles/{role_id}
- Scope Types:
system
project
Check if a user has a role on the system.
identity:create_system_grant_for_user
- Default:
rule:admin_required
- Operations:
[‘PUT’]
/v3/system/users/{user_id}/roles/{role_id}
- Scope Types:
system
project
Grant a user a role on the system.
identity:revoke_system_grant_for_user
- Default:
rule:admin_required
- Operations:
[‘DELETE’]
/v3/system/users/{user_id}/roles/{role_id}
- Scope Types:
system
project
Remove a role from a user on the system.
identity:list_system_grants_for_group
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
[‘HEAD’, ‘GET’]
/v3/system/groups/{group_id}/roles
- Scope Types:
system
project
List all grants a specific group has on the system.
identity:check_system_grant_for_group
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
[‘HEAD’, ‘GET’]
/v3/system/groups/{group_id}/roles/{role_id}
- Scope Types:
system
project
Check if a group has a role on the system.
identity:create_system_grant_for_group
- Default:
rule:admin_required
- Operations:
[‘PUT’]
/v3/system/groups/{group_id}/roles/{role_id}
- Scope Types:
system
project
Grant a group a role on the system.
identity:revoke_system_grant_for_group
- Default:
rule:admin_required
- Operations:
[‘DELETE’]
/v3/system/groups/{group_id}/roles/{role_id}
- Scope Types:
system
project
Remove a role from a group on the system.
identity:get_group
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
- Operations:
GET
/v3/groups/{group_id}
HEAD
/v3/groups/{group_id}
- Scope Types:
system
domain
project
Show group details.
identity:list_groups
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
- Operations:
GET
/v3/groups
HEAD
/v3/groups
- Scope Types:
system
domain
project
List groups.
identity:list_groups_for_user
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s
- Operations:
GET
/v3/users/{user_id}/groups
HEAD
/v3/users/{user_id}/groups
- Scope Types:
system
domain
project
List groups to which a user belongs.
identity:create_group
- Default:
(rule:admin_required) or (role:manager and domain_id:%(target.group.domain_id)s)
- Operations:
POST
/v3/groups
- Scope Types:
system
domain
project
Create group.
identity:update_group
- Default:
(rule:admin_required) or (role:manager and domain_id:%(target.group.domain_id)s)
- Operations:
PATCH
/v3/groups/{group_id}
- Scope Types:
system
domain
project
Update group.
identity:delete_group
- Default:
(rule:admin_required) or (role:manager and domain_id:%(target.group.domain_id)s)
- Operations:
DELETE
/v3/groups/{group_id}
- Scope Types:
system
domain
project
Delete group.
identity:list_users_in_group
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
- Operations:
GET
/v3/groups/{group_id}/users
HEAD
/v3/groups/{group_id}/users
- Scope Types:
system
domain
project
List members of a specific group.
identity:remove_user_from_group
- Default:
(rule:admin_required) or (role:manager and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)
- Operations:
DELETE
/v3/groups/{group_id}/users/{user_id}
- Scope Types:
system
domain
project
Remove user from group.
identity:check_user_in_group
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)
- Operations:
HEAD
/v3/groups/{group_id}/users/{user_id}
GET
/v3/groups/{group_id}/users/{user_id}
- Scope Types:
system
domain
project
Check whether a user is a member of a group.
identity:add_user_to_group
- Default:
(rule:admin_required) or (role:manager and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)
- Operations:
PUT
/v3/groups/{group_id}/users/{user_id}
- Scope Types:
system
domain
project
Add user to group.
identity:create_identity_provider
- Default:
rule:admin_required
- Operations:
PUT
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types:
system
project
Create identity provider.
identity:list_identity_providers
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-FEDERATION/identity_providers
HEAD
/v3/OS-FEDERATION/identity_providers
- Scope Types:
system
project
List identity providers.
identity:get_identity_provider
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-FEDERATION/identity_providers/{idp_id}
HEAD
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types:
system
project
Get identity provider.
identity:update_identity_provider
- Default:
rule:admin_required
- Operations:
PATCH
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types:
system
project
Update identity provider.
identity:delete_identity_provider
- Default:
rule:admin_required
- Operations:
DELETE
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types:
system
project
Delete identity provider.
identity:get_implied_role
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types:
system
project
Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:list_implied_roles
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/roles/{prior_role_id}/implies
HEAD
/v3/roles/{prior_role_id}/implies
- Scope Types:
system
project
List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role.
identity:create_implied_role
- Default:
rule:admin_required
- Operations:
PUT
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types:
system
project
Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:delete_implied_role
- Default:
rule:admin_required
- Operations:
DELETE
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types:
system
project
Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.
identity:list_role_inference_rules
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/role_inferences
HEAD
/v3/role_inferences
- Scope Types:
system
project
List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:check_implied_role
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
HEAD
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types:
system
project
Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:get_limit_model
- Default:
<empty string>
- Operations:
GET
/v3/limits/model
HEAD
/v3/limits/model
- Scope Types:
system
domain
project
Get limit enforcement model.
identity:get_limit
- Default:
rule:admin_required or (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)
- Operations:
GET
/v3/limits/{limit_id}
HEAD
/v3/limits/{limit_id}
- Scope Types:
system
domain
project
Show limit details.
identity:list_limits
- Default:
<empty string>
- Operations:
GET
/v3/limits
HEAD
/v3/limits
- Scope Types:
system
domain
project
List limits.
identity:create_limits
- Default:
rule:admin_required
- Operations:
POST
/v3/limits
- Scope Types:
system
project
Create limits.
identity:update_limit
- Default:
rule:admin_required
- Operations:
PATCH
/v3/limits/{limit_id}
- Scope Types:
system
project
Update limit.
identity:delete_limit
- Default:
rule:admin_required
- Operations:
DELETE
/v3/limits/{limit_id}
- Scope Types:
system
project
Delete limit.
identity:create_mapping
- Default:
rule:admin_required
- Operations:
PUT
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types:
system
project
Create a new federated mapping containing one or more sets of rules.
identity:get_mapping
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-FEDERATION/mappings/{mapping_id}
HEAD
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types:
system
project
Get a federated mapping.
identity:list_mappings
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-FEDERATION/mappings
HEAD
/v3/OS-FEDERATION/mappings
- Scope Types:
system
project
List federated mappings.
identity:delete_mapping
- Default:
rule:admin_required
- Operations:
DELETE
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types:
system
project
Delete a federated mapping.
identity:update_mapping
- Default:
rule:admin_required
- Operations:
PATCH
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types:
system
project
Update a federated mapping.
identity:get_policy
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/policies/{policy_id}
- Scope Types:
system
project
Show policy details.
identity:list_policies
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/policies
- Scope Types:
system
project
List policies.
identity:create_policy
- Default:
rule:admin_required
- Operations:
POST
/v3/policies
- Scope Types:
system
project
Create policy.
identity:update_policy
- Default:
rule:admin_required
- Operations:
PATCH
/v3/policies/{policy_id}
- Scope Types:
system
project
Update policy.
identity:delete_policy
- Default:
rule:admin_required
- Operations:
DELETE
/v3/policies/{policy_id}
- Scope Types:
system
project
Delete policy.
identity:create_policy_association_for_endpoint
- Default:
rule:admin_required
- Operations:
PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- Scope Types:
system
project
Associate a policy to a specific endpoint.
identity:check_policy_association_for_endpoint
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- Scope Types:
system
project
Check policy association for endpoint.
identity:delete_policy_association_for_endpoint
- Default:
rule:admin_required
- Operations:
DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- Scope Types:
system
project
Delete policy association for endpoint.
identity:create_policy_association_for_service
- Default:
rule:admin_required
- Operations:
PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- Scope Types:
system
project
Associate a policy to a specific service.
identity:check_policy_association_for_service
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- Scope Types:
system
project
Check policy association for service.
identity:delete_policy_association_for_service
- Default:
rule:admin_required
- Operations:
DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- Scope Types:
system
project
Delete policy association for service.
identity:create_policy_association_for_region_and_service
- Default:
rule:admin_required
- Operations:
PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- Scope Types:
system
project
Associate a policy to a specific region and service combination.
identity:check_policy_association_for_region_and_service
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- Scope Types:
system
project
Check policy association for region and service.
identity:delete_policy_association_for_region_and_service
- Default:
rule:admin_required
- Operations:
DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- Scope Types:
system
project
Delete policy association for region and service.
identity:get_policy_for_endpoint
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
HEAD
/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
- Scope Types:
system
project
Get policy for endpoint.
identity:list_endpoints_for_policy
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
- Scope Types:
system
project
List endpoints for policy.
identity:get_project
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
- Operations:
GET
/v3/projects/{project_id}
- Scope Types:
system
domain
project
Show project details.
identity:list_projects
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
- Operations:
GET
/v3/projects
- Scope Types:
system
domain
project
List projects.
identity:list_user_projects
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s
- Operations:
GET
/v3/users/{user_id}/projects
- Scope Types:
system
domain
project
List projects for user.
identity:create_project
- Default:
(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)
- Operations:
POST
/v3/projects
- Scope Types:
system
domain
project
Create project.
identity:update_project
- Default:
(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)
- Operations:
PATCH
/v3/projects/{project_id}
- Scope Types:
system
domain
project
Update project.
identity:delete_project
- Default:
(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)
- Operations:
DELETE
/v3/projects/{project_id}
- Scope Types:
system
domain
project
Delete project.
identity:list_project_tags
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
- Operations:
GET
/v3/projects/{project_id}/tags
HEAD
/v3/projects/{project_id}/tags
- Scope Types:
system
domain
project
List tags for a project.
identity:get_project_tag
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
- Operations:
GET
/v3/projects/{project_id}/tags/{value}
HEAD
/v3/projects/{project_id}/tags/{value}
- Scope Types:
system
domain
project
Check if project contains a tag.
identity:update_project_tags
- Default:
(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)
- Operations:
PUT
/v3/projects/{project_id}/tags
- Scope Types:
system
domain
project
Replace all tags on a project with the new set of tags.
identity:create_project_tag
- Default:
(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)
- Operations:
PUT
/v3/projects/{project_id}/tags/{value}
- Scope Types:
system
domain
project
Add a single tag to a project.
identity:delete_project_tags
- Default:
(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)
- Operations:
DELETE
/v3/projects/{project_id}/tags
- Scope Types:
system
domain
project
Remove all tags from a project.
identity:delete_project_tag
- Default:
(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)
- Operations:
DELETE
/v3/projects/{project_id}/tags/{value}
- Scope Types:
system
domain
project
Delete a specified tag from project.
identity:list_projects_for_endpoint
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
- Scope Types:
system
project
List projects allowed to access an endpoint.
identity:add_endpoint_to_project
- Default:
rule:admin_required
- Operations:
PUT
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- Scope Types:
system
project
Allow project to access an endpoint.
identity:check_endpoint_in_project
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
HEAD
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- Scope Types:
system
project
Check if a project is allowed to access an endpoint.
identity:list_endpoints_for_project
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoints
- Scope Types:
system
project
List the endpoints a project is allowed to access.
identity:remove_endpoint_from_project
- Default:
rule:admin_required
- Operations:
DELETE
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- Scope Types:
system
project
Remove access to an endpoint from a project that has previously been given explicit access.
identity:create_protocol
- Default:
rule:admin_required
- Operations:
PUT
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types:
system
project
Create federated protocol.
identity:update_protocol
- Default:
rule:admin_required
- Operations:
PATCH
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types:
system
project
Update federated protocol.
identity:get_protocol
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types:
system
project
Get federated protocol.
identity:list_protocols
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
- Scope Types:
system
project
List federated protocols.
identity:delete_protocol
- Default:
rule:admin_required
- Operations:
DELETE
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types:
system
project
Delete federated protocol.
identity:get_region
- Default:
<empty string>
- Operations:
GET
/v3/regions/{region_id}
HEAD
/v3/regions/{region_id}
- Scope Types:
system
domain
project
Show region details.
identity:list_regions
- Default:
<empty string>
- Operations:
GET
/v3/regions
HEAD
/v3/regions
- Scope Types:
system
domain
project
List regions.
identity:create_region
- Default:
rule:admin_required
- Operations:
POST
/v3/regions
PUT
/v3/regions/{region_id}
- Scope Types:
system
project
Create region.
identity:update_region
- Default:
rule:admin_required
- Operations:
PATCH
/v3/regions/{region_id}
- Scope Types:
system
project
Update region.
identity:delete_region
- Default:
rule:admin_required
- Operations:
DELETE
/v3/regions/{region_id}
- Scope Types:
system
project
Delete region.
identity:get_registered_limit
- Default:
<empty string>
- Operations:
GET
/v3/registered_limits/{registered_limit_id}
HEAD
/v3/registered_limits/{registered_limit_id}
- Scope Types:
system
domain
project
Show registered limit details.
identity:list_registered_limits
- Default:
<empty string>
- Operations:
GET
/v3/registered_limits
HEAD
/v3/registered_limits
- Scope Types:
system
domain
project
List registered limits.
identity:create_registered_limits
- Default:
rule:admin_required
- Operations:
POST
/v3/registered_limits
- Scope Types:
system
project
Create registered limits.
identity:update_registered_limit
- Default:
rule:admin_required
- Operations:
PATCH
/v3/registered_limits/{registered_limit_id}
- Scope Types:
system
project
Update registered limit.
identity:delete_registered_limit
- Default:
rule:admin_required
- Operations:
DELETE
/v3/registered_limits/{registered_limit_id}
- Scope Types:
system
project
Delete registered limit.
identity:list_revoke_events
- Default:
rule:service_or_admin
- Operations:
GET
/v3/OS-REVOKE/events
- Scope Types:
system
project
List revocation events.
identity:get_role
- Default:
(rule:admin_required or (role:reader and system_scope:all)) or (role:manager and rule:domain_managed_target_role)
- Operations:
GET
/v3/roles/{role_id}
HEAD
/v3/roles/{role_id}
- Scope Types:
system
domain
project
Show role details.
identity:list_roles
- Default:
(rule:admin_required or (role:reader and system_scope:all)) or (role:manager and not domain_id:None)
- Operations:
GET
/v3/roles
HEAD
/v3/roles
- Scope Types:
system
domain
project
List roles.
identity:create_role
- Default:
rule:admin_required
- Operations:
POST
/v3/roles
- Scope Types:
system
project
Create role.
identity:update_role
- Default:
rule:admin_required
- Operations:
PATCH
/v3/roles/{role_id}
- Scope Types:
system
project
Update role.
identity:delete_role
- Default:
rule:admin_required
- Operations:
DELETE
/v3/roles/{role_id}
- Scope Types:
system
project
Delete role.
identity:get_domain_role
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/roles/{role_id}
HEAD
/v3/roles/{role_id}
- Scope Types:
system
project
Show domain role.
identity:list_domain_roles
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/roles?domain_id={domain_id}
HEAD
/v3/roles?domain_id={domain_id}
- Scope Types:
system
project
List domain roles.
identity:create_domain_role
- Default:
rule:admin_required
- Operations:
POST
/v3/roles
- Scope Types:
system
project
Create domain role.
identity:update_domain_role
- Default:
rule:admin_required
- Operations:
PATCH
/v3/roles/{role_id}
- Scope Types:
system
project
Update domain role.
identity:delete_domain_role
- Default:
rule:admin_required
- Operations:
DELETE
/v3/roles/{role_id}
- Scope Types:
system
project
Delete domain role.
identity:list_role_assignments
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
- Operations:
GET
/v3/role_assignments
HEAD
/v3/role_assignments
- Scope Types:
system
domain
project
List role assignments.
identity:list_role_assignments_for_tree
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
- Operations:
GET
/v3/role_assignments?include_subtree
HEAD
/v3/role_assignments?include_subtree
- Scope Types:
system
domain
project
List all role assignments for a given tree of hierarchical projects.
identity:get_service
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/services/{service_id}
- Scope Types:
system
project
Show service details.
identity:list_services
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/services
- Scope Types:
system
project
List services.
identity:create_service
- Default:
rule:admin_required
- Operations:
POST
/v3/services
- Scope Types:
system
project
Create service.
identity:update_service
- Default:
rule:admin_required
- Operations:
PATCH
/v3/services/{service_id}
- Scope Types:
system
project
Update service.
identity:delete_service
- Default:
rule:admin_required
- Operations:
DELETE
/v3/services/{service_id}
- Scope Types:
system
project
Delete service.
identity:create_service_provider
- Default:
rule:admin_required
- Operations:
PUT
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types:
system
project
Create federated service provider.
identity:list_service_providers
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-FEDERATION/service_providers
HEAD
/v3/OS-FEDERATION/service_providers
- Scope Types:
system
project
List federated service providers.
identity:get_service_provider
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-FEDERATION/service_providers/{service_provider_id}
HEAD
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types:
system
project
Get federated service provider.
identity:update_service_provider
- Default:
rule:admin_required
- Operations:
PATCH
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types:
system
project
Update federated service provider.
identity:delete_service_provider
- Default:
rule:admin_required
- Operations:
DELETE
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types:
system
project
Delete federated service provider.
identity:revocation_list
- Default:
rule:service_or_admin
- Operations:
GET
/v3/auth/tokens/OS-PKI/revoked
- Scope Types:
system
project
List revoked PKI tokens.
identity:check_token
- Default:
rule:admin_required or (role:reader and system_scope:all) or rule:token_subject
- Operations:
HEAD
/v3/auth/tokens
- Scope Types:
system
domain
project
Check a token.
identity:validate_token
- Default:
rule:admin_required or (role:reader and system_scope:all) or rule:service_role or rule:token_subject
- Operations:
GET
/v3/auth/tokens
- Scope Types:
system
domain
project
Validate a token.
identity:revoke_token
- Default:
rule:admin_required or rule:token_subject
- Operations:
DELETE
/v3/auth/tokens
- Scope Types:
system
domain
project
Revoke a token.
identity:create_trust
- Default:
user_id:%(trust.trustor_user_id)s
- Operations:
POST
/v3/OS-TRUST/trusts
- Scope Types:
project
Create trust.
identity:list_trusts
- Default:
rule:admin_required or (role:reader and system_scope:all)
- Operations:
GET
/v3/OS-TRUST/trusts
HEAD
/v3/OS-TRUST/trusts
- Scope Types:
system
project
List trusts.
identity:list_trusts_for_trustor
- Default:
(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s)
- Operations:
GET
/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
HEAD
/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
- Scope Types:
system
project
List trusts for trustor.
identity:list_trusts_for_trustee
- Default:
(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s)
- Operations:
GET
/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
HEAD
/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
- Scope Types:
system
project
List trusts for trustee.
identity:list_roles_for_trust
- Default:
(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)
- Operations:
GET
/v3/OS-TRUST/trusts/{trust_id}/roles
HEAD
/v3/OS-TRUST/trusts/{trust_id}/roles
- Scope Types:
system
project
List roles delegated by a trust.
identity:get_role_for_trust
- Default:
(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)
- Operations:
GET
/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
HEAD
/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
- Scope Types:
system
project
Check if trust delegates a particular role.
identity:delete_trust
- Default:
rule:admin_required or user_id:%(target.trust.trustor_user_id)s
- Operations:
DELETE
/v3/OS-TRUST/trusts/{trust_id}
- Scope Types:
system
project
Revoke trust.
identity:get_trust
- Default:
(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)
- Operations:
GET
/v3/OS-TRUST/trusts/{trust_id}
HEAD
/v3/OS-TRUST/trusts/{trust_id}
- Scope Types:
system
project
Get trust.
identity:get_user
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s
- Operations:
GET
/v3/users/{user_id}
HEAD
/v3/users/{user_id}
- Scope Types:
system
domain
project
Show user details.
identity:list_users
- Default:
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
- Operations:
GET
/v3/users
HEAD
/v3/users
- Scope Types:
system
domain
project
List users.
identity:list_projects_for_user
- Default:
<empty string>
- Operations:
GET `` /v3/auth/projects``
List all projects a user has access to via role assignments.
identity:list_domains_for_user
- Default:
<empty string>
- Operations:
GET
/v3/auth/domains
List all domains a user has access to via role assignments.
identity:create_user
- Default:
(rule:admin_required) or (role:manager and token.domain.id:%(target.user.domain_id)s)
- Operations:
POST
/v3/users
- Scope Types:
system
domain
project
Create a user.
identity:update_user
- Default:
(rule:admin_required) or (role:manager and token.domain.id:%(target.user.domain_id)s)
- Operations:
PATCH
/v3/users/{user_id}
- Scope Types:
system
domain
project
Update a user, including administrative password resets.
identity:delete_user
- Default:
(rule:admin_required) or (role:manager and token.domain.id:%(target.user.domain_id)s)
- Operations:
DELETE
/v3/users/{user_id}
- Scope Types:
system
domain
project
Delete a user.