Sample Policy File

The following is a sample neutron policy file for adaptation and use.

The sample policy can also be viewed in file form.

Important

The sample policy file is auto-generated from neutron when this documentation is built. You must ensure your version of neutron matches the version of this documentation.

# Rule for cloud admin access
#"context_is_admin": "role:admin"

# Default rule for the service-to-service APIs.
#"service_api": "role:service"

# Rule for resource owner access
#"owner": "tenant_id:%(tenant_id)s"

# Rule for admin or owner access
#"admin_or_owner": "rule:context_is_admin or rule:owner"

# Rule for advsvc role access
#"context_is_advsvc": "role:advsvc"

# Rule for admin or network owner access
#"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s"

# Rule for resource owner, admin or network owner access
#"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner"

# Rule for network owner access
#"network_owner": "tenant_id:%(network:tenant_id)s"

# Rule for admin-only access
#"admin_only": "rule:context_is_admin"

# Rule for regular user access
#"regular_user": ""

# Rule of shared network
#"shared": "field:networks:shared=True"

# Default access rule
#"default": "rule:admin_or_owner"

# Rule for common parent owner check
#"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s"

# Rule for common parent owner check
#"ext_parent_owner": "tenant_id:%(ext_parent:tenant_id)s"

# Rule for security group owner access
#"sg_owner": "tenant_id:%(security_group:tenant_id)s"

# Definition of a shared address group
#"shared_address_groups": "field:address_groups:shared=True"

# Get an address group
# GET  /address-groups
# GET  /address-groups/{id}
# Intended scope(s): project
#"get_address_group": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups"

# DEPRECATED
# "get_address_group":"rule:admin_or_owner or
# rule:shared_address_groups" has been deprecated since W in favor of
# "get_address_group":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:shared_address_groups".
# The Address scope API now supports system scope and default roles.

# Definition of a shared address scope
#"shared_address_scopes": "field:address_scopes:shared=True"

# Create an address scope
# POST  /address-scopes
# Intended scope(s): project
#"create_address_scope": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_address_scope":"rule:regular_user" has been deprecated since
# W in favor of "create_address_scope":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The Address scope API now supports system scope and default roles.

# Create a shared address scope
# POST  /address-scopes
# Intended scope(s): project
#"create_address_scope:shared": "rule:admin_only"

# DEPRECATED
# "create_address_scope:shared":"rule:admin_only" has been deprecated
# since W in favor of "create_address_scope:shared":"rule:admin_only".
# The Address scope API now supports system scope and default roles.

# Get an address scope
# GET  /address-scopes
# GET  /address-scopes/{id}
# Intended scope(s): project
#"get_address_scope": "rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_address_scopes"

# DEPRECATED
# "get_address_scope":"rule:admin_or_owner or
# rule:shared_address_scopes" has been deprecated since W in favor of
# "get_address_scope":"rule:admin_only or role:reader and
# project_id:%(project_id)s or rule:shared_address_scopes".
# The Address scope API now supports system scope and default roles.

# Update an address scope
# PUT  /address-scopes/{id}
# Intended scope(s): project
#"update_address_scope": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_address_scope":"rule:admin_or_owner" has been deprecated
# since W in favor of "update_address_scope":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The Address scope API now supports system scope and default roles.

# Update ``shared`` attribute of an address scope
# PUT  /address-scopes/{id}
# Intended scope(s): project
#"update_address_scope:shared": "rule:admin_only"

# DEPRECATED
# "update_address_scope:shared":"rule:admin_only" has been deprecated
# since W in favor of "update_address_scope:shared":"rule:admin_only".
# The Address scope API now supports system scope and default roles.

# Delete an address scope
# DELETE  /address-scopes/{id}
# Intended scope(s): project
#"delete_address_scope": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_address_scope":"rule:admin_or_owner" has been deprecated
# since W in favor of "delete_address_scope":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The Address scope API now supports system scope and default roles.

# Create an agent
# POST  /agents/{id}
# Intended scope(s): project
#"create_agent": "rule:admin_only"

# Get an agent
# GET  /agents
# GET  /agents/{id}
# Intended scope(s): project
#"get_agent": "rule:admin_only"

# DEPRECATED
# "get_agent":"rule:admin_only" has been deprecated since W in favor
# of "get_agent":"rule:admin_only".
# The Agent API now supports project scope and default roles.

# Update an agent
# PUT  /agents/{id}
# Intended scope(s): project
#"update_agent": "rule:admin_only"

# DEPRECATED
# "update_agent":"rule:admin_only" has been deprecated since W in
# favor of "update_agent":"rule:admin_only".
# The Agent API now supports project scope and default roles.

# Delete an agent
# DELETE  /agents/{id}
# Intended scope(s): project
#"delete_agent": "rule:admin_only"

# DEPRECATED
# "delete_agent":"rule:admin_only" has been deprecated since W in
# favor of "delete_agent":"rule:admin_only".
# The Agent API now supports project scope and default roles.

# Add a network to a DHCP agent
# POST  /agents/{agent_id}/dhcp-networks
# Intended scope(s): project
#"create_dhcp-network": "rule:admin_only"

# DEPRECATED
# "create_dhcp-network":"rule:admin_only" has been deprecated since W
# in favor of "create_dhcp-network":"rule:admin_only".
# The Agent API now supports project scope and default roles.

# List networks on a DHCP agent
# GET  /agents/{agent_id}/dhcp-networks
# Intended scope(s): project
#"get_dhcp-networks": "rule:admin_only"

# DEPRECATED
# "get_dhcp-networks":"rule:admin_only" has been deprecated since W in
# favor of "get_dhcp-networks":"rule:admin_only".
# The Agent API now supports project scope and default roles.

# Remove a network from a DHCP agent
# DELETE  /agents/{agent_id}/dhcp-networks/{network_id}
# Intended scope(s): project
#"delete_dhcp-network": "rule:admin_only"

# DEPRECATED
# "delete_dhcp-network":"rule:admin_only" has been deprecated since W
# in favor of "delete_dhcp-network":"rule:admin_only".
# The Agent API now supports project scope and default roles.

# Add a router to an L3 agent
# POST  /agents/{agent_id}/l3-routers
# Intended scope(s): project
#"create_l3-router": "rule:admin_only"

# DEPRECATED
# "create_l3-router":"rule:admin_only" has been deprecated since W in
# favor of "create_l3-router":"rule:admin_only".
# The Agent API now supports project scope and default roles.

# List routers on an L3 agent
# GET  /agents/{agent_id}/l3-routers
# Intended scope(s): project
#"get_l3-routers": "rule:admin_only"

# DEPRECATED
# "get_l3-routers":"rule:admin_only" has been deprecated since W in
# favor of "get_l3-routers":"rule:admin_only".
# The Agent API now supports project scope and default roles.

# Remove a router from an L3 agent
# DELETE  /agents/{agent_id}/l3-routers/{router_id}
# Intended scope(s): project
#"delete_l3-router": "rule:admin_only"

# DEPRECATED
# "delete_l3-router":"rule:admin_only" has been deprecated since W in
# favor of "delete_l3-router":"rule:admin_only".
# The Agent API now supports project scope and default roles.

# List DHCP agents hosting a network
# GET  /networks/{network_id}/dhcp-agents
# Intended scope(s): project
#"get_dhcp-agents": "rule:admin_only"

# DEPRECATED
# "get_dhcp-agents":"rule:admin_only" has been deprecated since W in
# favor of "get_dhcp-agents":"rule:admin_only".
# The Agent API now supports project scope and default roles.

# List L3 agents hosting a router
# GET  /routers/{router_id}/l3-agents
# Intended scope(s): project
#"get_l3-agents": "rule:admin_only"

# DEPRECATED
# "get_l3-agents":"rule:admin_only" has been deprecated since W in
# favor of "get_l3-agents":"rule:admin_only".
# The Agent API now supports project scope and default roles.

# Get a project's auto-allocated topology
# GET  /auto-allocated-topology/{project_id}
# Intended scope(s): project
#"get_auto_allocated_topology": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_auto_allocated_topology":"rule:admin_or_owner" has been
# deprecated since W in favor of
# "get_auto_allocated_topology":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)".
# The Auto allocated topology API now supports system scope and
# default roles.

# Delete a project's auto-allocated topology
# DELETE  /auto-allocated-topology/{project_id}
# Intended scope(s): project
#"delete_auto_allocated_topology": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_auto_allocated_topology":"rule:admin_or_owner" has been
# deprecated since W in favor of
# "delete_auto_allocated_topology":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The Auto allocated topology API now supports system scope and
# default roles.

# List availability zones
# GET  /availability_zones
# Intended scope(s): project
#"get_availability_zone": "role:reader"

# DEPRECATED
# "get_availability_zone":"rule:regular_user" has been deprecated
# since W in favor of "get_availability_zone":"role:reader".
# The Availability Zone API now supports project scope and default
# roles.

# Create a templated of the security group rule
# POST  /default-security-group-rules
# Intended scope(s): project
#"create_default_security_group_rule": "rule:admin_only"

# DEPRECATED
# "create_default_security_group_rule":"rule:admin_only" has been
# deprecated since 2023.2 in favor of
# "create_default_security_group_rule":"rule:admin_only".
# The default security group rules API supports system scope and
# default roles.

# Get a templated of the security group rule
# GET  /default-security-group-rules
# GET  /default-security-group-rules/{id}
# Intended scope(s): project
#"get_default_security_group_rule": "role:reader"

# DEPRECATED
# "get_default_security_group_rule":"rule:regular_user" has been
# deprecated since 2023.2 in favor of
# "get_default_security_group_rule":"role:reader".
# The default security group rules API supports system scope and
# default roles.

# Delete a templated of the security group rule
# DELETE  /default-security-group-rules/{id}
# Intended scope(s): project
#"delete_default_security_group_rule": "rule:admin_only"

# DEPRECATED
# "delete_default_security_group_rule":"rule:admin_only" has been
# deprecated since 2023.2 in favor of
# "delete_default_security_group_rule":"rule:admin_only".
# The default security group rules API supports system scope and
# default roles.

# Create a flavor
# POST  /flavors
# Intended scope(s): project
#"create_flavor": "rule:admin_only"

# DEPRECATED
# "create_flavor":"rule:admin_only" has been deprecated since W in
# favor of "create_flavor":"rule:admin_only".
# The flavor API now supports project scope and default roles.

# Get a flavor
# GET  /flavors
# GET  /flavors/{id}
# Intended scope(s): project
#"get_flavor": "role:reader"

# DEPRECATED
# "get_flavor":"rule:regular_user" has been deprecated since W in
# favor of "get_flavor":"role:reader".
# The flavor API now supports project scope and default roles.

# Update a flavor
# PUT  /flavors/{id}
# Intended scope(s): project
#"update_flavor": "rule:admin_only"

# DEPRECATED
# "update_flavor":"rule:admin_only" has been deprecated since W in
# favor of "update_flavor":"rule:admin_only".
# The flavor API now supports project scope and default roles.

# Delete a flavor
# DELETE  /flavors/{id}
# Intended scope(s): project
#"delete_flavor": "rule:admin_only"

# DEPRECATED
# "delete_flavor":"rule:admin_only" has been deprecated since W in
# favor of "delete_flavor":"rule:admin_only".
# The flavor API now supports project scope and default roles.

# Create a service profile
# POST  /service_profiles
# Intended scope(s): project
#"create_service_profile": "rule:admin_only"

# DEPRECATED
# "create_service_profile":"rule:admin_only" has been deprecated since
# W in favor of "create_service_profile":"rule:admin_only".
# The flavor API now supports project scope and default roles.

# Get a service profile
# GET  /service_profiles
# GET  /service_profiles/{id}
# Intended scope(s): project
#"get_service_profile": "rule:admin_only"

# DEPRECATED
# "get_service_profile":"rule:admin_only" has been deprecated since W
# in favor of "get_service_profile":"rule:admin_only".
# The flavor API now supports project scope and default roles.

# Update a service profile
# PUT  /service_profiles/{id}
# Intended scope(s): project
#"update_service_profile": "rule:admin_only"

# DEPRECATED
# "update_service_profile":"rule:admin_only" has been deprecated since
# W in favor of "update_service_profile":"rule:admin_only".
# The flavor API now supports project scope and default roles.

# Delete a service profile
# DELETE  /service_profiles/{id}
# Intended scope(s): project
#"delete_service_profile": "rule:admin_only"

# DEPRECATED
# "delete_service_profile":"rule:admin_only" has been deprecated since
# W in favor of "delete_service_profile":"rule:admin_only".
# The flavor API now supports project scope and default roles.

# Get a flavor associated with a given service profiles. There is no
# corresponding GET operations in API currently. This rule is
# currently referred only in the DELETE of flavor_service_profile.
# Intended scope(s): project
#"get_flavor_service_profile": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_flavor_service_profile":"rule:regular_user" has been deprecated
# since W in favor of "get_flavor_service_profile":"(rule:admin_only)
# or (role:reader and project_id:%(project_id)s)".
# The flavor API now supports project scope and default roles.

# Associate a flavor with a service profile
# POST  /flavors/{flavor_id}/service_profiles
# Intended scope(s): project
#"create_flavor_service_profile": "rule:admin_only"

# DEPRECATED
# "create_flavor_service_profile":"rule:admin_only" has been
# deprecated since W in favor of
# "create_flavor_service_profile":"rule:admin_only".
# The flavor API now supports project scope and default roles.

# Disassociate a flavor with a service profile
# DELETE  /flavors/{flavor_id}/service_profiles/{profile_id}
# Intended scope(s): project
#"delete_flavor_service_profile": "rule:admin_only"

# DEPRECATED
# "delete_flavor_service_profile":"rule:admin_only" has been
# deprecated since W in favor of
# "delete_flavor_service_profile":"rule:admin_only".
# The flavor API now supports project scope and default roles.

# Create a floating IP
# POST  /floatingips
# Intended scope(s): project
#"create_floatingip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_floatingip":"rule:regular_user" has been deprecated since W
# in favor of "create_floatingip":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The Floating IP API now supports system scope and default roles.

# Create a floating IP with a specific IP address
# POST  /floatingips
# Intended scope(s): project
#"create_floatingip:floating_ip_address": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "create_floatingip:floating_ip_address":"rule:admin_only" has been
# deprecated since W in favor of
# "create_floatingip:floating_ip_address":"(rule:admin_only) or
# (role:manager and project_id:%(project_id)s)".
# The Floating IP API now supports system scope and default roles.

# Create the floating IP tags
# POST  /floatingips/{id}/tags
# Intended scope(s): project
#"create_floatingip:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_floatingips_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "create_floatingip:tags":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "create_floatingips_tags": "rule:create_floatingip:tags"

# Get a floating IP
# GET  /floatingips
# GET  /floatingips/{id}
# Intended scope(s): project
#"get_floatingip": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_floatingip":"rule:admin_or_owner" has been deprecated since W
# in favor of "get_floatingip":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)".
# The Floating IP API now supports system scope and default roles.

# Get the floating IP tags
# GET  /floatingips/{id}/tags
# GET  /floatingips/{id}/tags/{tag_id}
# Intended scope(s): project
#"get_floatingip:tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_floatingips_tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "get_floatingip:tags":"(rule:admin_only) or (role:reader
# and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "get_floatingips_tags": "rule:get_floatingip:tags"

# Update a floating IP
# PUT  /floatingips/{id}
# Intended scope(s): project
#"update_floatingip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_floatingip":"rule:admin_or_owner" has been deprecated since
# W in favor of "update_floatingip":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The Floating IP API now supports system scope and default roles.

# Update the floating IP tags
# PUT  /floatingips/{id}/tags
# PUT  /floatingips/{id}/tags/{tag_id}
# Intended scope(s): project
#"update_floatingip:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_floatingips_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "update_floatingip:tags":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "update_floatingips_tags": "rule:update_floatingip:tags"

# Delete a floating IP
# DELETE  /floatingips/{id}
# Intended scope(s): project
#"delete_floatingip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_floatingip":"rule:admin_or_owner" has been deprecated since
# W in favor of "delete_floatingip":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The Floating IP API now supports system scope and default roles.

# Delete the floating IP tags
# DELETE  /floatingips/{id}/tags
# DELETE  /floatingips/{id}/tags/{tag_id}
# Intended scope(s): project
#"delete_floatingips:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_floatingips_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "delete_floatingips:tags":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "delete_floatingips_tags": "rule:delete_floatingips:tags"

# Get floating IP pools
# GET  /floatingip_pools
# Intended scope(s): project
#"get_floatingip_pool": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_floatingip_pool":"rule:regular_user" has been deprecated since
# W in favor of "get_floatingip_pool":"(rule:admin_only) or
# (role:reader and project_id:%(project_id)s)".
# The Floating IP Pool API now supports system scope and default
# roles.

# Create a floating IP port forwarding
# POST  /floatingips/{floatingip_id}/port_forwardings
# Intended scope(s): project
#"create_floatingip_port_forwarding": "(rule:admin_only) or (role:member and rule:ext_parent_owner)"

# DEPRECATED
# "create_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner"
# has been deprecated since W in favor of
# "create_floatingip_port_forwarding":"(rule:admin_only) or
# (role:member and rule:ext_parent_owner)".
# The floating IP port forwarding API now supports system scope and
# default roles.

# Get a floating IP port forwarding
# GET  /floatingips/{floatingip_id}/port_forwardings
# GET  /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
# Intended scope(s): project
#"get_floatingip_port_forwarding": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)"

# DEPRECATED
# "get_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner"
# has been deprecated since W in favor of
# "get_floatingip_port_forwarding":"(rule:admin_only) or (role:reader
# and rule:ext_parent_owner)".
# The floating IP port forwarding API now supports system scope and
# default roles.

# Update a floating IP port forwarding
# PUT  /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
# Intended scope(s): project
#"update_floatingip_port_forwarding": "(rule:admin_only) or (role:member and rule:ext_parent_owner)"

# DEPRECATED
# "update_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner"
# has been deprecated since W in favor of
# "update_floatingip_port_forwarding":"(rule:admin_only) or
# (role:member and rule:ext_parent_owner)".
# The floating IP port forwarding API now supports system scope and
# default roles.

# Delete a floating IP port forwarding
# DELETE  /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
# Intended scope(s): project
#"delete_floatingip_port_forwarding": "(rule:admin_only) or (role:member and rule:ext_parent_owner)"

# DEPRECATED
# "delete_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner"
# has been deprecated since W in favor of
# "delete_floatingip_port_forwarding":"(rule:admin_only) or
# (role:member and rule:ext_parent_owner)".
# The floating IP port forwarding API now supports system scope and
# default roles.

# Create a router conntrack helper
# POST  /routers/{router_id}/conntrack_helpers
# Intended scope(s): project
#"create_router_conntrack_helper": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"

# DEPRECATED
# "create_router_conntrack_helper":"rule:admin_or_ext_parent_owner"
# has been deprecated since W in favor of
# "create_router_conntrack_helper":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s) or rule:ext_parent_owner".
# The router conntrack API now supports system scope and default
# roles.

# Get a router conntrack helper
# GET  /routers/{router_id}/conntrack_helpers
# GET  /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
# Intended scope(s): project
#"get_router_conntrack_helper": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"

# DEPRECATED
# "get_router_conntrack_helper":"rule:admin_or_ext_parent_owner" has
# been deprecated since W in favor of
# "get_router_conntrack_helper":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:ext_parent_owner".
# The router conntrack API now supports system scope and default
# roles.

# Update a router conntrack helper
# PUT  /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
# Intended scope(s): project
#"update_router_conntrack_helper": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"

# DEPRECATED
# "update_router_conntrack_helper":"rule:admin_or_ext_parent_owner"
# has been deprecated since W in favor of
# "update_router_conntrack_helper":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s) or rule:ext_parent_owner".
# The router conntrack API now supports system scope and default
# roles.

# Delete a router conntrack helper
# DELETE  /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
# Intended scope(s): project
#"delete_router_conntrack_helper": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"

# DEPRECATED
# "delete_router_conntrack_helper":"rule:admin_or_ext_parent_owner"
# has been deprecated since W in favor of
# "delete_router_conntrack_helper":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s) or rule:ext_parent_owner".
# The router conntrack API now supports system scope and default
# roles.

# Create a Local IP
# POST  /local-ips
# Intended scope(s): project
#"create_local_ip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_local_ip":"rule:regular_user" has been deprecated since W in
# favor of "create_local_ip":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The Local IP API now supports system scope and default roles.

# Get a Local IP
# GET  /local-ips
# GET  /local-ips/{id}
# Intended scope(s): project
#"get_local_ip": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_local_ip":"rule:admin_or_owner" has been deprecated since W in
# favor of "get_local_ip":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)".
# The Local IP API now supports system scope and default roles.

# Update a Local IP
# PUT  /local-ips/{id}
# Intended scope(s): project
#"update_local_ip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_local_ip":"rule:admin_or_owner" has been deprecated since W
# in favor of "update_local_ip":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The Local IP API now supports system scope and default roles.

# Delete a Local IP
# DELETE  /local-ips/{id}
# Intended scope(s): project
#"delete_local_ip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_local_ip":"rule:admin_or_owner" has been deprecated since W
# in favor of "delete_local_ip":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The Local IP API now supports system scope and default roles.

# Create a Local IP port association
# POST  /local_ips/{local_ip_id}/port_associations
# Intended scope(s): project
#"create_local_ip_port_association": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"

# DEPRECATED
# "create_local_ip_port_association":"rule:admin_or_ext_parent_owner"
# has been deprecated since W in favor of
# "create_local_ip_port_association":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s) or
# rule:ext_parent_owner".
# The Local IP API now supports system scope and default roles.

# Get a Local IP port association
# GET  /local_ips/{local_ip_id}/port_associations
# GET  /local_ips/{local_ip_id}/port_associations/{fixed_port_id}
# Intended scope(s): project
#"get_local_ip_port_association": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"

# DEPRECATED
# "get_local_ip_port_association":"rule:admin_or_ext_parent_owner" has
# been deprecated since W in favor of
# "get_local_ip_port_association":"(rule:admin_only) or (role:reader
# and project_id:%(project_id)s) or rule:ext_parent_owner".
# The Local IP API now supports system scope and default roles.

# Delete a Local IP port association
# DELETE  /local_ips/{local_ip_id}/port_associations/{fixed_port_id}
# Intended scope(s): project
#"delete_local_ip_port_association": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"

# DEPRECATED
# "delete_local_ip_port_association":"rule:admin_or_ext_parent_owner"
# has been deprecated since W in favor of
# "delete_local_ip_port_association":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s) or
# rule:ext_parent_owner".
# The Local IP API now supports system scope and default roles.

# Get loggable resources
# GET  /log/loggable-resources
# Intended scope(s): project
#"get_loggable_resource": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "get_loggable_resource":"rule:admin_only" has been deprecated since
# W in favor of "get_loggable_resource":"(rule:admin_only) or
# (role:manager and project_id:%(project_id)s)".
# The logging API now supports project scope and default roles.

# Create a network log
# POST  /log/logs
# Intended scope(s): project
#"create_log": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "create_log":"rule:admin_only" has been deprecated since W in favor
# of "create_log":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)".
# The logging API now supports project scope and default roles.

# Get a network log
# GET  /log/logs
# GET  /log/logs/{id}
# Intended scope(s): project
#"get_log": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "get_log":"rule:admin_only" has been deprecated since W in favor of
# "get_log":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)".
# The logging API now supports project scope and default roles.

# Update a network log
# PUT  /log/logs/{id}
# Intended scope(s): project
#"update_log": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "update_log":"rule:admin_only" has been deprecated since W in favor
# of "update_log":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)".
# The logging API now supports project scope and default roles.

# Delete a network log
# DELETE  /log/logs/{id}
# Intended scope(s): project
#"delete_log": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "delete_log":"rule:admin_only" has been deprecated since W in favor
# of "delete_log":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)".
# The logging API now supports project scope and default roles.

# Create a metering label
# POST  /metering/metering-labels
# Intended scope(s): project
#"create_metering_label": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "create_metering_label":"rule:admin_only" has been deprecated since
# W in favor of "create_metering_label":"(rule:admin_only) or
# (role:manager and project_id:%(project_id)s)".
# The metering API now supports system scope and default roles.

# Get a metering label
# GET  /metering/metering-labels
# GET  /metering/metering-labels/{id}
# Intended scope(s): project
#"get_metering_label": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_metering_label":"rule:admin_only" has been deprecated since W
# in favor of "get_metering_label":"(rule:admin_only) or (role:reader
# and project_id:%(project_id)s)".
# The metering API now supports system scope and default roles.

# Delete a metering label
# DELETE  /metering/metering-labels/{id}
# Intended scope(s): project
#"delete_metering_label": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "delete_metering_label":"rule:admin_only" has been deprecated since
# W in favor of "delete_metering_label":"(rule:admin_only) or
# (role:manager and project_id:%(project_id)s)".
# The metering API now supports system scope and default roles.

# Create a metering label rule
# POST  /metering/metering-label-rules
# Intended scope(s): project
#"create_metering_label_rule": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "create_metering_label_rule":"rule:admin_only" has been deprecated
# since W in favor of "create_metering_label_rule":"(rule:admin_only)
# or (role:manager and project_id:%(project_id)s)".
# The metering API now supports system scope and default roles.

# Get a metering label rule
# GET  /metering/metering-label-rules
# GET  /metering/metering-label-rules/{id}
# Intended scope(s): project
#"get_metering_label_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_metering_label_rule":"rule:admin_only" has been deprecated
# since W in favor of "get_metering_label_rule":"(rule:admin_only) or
# (role:reader and project_id:%(project_id)s)".
# The metering API now supports system scope and default roles.

# Delete a metering label rule
# DELETE  /metering/metering-label-rules/{id}
# Intended scope(s): project
#"delete_metering_label_rule": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "delete_metering_label_rule":"rule:admin_only" has been deprecated
# since W in favor of "delete_metering_label_rule":"(rule:admin_only)
# or (role:manager and project_id:%(project_id)s)".
# The metering API now supports system scope and default roles.

# Create a ndp proxy
# POST  /ndp_proxies
# Intended scope(s): project
#"create_ndp_proxy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_ndp_proxy":"rule:regular_user" has been deprecated since W
# in favor of "create_ndp_proxy":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The ndp proxy API now supports system scope and default roles.

# Get a ndp proxy
# GET  /ndp_proxies
# GET  /ndp_proxies/{id}
# Intended scope(s): project
#"get_ndp_proxy": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_ndp_proxy":"rule:admin_or_owner" has been deprecated since W in
# favor of "get_ndp_proxy":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)".
# The ndp proxy API now supports system scope and default roles.

# Update a ndp proxy
# PUT  /ndp_proxies/{id}
# Intended scope(s): project
#"update_ndp_proxy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_ndp_proxy":"rule:admin_or_owner" has been deprecated since W
# in favor of "update_ndp_proxy":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The ndp proxy API now supports system scope and default roles.

# Delete a ndp proxy
# DELETE  /ndp_proxies/{id}
# Intended scope(s): project
#"delete_ndp_proxy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_ndp_proxy":"rule:admin_or_owner" has been deprecated since W
# in favor of "delete_ndp_proxy":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The ndp proxy API now supports system scope and default roles.

# Definition of an external network
#"external": "field:networks:router:external=True"

# Create a network
# POST  /networks
# Intended scope(s): project
#"create_network": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_network":"rule:regular_user" has been deprecated since W in
# favor of "create_network":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The network API now supports system scope and default roles.

# Create a shared network
# POST  /networks
# Intended scope(s): project
#"create_network:shared": "rule:admin_only"

# DEPRECATED
# "create_network:shared":"rule:admin_only" has been deprecated since
# W in favor of "create_network:shared":"rule:admin_only".
# The network API now supports system scope and default roles.

# Create an external network
# POST  /networks
# Intended scope(s): project
#"create_network:router:external": "rule:admin_only"

# DEPRECATED
# "create_network:router:external":"rule:admin_only" has been
# deprecated since W in favor of
# "create_network:router:external":"rule:admin_only".
# The network API now supports system scope and default roles.

# Specify ``is_default`` attribute when creating a network
# POST  /networks
# Intended scope(s): project
#"create_network:is_default": "rule:admin_only"

# DEPRECATED
# "create_network:is_default":"rule:admin_only" has been deprecated
# since W in favor of "create_network:is_default":"rule:admin_only".
# The network API now supports system scope and default roles.

# Specify ``port_security_enabled`` attribute when creating a network
# POST  /networks
# Intended scope(s): project
#"create_network:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_network:port_security_enabled":"rule:regular_user" has been
# deprecated since W in favor of
# "create_network:port_security_enabled":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The network API now supports system scope and default roles.

# Specify ``segments`` attribute when creating a network
# POST  /networks
# Intended scope(s): project
#"create_network:segments": "rule:admin_only"

# DEPRECATED
# "create_network:segments":"rule:admin_only" has been deprecated
# since W in favor of "create_network:segments":"rule:admin_only".
# The network API now supports system scope and default roles.

# Specify ``provider:network_type`` when creating a network
# POST  /networks
# Intended scope(s): project
#"create_network:provider:network_type": "rule:admin_only"

# DEPRECATED
# "create_network:provider:network_type":"rule:admin_only" has been
# deprecated since W in favor of
# "create_network:provider:network_type":"rule:admin_only".
# The network API now supports system scope and default roles.

# Specify ``provider:physical_network`` when creating a network
# POST  /networks
# Intended scope(s): project
#"create_network:provider:physical_network": "rule:admin_only"

# DEPRECATED
# "create_network:provider:physical_network":"rule:admin_only" has
# been deprecated since W in favor of
# "create_network:provider:physical_network":"rule:admin_only".
# The network API now supports system scope and default roles.

# Specify ``provider:segmentation_id`` when creating a network
# POST  /networks
# Intended scope(s): project
#"create_network:provider:segmentation_id": "rule:admin_only"

# DEPRECATED
# "create_network:provider:segmentation_id":"rule:admin_only" has been
# deprecated since W in favor of
# "create_network:provider:segmentation_id":"rule:admin_only".
# The network API now supports system scope and default roles.

# Create the network tags
# POST  /networks/{id}/tags
# Intended scope(s): project
#"create_network:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_networks_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "create_network:tags":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "create_networks_tags": "rule:create_network:tags"

# Get a network
# GET  /networks
# GET  /networks/{id}
# Intended scope(s): project
#"get_network": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:service_api or rule:shared or rule:external or rule:context_is_advsvc"

# DEPRECATED
# "get_network":"rule:admin_or_owner or rule:shared or rule:external
# or rule:context_is_advsvc" has been deprecated since W in favor of
# "get_network":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:service_api or rule:shared or
# rule:external or rule:context_is_advsvc".
# The network API now supports system scope and default roles.

# Get ``segments`` attribute of a network
# GET  /networks
# GET  /networks/{id}
# Intended scope(s): project
#"get_network:segments": "rule:admin_only"

# DEPRECATED
# "get_network:segments":"rule:admin_only" has been deprecated since W
# in favor of "get_network:segments":"rule:admin_only".
# The network API now supports system scope and default roles.

# Get ``provider:network_type`` attribute of a network
# GET  /networks
# GET  /networks/{id}
# Intended scope(s): project
#"get_network:provider:network_type": "rule:admin_only"

# DEPRECATED
# "get_network:provider:network_type":"rule:admin_only" has been
# deprecated since W in favor of
# "get_network:provider:network_type":"rule:admin_only".
# The network API now supports system scope and default roles.

# Get ``provider:physical_network`` attribute of a network
# GET  /networks
# GET  /networks/{id}
# Intended scope(s): project
#"get_network:provider:physical_network": "rule:admin_only"

# DEPRECATED
# "get_network:provider:physical_network":"rule:admin_only" has been
# deprecated since W in favor of
# "get_network:provider:physical_network":"rule:admin_only".
# The network API now supports system scope and default roles.

# Get ``provider:segmentation_id`` attribute of a network
# GET  /networks
# GET  /networks/{id}
# Intended scope(s): project
#"get_network:provider:segmentation_id": "rule:admin_only"

# DEPRECATED
# "get_network:provider:segmentation_id":"rule:admin_only" has been
# deprecated since W in favor of
# "get_network:provider:segmentation_id":"rule:admin_only".
# The network API now supports system scope and default roles.

# Get the network tags
# GET  /networks/{id}/tags
# GET  /networks/{id}/tags/{tag_id}
# Intended scope(s): project
#"get_network:tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"

# DEPRECATED
# "get_networks_tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "get_network:tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:shared or rule:external or
# rule:context_is_advsvc".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "get_networks_tags": "rule:get_network:tags"

# Update a network
# PUT  /networks/{id}
# Intended scope(s): project
#"update_network": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_network":"rule:admin_or_owner" has been deprecated since W
# in favor of "update_network":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The network API now supports system scope and default roles.

# Update ``segments`` attribute of a network
# PUT  /networks/{id}
# Intended scope(s): project
#"update_network:segments": "rule:admin_only"

# DEPRECATED
# "update_network:segments":"rule:admin_only" has been deprecated
# since W in favor of "update_network:segments":"rule:admin_only".
# The network API now supports system scope and default roles.

# Update ``shared`` attribute of a network
# PUT  /networks/{id}
# Intended scope(s): project
#"update_network:shared": "rule:admin_only"

# DEPRECATED
# "update_network:shared":"rule:admin_only" has been deprecated since
# W in favor of "update_network:shared":"rule:admin_only".
# The network API now supports system scope and default roles.

# Update ``provider:network_type`` attribute of a network
# PUT  /networks/{id}
# Intended scope(s): project
#"update_network:provider:network_type": "rule:admin_only"

# DEPRECATED
# "update_network:provider:network_type":"rule:admin_only" has been
# deprecated since W in favor of
# "update_network:provider:network_type":"rule:admin_only".
# The network API now supports system scope and default roles.

# Update ``provider:physical_network`` attribute of a network
# PUT  /networks/{id}
# Intended scope(s): project
#"update_network:provider:physical_network": "rule:admin_only"

# DEPRECATED
# "update_network:provider:physical_network":"rule:admin_only" has
# been deprecated since W in favor of
# "update_network:provider:physical_network":"rule:admin_only".
# The network API now supports system scope and default roles.

# Update ``provider:segmentation_id`` attribute of a network
# PUT  /networks/{id}
# Intended scope(s): project
#"update_network:provider:segmentation_id": "rule:admin_only"

# DEPRECATED
# "update_network:provider:segmentation_id":"rule:admin_only" has been
# deprecated since W in favor of
# "update_network:provider:segmentation_id":"rule:admin_only".
# The network API now supports system scope and default roles.

# Update ``router:external`` attribute of a network
# PUT  /networks/{id}
# Intended scope(s): project
#"update_network:router:external": "rule:admin_only"

# DEPRECATED
# "update_network:router:external":"rule:admin_only" has been
# deprecated since W in favor of
# "update_network:router:external":"rule:admin_only".
# The network API now supports system scope and default roles.

# Update ``is_default`` attribute of a network
# PUT  /networks/{id}
# Intended scope(s): project
#"update_network:is_default": "rule:admin_only"

# DEPRECATED
# "update_network:is_default":"rule:admin_only" has been deprecated
# since W in favor of "update_network:is_default":"rule:admin_only".
# The network API now supports system scope and default roles.

# Update ``port_security_enabled`` attribute of a network
# PUT  /networks/{id}
# Intended scope(s): project
#"update_network:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_network:port_security_enabled":"rule:admin_or_owner" has
# been deprecated since W in favor of
# "update_network:port_security_enabled":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The network API now supports system scope and default roles.

# Update the network tags
# PUT  /networks/{id}/tags
# PUT  /networks/{id}/tags/{tag_id}
# Intended scope(s): project
#"update_network:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_networks_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "update_network:tags":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "update_networks_tags": "rule:update_network:tags"

# Delete a network
# DELETE  /networks/{id}
# Intended scope(s): project
#"delete_network": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_network":"rule:admin_or_owner" has been deprecated since W
# in favor of "delete_network":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The network API now supports system scope and default roles.

# Delete the network tags
# DELETE  /networks/{id}/tags
# DELETE  /networks/{id}/tags/{tag_id}
# Intended scope(s): project
#"delete_network:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_networks_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "delete_network:tags":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "delete_networks_tags": "rule:delete_network:tags"

# Get network IP availability
# GET  /network-ip-availabilities
# GET  /network-ip-availabilities/{network_id}
# Intended scope(s): project
#"get_network_ip_availability": "rule:admin_only"

# DEPRECATED
# "get_network_ip_availability":"rule:admin_only" has been deprecated
# since W in favor of "get_network_ip_availability":"rule:admin_only".
# The network IP availability API now support project scope and
# default roles.

# Create a network segment range
# POST  /network_segment_ranges
# Intended scope(s): project
#"create_network_segment_range": "rule:admin_only"

# DEPRECATED
# "create_network_segment_range":"rule:admin_only" has been deprecated
# since W in favor of
# "create_network_segment_range":"rule:admin_only".
# The network segment range API now supports project scope and default
# roles.

# Create the network segment range tags
# POST  /network_segment_ranges/{id}/tags
# Intended scope(s): project
#"create_network_segment_range:tags": "rule:admin_only"

# DEPRECATED
# "create_network_segment_ranges_tags":"rule:admin_only" has been
# deprecated since 2025.1 in favor of
# "create_network_segment_range:tags":"rule:admin_only".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "create_network_segment_ranges_tags": "rule:create_network_segment_range:tags"

# Get a network segment range
# GET  /network_segment_ranges
# GET  /network_segment_ranges/{id}
# Intended scope(s): project
#"get_network_segment_range": "rule:admin_only"

# DEPRECATED
# "get_network_segment_range":"rule:admin_only" has been deprecated
# since W in favor of "get_network_segment_range":"rule:admin_only".
# The network segment range API now supports project scope and default
# roles.

# Get the network segment range tags
# GET  /network_segment_ranges/{id}/tags
# GET  /network_segment_ranges/{id}/tags/{tag_id}
# Intended scope(s): project
#"get_network_segment_range:tags": "rule:admin_only"

# DEPRECATED
# "get_network_segment_ranges_tags":"rule:admin_only" has been
# deprecated since 2025.1 in favor of
# "get_network_segment_range:tags":"rule:admin_only".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "get_network_segment_ranges_tags": "rule:get_network_segment_range:tags"

# Update a network segment range
# PUT  /network_segment_ranges/{id}
# Intended scope(s): project
#"update_network_segment_range": "rule:admin_only"

# DEPRECATED
# "update_network_segment_range":"rule:admin_only" has been deprecated
# since W in favor of
# "update_network_segment_range":"rule:admin_only".
# The network segment range API now supports project scope and default
# roles.

# Update the network segment range tags
# PUT  /network_segment_ranges/{id}/tags
# PUT  /network_segment_ranges/{id}/tags/{tag_id}
# Intended scope(s): project
#"update_network_segment_range:tags": "rule:admin_only"

# DEPRECATED
# "update_network_segment_ranges_tags":"rule:admin_only" has been
# deprecated since 2025.1 in favor of
# "update_network_segment_range:tags":"rule:admin_only".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "update_network_segment_ranges_tags": "rule:update_network_segment_range:tags"

# Delete a network segment range
# DELETE  /network_segment_ranges/{id}
# Intended scope(s): project
#"delete_network_segment_range": "rule:admin_only"

# DEPRECATED
# "delete_network_segment_range":"rule:admin_only" has been deprecated
# since W in favor of
# "delete_network_segment_range":"rule:admin_only".
# The network segment range API now supports project scope and default
# roles.

# Delete the network segment range tags
# DELETE  /network_segment_ranges/{id}/tags
# DELETE  /network_segment_ranges/{id}/tags/{tag_id}
# Intended scope(s): project
#"delete_network_segment_range:tags": "rule:admin_only"

# DEPRECATED
# "delete_network_segment_ranges_tags":"rule:admin_only" has been
# deprecated since 2025.1 in favor of
# "delete_network_segment_range:tags":"rule:admin_only".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "delete_network_segment_ranges_tags": "rule:delete_network_segment_range:tags"

# Get port binding information
# GET  /ports/{port_id}/bindings/
# Intended scope(s): project
#"get_port_binding": "(rule:admin_only) or (rule:service_api)"

# Create port binding on the host
# POST  /ports/{port_id}/bindings/
# Intended scope(s): project
#"create_port_binding": "rule:service_api"

# Delete port binding on the host
# DELETE  /ports/{port_id}/bindings/
# Intended scope(s): project
#"delete_port_binding": "rule:service_api"

# Activate port binding on the host
# PUT  /ports/{port_id}/bindings/{host}
# Intended scope(s): project
#"activate": "rule:service_api"

# Definition of port with network device_owner
#"network_device": "field:port:device_owner=~^network:"

# Rule for data plane integration
#"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator"

# Create a port
# POST  /ports
# Intended scope(s): project
#"create_port": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api"

# DEPRECATED
# "create_port":"rule:regular_user" has been deprecated since W in
# favor of "create_port":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s) or rule:service_api".
# The port API now supports project scope and default roles.

# Specify ``device_owner`` attribute when creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:device_owner": "not rule:network_device or (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"

# DEPRECATED
# "create_port:device_owner":"not rule:network_device or
# rule:context_is_advsvc or rule:admin_or_network_owner" has been
# deprecated since W in favor of "create_port:device_owner":"not
# rule:network_device or (rule:admin_only) or (rule:service_api) or
# role:manager and project_id:%(project_id)s or role:member and
# rule:network_owner".
# The port API now supports project scope and default roles.

# Specify ``mac_address`` attribute when creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"

# DEPRECATED
# "create_port:mac_address":"rule:context_is_advsvc or
# rule:admin_or_network_owner" has been deprecated since W in favor of
# "create_port:mac_address":"(rule:admin_only) or (rule:service_api)
# or role:manager and project_id:%(project_id)s or role:member and
# rule:network_owner".
# The port API now supports project scope and default roles.

# Specify ``fixed_ips`` information when creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:fixed_ips": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or rule:shared"

# DEPRECATED
# "create_port:fixed_ips":"rule:context_is_advsvc or
# rule:admin_or_network_owner or rule:shared" has been deprecated
# since W in favor of "create_port:fixed_ips":"(rule:admin_only) or
# (rule:service_api) or role:manager and project_id:%(project_id)s or
# role:member and rule:network_owner or rule:shared".
# The port API now supports project scope and default roles.

# Specify IP address in ``fixed_ips`` when creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"

# DEPRECATED
# "create_port:fixed_ips:ip_address":"rule:context_is_advsvc or
# rule:admin_or_network_owner" has been deprecated since W in favor of
# "create_port:fixed_ips:ip_address":"(rule:admin_only) or
# (rule:service_api) or role:manager and project_id:%(project_id)s or
# role:member and rule:network_owner".
# The port API now supports project scope and default roles.

# Specify subnet ID in ``fixed_ips`` when creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:fixed_ips:subnet_id": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or rule:shared"

# DEPRECATED
# "create_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
# rule:admin_or_network_owner or rule:shared" has been deprecated
# since W in favor of
# "create_port:fixed_ips:subnet_id":"(rule:admin_only) or
# (rule:service_api) or role:manager and project_id:%(project_id)s or
# role:member and rule:network_owner or rule:shared".
# The port API now supports project scope and default roles.

# Specify ``port_security_enabled`` attribute when creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:port_security_enabled": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"

# DEPRECATED
# "create_port:port_security_enabled":"rule:context_is_advsvc or
# rule:admin_or_network_owner" has been deprecated since W in favor of
# "create_port:port_security_enabled":"(rule:admin_only) or
# (rule:service_api) or role:manager and project_id:%(project_id)s or
# role:member and rule:network_owner".
# The port API now supports project scope and default roles.

# Specify ``binding:host_id`` attribute when creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:binding:host_id": "(rule:admin_only) or (rule:service_api)"

# DEPRECATED
# "create_port:binding:host_id":"rule:admin_only" has been deprecated
# since W in favor of "create_port:binding:host_id":"(rule:admin_only)
# or (rule:service_api)".
# The port API now supports project scope and default roles.

# Specify ``binding:profile`` attribute when creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:binding:profile": "rule:service_api"

# DEPRECATED
# "create_port:binding:profile":"rule:admin_only" has been deprecated
# since W in favor of
# "create_port:binding:profile":"rule:service_api".
# The port API now supports project scope and default roles.

# Specify ``binding:vnic_type`` attribute when creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:binding:vnic_type": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api"

# DEPRECATED
# "create_port:binding:vnic_type":"rule:regular_user" has been
# deprecated since W in favor of
# "create_port:binding:vnic_type":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s) or rule:service_api".
# The port API now supports project scope and default roles.

# Specify ``allowed_address_pairs`` attribute when creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:allowed_address_pairs": "(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s"

# DEPRECATED
# "create_port:allowed_address_pairs":"rule:admin_or_network_owner"
# has been deprecated since W in favor of
# "create_port:allowed_address_pairs":"(rule:admin_only) or
# (role:member and rule:network_owner) or role:manager and
# project_id:%(project_id)s".
# The port API now supports project scope and default roles.

# Specify ``mac_address` of `allowed_address_pairs`` attribute when
# creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:allowed_address_pairs:mac_address": "(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s"

# DEPRECATED
# "create_port:allowed_address_pairs:mac_address":"rule:admin_or_netwo
# rk_owner" has been deprecated since W in favor of
# "create_port:allowed_address_pairs:mac_address":"(rule:admin_only)
# or (role:member and rule:network_owner) or role:manager and
# project_id:%(project_id)s".
# The port API now supports project scope and default roles.

# Specify ``ip_address`` of ``allowed_address_pairs`` attribute when
# creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:allowed_address_pairs:ip_address": "(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s"

# DEPRECATED
# "create_port:allowed_address_pairs:ip_address":"rule:admin_or_networ
# k_owner" has been deprecated since W in favor of
# "create_port:allowed_address_pairs:ip_address":"(rule:admin_only) or
# (role:member and rule:network_owner) or role:manager and
# project_id:%(project_id)s".
# The port API now supports project scope and default roles.

# Specify ``hints`` attribute when creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:hints": "rule:admin_only"

# Specify ``trusted`` attribute when creating a port
# POST  /ports
# Intended scope(s): project
#"create_port:trusted": "rule:admin_only"

# Create the port tags
# POST  /ports/{id}/tags
# Intended scope(s): project
#"create_port:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"

# DEPRECATED
# "create_ports_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s) or rule:context_is_advsvc" has been
# deprecated since 2025.1 in favor of
# "create_port:tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s) or rule:context_is_advsvc".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "create_ports_tags": "rule:create_port:tags"

# Get a port
# GET  /ports
# GET  /ports/{id}
# Intended scope(s): project
#"get_port": "(rule:admin_only) or (rule:service_api) or role:reader and rule:network_owner or role:reader and project_id:%(project_id)s"

# DEPRECATED
# "get_port":"rule:context_is_advsvc or
# rule:admin_owner_or_network_owner" has been deprecated since W in
# favor of "get_port":"(rule:admin_only) or (rule:service_api) or
# role:reader and rule:network_owner or role:reader and
# project_id:%(project_id)s".
# The port API now supports project scope and default roles.

# Get ``binding:vif_type`` attribute of a port
# GET  /ports
# GET  /ports/{id}
# Intended scope(s): project
#"get_port:binding:vif_type": "(rule:admin_only) or (rule:service_api)"

# DEPRECATED
# "get_port:binding:vif_type":"rule:admin_only" has been deprecated
# since W in favor of "get_port:binding:vif_type":"(rule:admin_only)
# or (rule:service_api)".
# The port API now supports project scope and default roles.

# Get ``binding:vif_details`` attribute of a port
# GET  /ports
# GET  /ports/{id}
# Intended scope(s): project
#"get_port:binding:vif_details": "(rule:admin_only) or (rule:service_api)"

# DEPRECATED
# "get_port:binding:vif_details":"rule:admin_only" has been deprecated
# since W in favor of
# "get_port:binding:vif_details":"(rule:admin_only) or
# (rule:service_api)".
# The port API now supports project scope and default roles.

# Get ``binding:host_id`` attribute of a port
# GET  /ports
# GET  /ports/{id}
# Intended scope(s): project
#"get_port:binding:host_id": "(rule:admin_only) or (rule:service_api)"

# DEPRECATED
# "get_port:binding:host_id":"rule:admin_only" has been deprecated
# since W in favor of "get_port:binding:host_id":"(rule:admin_only) or
# (rule:service_api)".
# The port API now supports project scope and default roles.

# Get ``binding:profile`` attribute of a port
# GET  /ports
# GET  /ports/{id}
# Intended scope(s): project
#"get_port:binding:profile": "(rule:admin_only) or (rule:service_api)"

# DEPRECATED
# "get_port:binding:profile":"rule:admin_only" has been deprecated
# since W in favor of "get_port:binding:profile":"(rule:admin_only) or
# (rule:service_api)".
# The port API now supports project scope and default roles.

# Get ``resource_request`` attribute of a port
# GET  /ports
# GET  /ports/{id}
# Intended scope(s): project
#"get_port:resource_request": "rule:admin_only"

# DEPRECATED
# "get_port:resource_request":"rule:admin_only" has been deprecated
# since W in favor of "get_port:resource_request":"rule:admin_only".
# The port API now supports project scope and default roles.

# Get ``hints`` attribute of a port
# GET  /ports
# GET  /ports/{id}
# Intended scope(s): project
#"get_port:hints": "rule:admin_only"

# Get ``trusted`` attribute of a port
# GET  /ports
# GET  /ports/{id}
# Intended scope(s): project
#"get_port:trusted": "rule:admin_only"

# Get the port tags
# GET  /ports/{id}/tags
# GET  /ports/{id}/tags/{tag_id}
# Intended scope(s): project
#"get_port:tags": "rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) or role:reader and project_id:%(project_id)s"

# DEPRECATED
# "get_ports_tags":"rule:context_is_advsvc or (rule:admin_only) or
# (role:reader and rule:network_owner) or role:reader and
# project_id:%(project_id)s" has been deprecated since 2025.1 in favor
# of "get_port:tags":"rule:context_is_advsvc or (rule:admin_only) or
# (role:reader and rule:network_owner) or role:reader and
# project_id:%(project_id)s".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "get_ports_tags": "rule:get_port:tags"

# Update a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port": "(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s"

# DEPRECATED
# "update_port":"rule:admin_or_owner or rule:context_is_advsvc" has
# been deprecated since W in favor of "update_port":"(rule:admin_only)
# or (rule:service_api) or role:member and project_id:%(project_id)s".
# The port API now supports project scope and default roles.

# Update ``device_owner`` attribute of a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:device_owner": "not rule:network_device or (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"

# DEPRECATED
# "update_port:device_owner":"not rule:network_device or
# rule:context_is_advsvc or rule:admin_or_network_owner" has been
# deprecated since W in favor of "update_port:device_owner":"not
# rule:network_device or (rule:admin_only) or (rule:service_api) or
# role:manager and project_id:%(project_id)s or role:member and
# rule:network_owner".
# The port API now supports project scope and default roles.

# Update ``mac_address`` attribute of a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s"

# DEPRECATED
# "update_port:mac_address":"rule:admin_only or
# rule:context_is_advsvc" has been deprecated since W in favor of
# "update_port:mac_address":"(rule:admin_only) or (rule:service_api)
# or role:manager and project_id:%(project_id)s".
# The port API now supports project scope and default roles.

# Specify ``fixed_ips`` information when updating a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:fixed_ips": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"

# DEPRECATED
# "update_port:fixed_ips":"rule:context_is_advsvc or
# rule:admin_or_network_owner" has been deprecated since W in favor of
# "update_port:fixed_ips":"(rule:admin_only) or (rule:service_api) or
# role:manager and project_id:%(project_id)s or role:member and
# rule:network_owner".
# The port API now supports project scope and default roles.

# Specify IP address in ``fixed_ips`` information when updating a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"

# DEPRECATED
# "update_port:fixed_ips:ip_address":"rule:context_is_advsvc or
# rule:admin_or_network_owner" has been deprecated since W in favor of
# "update_port:fixed_ips:ip_address":"(rule:admin_only) or
# (rule:service_api) or role:manager and project_id:%(project_id)s or
# role:member and rule:network_owner".
# The port API now supports project scope and default roles.

# Specify subnet ID in ``fixed_ips`` information when updating a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:fixed_ips:subnet_id": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or rule:shared"

# DEPRECATED
# "update_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
# rule:admin_or_network_owner or rule:shared" has been deprecated
# since W in favor of
# "update_port:fixed_ips:subnet_id":"(rule:admin_only) or
# (rule:service_api) or role:manager and project_id:%(project_id)s or
# role:member and rule:network_owner or rule:shared".
# The port API now supports project scope and default roles.

# Update ``port_security_enabled`` attribute of a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:port_security_enabled": "(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner"

# DEPRECATED
# "update_port:port_security_enabled":"rule:context_is_advsvc or
# rule:admin_or_network_owner" has been deprecated since W in favor of
# "update_port:port_security_enabled":"(rule:admin_only) or
# (rule:service_api) or role:manager and project_id:%(project_id)s or
# role:member and rule:network_owner".
# The port API now supports project scope and default roles.

# Update ``binding:host_id`` attribute of a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:binding:host_id": "(rule:admin_only) or (rule:service_api)"

# DEPRECATED
# "update_port:binding:host_id":"rule:admin_only" has been deprecated
# since W in favor of "update_port:binding:host_id":"(rule:admin_only)
# or (rule:service_api)".
# The port API now supports project scope and default roles.

# Update ``binding:profile`` attribute of a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:binding:profile": "rule:service_api"

# DEPRECATED
# "update_port:binding:profile":"rule:admin_only" has been deprecated
# since W in favor of
# "update_port:binding:profile":"rule:service_api".
# The port API now supports project scope and default roles.

# Update ``binding:vnic_type`` attribute of a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:binding:vnic_type": "(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s"

# DEPRECATED
# "update_port:binding:vnic_type":"rule:admin_or_owner or
# rule:context_is_advsvc" has been deprecated since W in favor of
# "update_port:binding:vnic_type":"(rule:admin_only) or
# (rule:service_api) or role:member and project_id:%(project_id)s".
# The port API now supports project scope and default roles.

# Update ``allowed_address_pairs`` attribute of a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:allowed_address_pairs": "(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s"

# DEPRECATED
# "update_port:allowed_address_pairs":"rule:admin_or_network_owner"
# has been deprecated since W in favor of
# "update_port:allowed_address_pairs":"(rule:admin_only) or
# (role:member and rule:network_owner) or role:manager and
# project_id:%(project_id)s".
# The port API now supports project scope and default roles.

# Update ``mac_address`` of ``allowed_address_pairs`` attribute of a
# port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:allowed_address_pairs:mac_address": "(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s"

# DEPRECATED
# "update_port:allowed_address_pairs:mac_address":"rule:admin_or_netwo
# rk_owner" has been deprecated since W in favor of
# "update_port:allowed_address_pairs:mac_address":"(rule:admin_only)
# or (role:member and rule:network_owner) or role:manager and
# project_id:%(project_id)s".
# The port API now supports project scope and default roles.

# Update ``ip_address`` of ``allowed_address_pairs`` attribute of a
# port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:allowed_address_pairs:ip_address": "(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s"

# DEPRECATED
# "update_port:allowed_address_pairs:ip_address":"rule:admin_or_networ
# k_owner" has been deprecated since W in favor of
# "update_port:allowed_address_pairs:ip_address":"(rule:admin_only) or
# (role:member and rule:network_owner) or role:manager and
# project_id:%(project_id)s".
# The port API now supports project scope and default roles.

# Update ``data_plane_status`` attribute of a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:data_plane_status": "rule:admin_only or role:data_plane_integrator"

# DEPRECATED
# "update_port:data_plane_status":"rule:admin_or_data_plane_int" has
# been deprecated since W in favor of
# "update_port:data_plane_status":"rule:admin_only or
# role:data_plane_integrator".
# The port API now supports project scope and default roles.

# Update ``hints`` attribute of a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:hints": "rule:admin_only"

# Update ``trusted`` attribute of a port
# PUT  /ports/{id}
# Intended scope(s): project
#"update_port:trusted": "rule:admin_only"

# Update the port tags
# PUT  /ports/{id}/tags
# PUT  /ports/{id}/tags/{tag_id}
# Intended scope(s): project
#"update_port:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"

# DEPRECATED
# "update_ports_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s) or rule:context_is_advsvc" has been
# deprecated since 2025.1 in favor of
# "update_port:tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s) or rule:context_is_advsvc".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "update_ports_tags": "rule:update_port:tags"

# Delete a port
# DELETE  /ports/{id}
# Intended scope(s): project
#"delete_port": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s"

# DEPRECATED
# "delete_port":"rule:context_is_advsvc or
# rule:admin_owner_or_network_owner" has been deprecated since W in
# favor of "delete_port":"(rule:admin_only) or (rule:service_api) or
# role:member and rule:network_owner or role:member and
# project_id:%(project_id)s".
# The port API now supports project scope and default roles.

# Delete the port tags
# DELETE  /ports/{id}/tags
# DELETE  /ports/{id}/tags/{tag_id}
# Intended scope(s): project
#"delete_port:tags": "rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)"

# DEPRECATED
# "delete_ports_tags":"rule:context_is_advsvc or role:member and
# project_id:%(project_id)s or (rule:admin_only) or (role:member and
# rule:network_owner)" has been deprecated since 2025.1 in favor of
# "delete_port:tags":"rule:context_is_advsvc or role:member and
# project_id:%(project_id)s or (rule:admin_only) or (role:member and
# rule:network_owner)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "delete_ports_tags": "rule:delete_port:tags"

# Rule of shared qos policy
#"shared_qos_policy": "field:policies:shared=True"

# Get QoS policies
# GET  /qos/policies
# GET  /qos/policies/{id}
# Intended scope(s): project
#"get_policy": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy"

# DEPRECATED
# "get_policy":"rule:regular_user" has been deprecated since W in
# favor of "get_policy":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:shared_qos_policy".
# The QoS API now supports project scope and default roles.

# Get QoS policy tags
# GET  /qos/policies/{id}/tags
# GET  /qos/policies/{id}/tags/{tag_id}
# Intended scope(s): project
#"get_policy:tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy"

# DEPRECATED
# "get_policies_tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:shared_qos_policy" has been
# deprecated since 2025.1 in favor of
# "get_policy:tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:shared_qos_policy".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "get_policies_tags": "rule:get_policy:tags"

# Create a QoS policy
# POST  /qos/policies
# Intended scope(s): project
#"create_policy": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "create_policy":"rule:admin_only" has been deprecated since W in
# favor of "create_policy":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)".
# The QoS API now supports project scope and default roles.

# Create the QoS policy tags
# POST  /qos/policies/{id}/tags
# Intended scope(s): project
#"create_policy:tags": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "create_policies_tags":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "create_policy:tags":"(rule:admin_only) or (role:manager
# and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "create_policies_tags": "rule:create_policy:tags"

# Update a QoS policy
# PUT  /qos/policies/{id}
# Intended scope(s): project
#"update_policy": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "update_policy":"rule:admin_only" has been deprecated since W in
# favor of "update_policy":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)".
# The QoS API now supports project scope and default roles.

# Update the QoS policy tags
# PUT  /qos/policies/{id}/tags
# PUT  /qos/policies/{id}/tags/{tag_id}
# Intended scope(s): project
#"update_policy:tags": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "update_policies_tags":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "update_policy:tags":"(rule:admin_only) or (role:manager
# and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "update_policies_tags": "rule:update_policy:tags"

# Delete a QoS policy
# DELETE  /qos/policies/{id}
# Intended scope(s): project
#"delete_policy": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "delete_policy":"rule:admin_only" has been deprecated since W in
# favor of "delete_policy":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)".
# The QoS API now supports project scope and default roles.

# Delete the QoS policy tags
# DELETE  /qos/policies/{id}/tags
# DELETE  /qos/policies/{id}/tags/{tag_id}
# Intended scope(s): project
#"delete_policy:tags": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "delete_policies_tags":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "delete_policy:tags":"(rule:admin_only) or (role:manager
# and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "delete_policies_tags": "rule:delete_policy:tags"

# Get available QoS rule types
# GET  /qos/rule-types
# GET  /qos/rule-types/{rule_type}
# Intended scope(s): project
#"get_rule_type": "role:reader"

# DEPRECATED
# "get_rule_type":"rule:regular_user" has been deprecated since W in
# favor of "get_rule_type":"role:reader".
# The QoS API now supports project scope and default roles.

# Get a QoS bandwidth limit rule
# GET  /qos/policies/{policy_id}/bandwidth_limit_rules
# GET  /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
# Intended scope(s): project
#"get_policy_bandwidth_limit_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)"

# DEPRECATED
# "get_policy_bandwidth_limit_rule":"rule:regular_user" has been
# deprecated since W in favor of
# "get_policy_bandwidth_limit_rule":"(rule:admin_only) or (role:reader
# and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Create a QoS bandwidth limit rule
# POST  /qos/policies/{policy_id}/bandwidth_limit_rules
# Intended scope(s): project
#"create_policy_bandwidth_limit_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "create_policy_bandwidth_limit_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "create_policy_bandwidth_limit_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Update a QoS bandwidth limit rule
# PUT  /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
# Intended scope(s): project
#"update_policy_bandwidth_limit_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "update_policy_bandwidth_limit_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "update_policy_bandwidth_limit_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Delete a QoS bandwidth limit rule
# DELETE  /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
# Intended scope(s): project
#"delete_policy_bandwidth_limit_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "delete_policy_bandwidth_limit_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "delete_policy_bandwidth_limit_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Get a QoS packet rate limit rule
# GET  /qos/policies/{policy_id}/packet_rate_limit_rules
# GET  /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
# Intended scope(s): project
#"get_policy_packet_rate_limit_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)"

# Create a QoS packet rate limit rule
# POST  /qos/policies/{policy_id}/packet_rate_limit_rules
# Intended scope(s): project
#"create_policy_packet_rate_limit_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# Update a QoS packet rate limit rule
# PUT  /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
# Intended scope(s): project
#"update_policy_packet_rate_limit_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# Delete a QoS packet rate limit rule
# DELETE  /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
# Intended scope(s): project
#"delete_policy_packet_rate_limit_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# Get a QoS DSCP marking rule
# GET  /qos/policies/{policy_id}/dscp_marking_rules
# GET  /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
# Intended scope(s): project
#"get_policy_dscp_marking_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)"

# DEPRECATED
# "get_policy_dscp_marking_rule":"rule:regular_user" has been
# deprecated since W in favor of
# "get_policy_dscp_marking_rule":"(rule:admin_only) or (role:reader
# and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Create a QoS DSCP marking rule
# POST  /qos/policies/{policy_id}/dscp_marking_rules
# Intended scope(s): project
#"create_policy_dscp_marking_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "create_policy_dscp_marking_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "create_policy_dscp_marking_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Update a QoS DSCP marking rule
# PUT  /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
# Intended scope(s): project
#"update_policy_dscp_marking_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "update_policy_dscp_marking_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "update_policy_dscp_marking_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Delete a QoS DSCP marking rule
# DELETE  /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
# Intended scope(s): project
#"delete_policy_dscp_marking_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "delete_policy_dscp_marking_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "delete_policy_dscp_marking_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Get a QoS minimum bandwidth rule
# GET  /qos/policies/{policy_id}/minimum_bandwidth_rules
# GET  /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
# Intended scope(s): project
#"get_policy_minimum_bandwidth_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)"

# DEPRECATED
# "get_policy_minimum_bandwidth_rule":"rule:regular_user" has been
# deprecated since W in favor of
# "get_policy_minimum_bandwidth_rule":"(rule:admin_only) or
# (role:reader and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Create a QoS minimum bandwidth rule
# POST  /qos/policies/{policy_id}/minimum_bandwidth_rules
# Intended scope(s): project
#"create_policy_minimum_bandwidth_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "create_policy_minimum_bandwidth_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "create_policy_minimum_bandwidth_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Update a QoS minimum bandwidth rule
# PUT  /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
# Intended scope(s): project
#"update_policy_minimum_bandwidth_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "update_policy_minimum_bandwidth_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "update_policy_minimum_bandwidth_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Delete a QoS minimum bandwidth rule
# DELETE  /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
# Intended scope(s): project
#"delete_policy_minimum_bandwidth_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "delete_policy_minimum_bandwidth_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "delete_policy_minimum_bandwidth_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Get a QoS minimum packet rate rule
# GET  /qos/policies/{policy_id}/minimum_packet_rate_rules
# GET  /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
# Intended scope(s): project
#"get_policy_minimum_packet_rate_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)"

# Create a QoS minimum packet rate rule
# POST  /qos/policies/{policy_id}/minimum_packet_rate_rules
# Intended scope(s): project
#"create_policy_minimum_packet_rate_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# Update a QoS minimum packet rate rule
# PUT  /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
# Intended scope(s): project
#"update_policy_minimum_packet_rate_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# Delete a QoS minimum packet rate rule
# DELETE  /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
# Intended scope(s): project
#"delete_policy_minimum_packet_rate_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# Get a QoS bandwidth limit rule through alias
# GET  /qos/alias_bandwidth_limit_rules/{rule_id}/
# Intended scope(s): project
#"get_alias_bandwidth_limit_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)"

# DEPRECATED
# "get_alias_bandwidth_limit_rule":"rule:regular_user" has been
# deprecated since W in favor of
# "get_alias_bandwidth_limit_rule":"(rule:admin_only) or (role:reader
# and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Update a QoS bandwidth limit rule through alias
# PUT  /qos/alias_bandwidth_limit_rules/{rule_id}/
# Intended scope(s): project
#"update_alias_bandwidth_limit_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "update_alias_bandwidth_limit_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "update_alias_bandwidth_limit_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Delete a QoS bandwidth limit rule through alias
# DELETE  /qos/alias_bandwidth_limit_rules/{rule_id}/
# Intended scope(s): project
#"delete_alias_bandwidth_limit_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "delete_alias_bandwidth_limit_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "delete_alias_bandwidth_limit_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Get a QoS DSCP marking rule through alias
# GET  /qos/alias_dscp_marking_rules/{rule_id}/
# Intended scope(s): project
#"get_alias_dscp_marking_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)"

# DEPRECATED
# "get_alias_dscp_marking_rule":"rule:regular_user" has been
# deprecated since W in favor of
# "get_alias_dscp_marking_rule":"(rule:admin_only) or (role:reader and
# rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Update a QoS DSCP marking rule through alias
# PUT  /qos/alias_dscp_marking_rules/{rule_id}/
# Intended scope(s): project
#"update_alias_dscp_marking_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "update_alias_dscp_marking_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "update_alias_dscp_marking_rule":"(rule:admin_only) or (role:manager
# and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Delete a QoS DSCP marking rule through alias
# DELETE  /qos/alias_dscp_marking_rules/{rule_id}/
# Intended scope(s): project
#"delete_alias_dscp_marking_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "delete_alias_dscp_marking_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "delete_alias_dscp_marking_rule":"(rule:admin_only) or (role:manager
# and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Get a QoS minimum bandwidth rule through alias
# GET  /qos/alias_minimum_bandwidth_rules/{rule_id}/
# Intended scope(s): project
#"get_alias_minimum_bandwidth_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)"

# DEPRECATED
# "get_alias_minimum_bandwidth_rule":"rule:regular_user" has been
# deprecated since W in favor of
# "get_alias_minimum_bandwidth_rule":"(rule:admin_only) or
# (role:reader and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Update a QoS minimum bandwidth rule through alias
# PUT  /qos/alias_minimum_bandwidth_rules/{rule_id}/
# Intended scope(s): project
#"update_alias_minimum_bandwidth_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "update_alias_minimum_bandwidth_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "update_alias_minimum_bandwidth_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Delete a QoS minimum bandwidth rule through alias
# DELETE  /qos/alias_minimum_bandwidth_rules/{rule_id}/
# Intended scope(s): project
#"delete_alias_minimum_bandwidth_rule": "(rule:admin_only) or (role:manager and rule:ext_parent_owner)"

# DEPRECATED
# "delete_alias_minimum_bandwidth_rule":"rule:admin_only" has been
# deprecated since W in favor of
# "delete_alias_minimum_bandwidth_rule":"(rule:admin_only) or
# (role:manager and rule:ext_parent_owner)".
# The QoS API now supports project scope and default roles.

# Get a QoS minimum packet rate rule through alias
# GET  /qos/alias_minimum_packet_rate_rules/{rule_id}/
# Intended scope(s): project
#"get_alias_minimum_packet_rate_rule": "rule:get_policy_minimum_packet_rate_rule"

# Update a QoS minimum packet rate rule through alias
# PUT  /qos/alias_minimum_packet_rate_rules/{rule_id}/
# Intended scope(s): project
#"update_alias_minimum_packet_rate_rule": "rule:update_policy_minimum_packet_rate_rule"

# Delete a QoS minimum packet rate rule through alias
# DELETE  /qos/alias_minimum_packet_rate_rules/{rule_id}/
# Intended scope(s): project
#"delete_alias_minimum_packet_rate_rule": "rule:delete_policy_minimum_packet_rate_rule"

# Get a resource quota
# GET  /quota
# GET  /quota/{id}
# Intended scope(s): project
#"get_quota": "(rule:admin_only) or (role:manager and project_id:%(project_id)s)"

# DEPRECATED
# "get_quota":"rule:admin_only" has been deprecated since W in favor
# of "get_quota":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)".
# The quotas API now supports project scope and default roles.

# Update a resource quota
# PUT  /quota/{id}
# Intended scope(s): project
#"update_quota": "rule:admin_only"

# DEPRECATED
# "update_quota":"rule:admin_only" has been deprecated since W in
# favor of "update_quota":"rule:admin_only".
# The quotas API now supports project scope and default roles.

# Delete a resource quota
# DELETE  /quota/{id}
# Intended scope(s): project
#"delete_quota": "rule:admin_only"

# DEPRECATED
# "delete_quota":"rule:admin_only" has been deprecated since W in
# favor of "delete_quota":"rule:admin_only".
# The quotas API now supports project scope and default roles.

# Definition of a wildcard target_project
#"restrict_wildcard": "(not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) or rule:admin_only"

# Create an RBAC policy
# POST  /rbac-policies
# Intended scope(s): project
#"create_rbac_policy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_rbac_policy":"rule:regular_user" has been deprecated since W
# in favor of "create_rbac_policy":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The RBAC API now supports system scope and default roles.

# DEPRECATED
# "create_rbac_policy:target_tenant" has been deprecated since 2025.1.
# Replaced by "create_rbac_policy:target_project
# Specify ``target_tenant`` when creating an RBAC policy
# POST  /rbac-policies
# Intended scope(s): project
#"create_rbac_policy:target_tenant": "rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)"

# Specify ``target_project`` when creating an RBAC policy
# POST  /rbac-policies
# Intended scope(s): project
#"create_rbac_policy:target_project": "rule:admin_only or not field:rbac_policy:target_project=*"

# Update an RBAC policy
# PUT  /rbac-policies/{id}
# Intended scope(s): project
#"update_rbac_policy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_rbac_policy":"rule:admin_or_owner" has been deprecated since
# W in favor of "update_rbac_policy":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The RBAC API now supports system scope and default roles.

# DEPRECATED
# "update_rbac_policy:target_tenant" has been deprecated since 2025.1.
# Replaced by "update_rbac_policy:target_project
# Update ``target_tenant`` attribute of an RBAC policy
# PUT  /rbac-policies/{id}
# Intended scope(s): project
#"update_rbac_policy:target_tenant": "rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)"

# Update ``target_project`` attribute of an RBAC policy
# PUT  /rbac-policies/{id}
# Intended scope(s): project
#"update_rbac_policy:target_project": "rule:admin_only or not field:rbac_policy:target_project=*"

# Get an RBAC policy
# GET  /rbac-policies
# GET  /rbac-policies/{id}
# Intended scope(s): project
#"get_rbac_policy": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_rbac_policy":"rule:admin_or_owner" has been deprecated since W
# in favor of "get_rbac_policy":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)".
# The RBAC API now supports system scope and default roles.

# Delete an RBAC policy
# DELETE  /rbac-policies/{id}
# Intended scope(s): project
#"delete_rbac_policy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_rbac_policy":"rule:admin_or_owner" has been deprecated since
# W in favor of "delete_rbac_policy":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The RBAC API now supports system scope and default roles.

# Create a router
# POST  /routers
# Intended scope(s): project
#"create_router": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_router":"rule:regular_user" has been deprecated since W in
# favor of "create_router":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The router API now supports system scope and default roles.

# Specify ``distributed`` attribute when creating a router
# POST  /routers
# Intended scope(s): project
#"create_router:distributed": "rule:admin_only"

# DEPRECATED
# "create_router:distributed":"rule:admin_only" has been deprecated
# since W in favor of "create_router:distributed":"rule:admin_only".
# The router API now supports system scope and default roles.

# Specify ``ha`` attribute when creating a router
# POST  /routers
# Intended scope(s): project
#"create_router:ha": "rule:admin_only"

# DEPRECATED
# "create_router:ha":"rule:admin_only" has been deprecated since W in
# favor of "create_router:ha":"rule:admin_only".
# The router API now supports system scope and default roles.

# Specify ``external_gateway_info`` information when creating a router
# POST  /routers
# Intended scope(s): project
#"create_router:external_gateway_info": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_router:external_gateway_info":"rule:admin_or_owner" has been
# deprecated since W in favor of
# "create_router:external_gateway_info":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The router API now supports system scope and default roles.

# Specify ``network_id`` in ``external_gateway_info`` information when
# creating a router
# POST  /routers
# Intended scope(s): project
#"create_router:external_gateway_info:network_id": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_router:external_gateway_info:network_id":"rule:admin_or_owne
# r" has been deprecated since W in favor of
# "create_router:external_gateway_info:network_id":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The router API now supports system scope and default roles.

# Specify ``enable_snat`` in ``external_gateway_info`` information
# when creating a router
# POST  /routers
# Intended scope(s): project
#"create_router:external_gateway_info:enable_snat": "rule:admin_only"

# DEPRECATED
# "create_router:external_gateway_info:enable_snat":"rule:admin_only"
# has been deprecated since W in favor of
# "create_router:external_gateway_info:enable_snat":"rule:admin_only".
# The router API now supports system scope and default roles.

# Specify ``external_fixed_ips`` in ``external_gateway_info``
# information when creating a router
# POST  /routers
# Intended scope(s): project
#"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"

# DEPRECATED
# "create_router:external_gateway_info:external_fixed_ips":"rule:admin
# _only" has been deprecated since W in favor of "create_router:extern
# al_gateway_info:external_fixed_ips":"rule:admin_only".
# The router API now supports system scope and default roles.

# Specify ``enable_default_route_bfd`` attribute when creating a
# router
# POST  /routers
# Intended scope(s): project
#"create_router:enable_default_route_bfd": "rule:admin_only"

# Specify ``enable_default_route_ecmp`` attribute when creating a
# router
# POST  /routers
# Intended scope(s): project
#"create_router:enable_default_route_ecmp": "rule:admin_only"

# Create the router tags
# POST  /routers/{id}/tags
# Intended scope(s): project
#"create_router:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_routers_tags":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "create_router:tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "create_routers_tags": "rule:create_router:tags"

# Get a router
# GET  /routers
# GET  /routers/{id}
# Intended scope(s): project
#"get_router": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_router":"rule:admin_or_owner" has been deprecated since W in
# favor of "get_router":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)".
# The router API now supports system scope and default roles.

# Get ``distributed`` attribute of a router
# GET  /routers
# GET  /routers/{id}
# Intended scope(s): project
#"get_router:distributed": "rule:admin_only"

# DEPRECATED
# "get_router:distributed":"rule:admin_only" has been deprecated since
# W in favor of "get_router:distributed":"rule:admin_only".
# The router API now supports system scope and default roles.

# Get ``ha`` attribute of a router
# GET  /routers
# GET  /routers/{id}
# Intended scope(s): project
#"get_router:ha": "rule:admin_only"

# DEPRECATED
# "get_router:ha":"rule:admin_only" has been deprecated since W in
# favor of "get_router:ha":"rule:admin_only".
# The router API now supports system scope and default roles.

# Get the router tags
# GET  /routers/{id}/tags
# GET  /routers/{id}/tags/{tag_id}
# Intended scope(s): project
#"get_router:tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_routers_tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "get_router:tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "get_routers_tags": "rule:get_router:tags"

# Update a router
# PUT  /routers/{id}
# Intended scope(s): project
#"update_router": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_router":"rule:admin_or_owner" has been deprecated since W in
# favor of "update_router":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The router API now supports system scope and default roles.

# Update ``distributed`` attribute of a router
# PUT  /routers/{id}
# Intended scope(s): project
#"update_router:distributed": "rule:admin_only"

# DEPRECATED
# "update_router:distributed":"rule:admin_only" has been deprecated
# since W in favor of "update_router:distributed":"rule:admin_only".
# The router API now supports system scope and default roles.

# Update ``ha`` attribute of a router
# PUT  /routers/{id}
# Intended scope(s): project
#"update_router:ha": "rule:admin_only"

# DEPRECATED
# "update_router:ha":"rule:admin_only" has been deprecated since W in
# favor of "update_router:ha":"rule:admin_only".
# The router API now supports system scope and default roles.

# Update ``external_gateway_info`` information of a router
# PUT  /routers/{id}
# Intended scope(s): project
#"update_router:external_gateway_info": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_router:external_gateway_info":"rule:admin_or_owner" has been
# deprecated since W in favor of
# "update_router:external_gateway_info":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The router API now supports system scope and default roles.

# Update ``network_id`` attribute of ``external_gateway_info``
# information of a router
# PUT  /routers/{id}
# Intended scope(s): project
#"update_router:external_gateway_info:network_id": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_router:external_gateway_info:network_id":"rule:admin_or_owne
# r" has been deprecated since W in favor of
# "update_router:external_gateway_info:network_id":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The router API now supports system scope and default roles.

# Update ``enable_snat`` attribute of ``external_gateway_info``
# information of a router
# PUT  /routers/{id}
# Intended scope(s): project
#"update_router:external_gateway_info:enable_snat": "rule:admin_only"

# DEPRECATED
# "update_router:external_gateway_info:enable_snat":"rule:admin_only"
# has been deprecated since W in favor of
# "update_router:external_gateway_info:enable_snat":"rule:admin_only".
# The router API now supports system scope and default roles.

# Update ``external_fixed_ips`` attribute of ``external_gateway_info``
# information of a router
# PUT  /routers/{id}
# Intended scope(s): project
#"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"

# DEPRECATED
# "update_router:external_gateway_info:external_fixed_ips":"rule:admin
# _only" has been deprecated since W in favor of "update_router:extern
# al_gateway_info:external_fixed_ips":"rule:admin_only".
# The router API now supports system scope and default roles.

# Specify ``enable_default_route_bfd`` attribute when updating a
# router
# POST  /routers
# Intended scope(s): project
#"update_router:enable_default_route_bfd": "rule:admin_only"

# Specify ``enable_default_route_ecmp`` attribute when updating a
# router
# POST  /routers
# Intended scope(s): project
#"update_router:enable_default_route_ecmp": "rule:admin_only"

# Update the router tags
# PUT  /routers/{id}/tags
# PUT  /routers/{id}/tags/{tag_id}
# Intended scope(s): project
#"update_router:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_routers_tags":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "update_router:tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "update_routers_tags": "rule:update_router:tags"

# Delete a router
# DELETE  /routers/{id}
# Intended scope(s): project
#"delete_router": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_router":"rule:admin_or_owner" has been deprecated since W in
# favor of "delete_router":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The router API now supports system scope and default roles.

# Delete the router tags
# DELETE  /routers/{id}/tags
# DELETE  /routers/{id}/tags/{tag_id}
# Intended scope(s): project
#"delete_router:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_routers_tags":"(rule:admin_only) or (role:manager and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "delete_router:tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "delete_routers_tags": "rule:delete_router:tags"

# Add an interface to a router
# PUT  /routers/{id}/add_router_interface
# Intended scope(s): project
#"add_router_interface": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "add_router_interface":"rule:admin_or_owner" has been deprecated
# since W in favor of "add_router_interface":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The router API now supports system scope and default roles.

# Remove an interface from a router
# PUT  /routers/{id}/remove_router_interface
# Intended scope(s): project
#"remove_router_interface": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "remove_router_interface":"rule:admin_or_owner" has been deprecated
# since W in favor of "remove_router_interface":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The router API now supports system scope and default roles.

# Add extra route to a router
# PUT  /routers/{id}/add_extraroutes
# Intended scope(s): project
#"add_extraroutes": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "add_extraroutes":"rule:admin_or_owner" has been deprecated since
# Xena in favor of "add_extraroutes":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The router API now supports system scope and default roles.

# Remove extra route from a router
# PUT  /routers/{id}/remove_extraroutes
# Intended scope(s): project
#"remove_extraroutes": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "remove_extraroutes":"rule:admin_or_owner" has been deprecated since
# Xena in favor of "remove_extraroutes":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The router API now supports system scope and default roles.

# Rule for admin or security group owner access
#"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"

# Rule for resource owner, admin or security group owner access
#"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner"

# Definition of a shared security group
#"shared_security_group": "field:security_groups:shared=True"

# Definition of a security group rule that belongs to the project
# default security group
#"rule_default_sg": "field:security_group_rules:belongs_to_default_sg=True"

# Create a security group
# POST  /security-groups
# Intended scope(s): project
#"create_security_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_security_group":"rule:admin_or_owner" has been deprecated
# since W in favor of "create_security_group":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The security group API now supports system scope and default roles.

# Create the security group tags
# POST  /security-groups/{id}/tags
# Intended scope(s): project
#"create_security_group:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_security_groups_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "create_security_group:tags":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "create_security_groups_tags": "rule:create_security_group:tags"

# Get a security group
# GET  /security-groups
# GET  /security-groups/{id}
# Intended scope(s): project
#"get_security_group": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group"

# DEPRECATED
# "get_security_group":"rule:regular_user" has been deprecated since W
# in favor of "get_security_group":"(rule:admin_only) or (role:reader
# and project_id:%(project_id)s) or rule:shared_security_group".
# The security group API now supports system scope and default roles.

# Get the security group tags
# GET  /security-groups/{id}/tags
# GET  /security-groups/{id}/tags/{tag_id}
# Intended scope(s): project
#"get_security_group:tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group"

# DEPRECATED
# "get_security_groups_tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:shared_security_group" has been
# deprecated since 2025.1 in favor of
# "get_security_group:tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:shared_security_group".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "get_security_groups_tags": "rule:get_security_group:tags"

# Update a security group
# PUT  /security-groups/{id}
# Intended scope(s): project
#"update_security_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_security_group":"rule:admin_or_owner" has been deprecated
# since W in favor of "update_security_group":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The security group API now supports system scope and default roles.

# Update the security group tags
# PUT  /security-groups/{id}/tags
# PUT  /security-groups/{id}/tags/{tag_id}
# Intended scope(s): project
#"update_security_group:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_security_groups_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "update_security_group:tags":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "update_security_groups_tags": "rule:update_security_group:tags"

# Delete a security group
# DELETE  /security-groups/{id}
# Intended scope(s): project
#"delete_security_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_security_group":"rule:admin_or_owner" has been deprecated
# since W in favor of "delete_security_group":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The security group API now supports system scope and default roles.

# Delete the security group tags
# DELETE  /security-groups/{id}/tags
# DELETE  /security-groups/{id}/tags/{tag_id}
# Intended scope(s): project
#"delete_security_group:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_security_groups_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "delete_security_group:tags":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "delete_security_groups_tags": "rule:delete_security_group:tags"

# Create a security group rule
# POST  /security-group-rules
# Intended scope(s): project
#"create_security_group_rule": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_security_group_rule":"rule:admin_or_owner" has been
# deprecated since W in favor of
# "create_security_group_rule":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The security group API now supports system scope and default roles.

# Get a security group rule
# GET  /security-group-rules
# GET  /security-group-rules/{id}
# Intended scope(s): project
#"get_security_group_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:sg_owner"

# DEPRECATED
# "get_security_group_rule":"rule:admin_owner_or_sg_owner" has been
# deprecated since W in favor of
# "get_security_group_rule":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:sg_owner".
# The security group API now supports system scope and default roles.

# Delete a security group rule
# DELETE  /security-group-rules/{id}
# Intended scope(s): project
#"delete_security_group_rule": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_security_group_rule":"rule:admin_or_owner" has been
# deprecated since W in favor of
# "delete_security_group_rule":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The security group API now supports system scope and default roles.

# Create a segment
# POST  /segments
# Intended scope(s): project
#"create_segment": "rule:admin_only"

# DEPRECATED
# "create_segment":"rule:admin_only" has been deprecated since W in
# favor of "create_segment":"rule:admin_only".
# The segment API now supports project scope and default roles.

# Create the segment tags
# POST  /segments/{id}/tags
# Intended scope(s): project
#"create_segments_tags": "rule:admin_only"

# Get a segment
# GET  /segments
# GET  /segments/{id}
# Intended scope(s): project
#"get_segment": "rule:admin_only"

# DEPRECATED
# "get_segment":"rule:admin_only" has been deprecated since W in favor
# of "get_segment":"rule:admin_only".
# The segment API now supports project scope and default roles.

# Get the segment tags
# GET  /segments/{id}/tags
# GET  /segments/{id}/tags/{tag_id}
# Intended scope(s): project
#"get_segments_tags": "rule:admin_only"

# Update a segment
# PUT  /segments/{id}
# Intended scope(s): project
#"update_segment": "rule:admin_only"

# DEPRECATED
# "update_segment":"rule:admin_only" has been deprecated since W in
# favor of "update_segment":"rule:admin_only".
# The segment API now supports project scope and default roles.

# Update the segment tags
# PUT  /segments/{id}/tags
# PUT  /segments/{id}/tags/{tag_id}
# Intended scope(s): project
#"update_segments_tags": "rule:admin_only"

# Delete a segment
# DELETE  /segments/{id}
# Intended scope(s): project
#"delete_segment": "rule:admin_only"

# DEPRECATED
# "delete_segment":"rule:admin_only" has been deprecated since W in
# favor of "delete_segment":"rule:admin_only".
# The segment API now supports project scope and default roles.

# Delete the segment tags
# DELETE  /segments/{id}/tags
# DELETE  /segments/{id}/tags/{tag_id}
# Intended scope(s): project
#"delete_segments_tags": "rule:admin_only"

# Get service providers
# GET  /service-providers
# Intended scope(s): project
#"get_service_provider": "role:reader"

# DEPRECATED
# "get_service_provider":"rule:regular_user" has been deprecated since
# W in favor of "get_service_provider":"role:reader".
# The Service Providers API now supports project scope and default
# roles.

# Definition of a subnet that belongs to an external network
#"external_network": "field:subnets:router:external=True"

# Create a subnet
# POST  /subnets
# Intended scope(s): project
#"create_subnet": "(rule:admin_only) or (role:member and rule:network_owner)"

# DEPRECATED
# "create_subnet":"rule:admin_or_network_owner" has been deprecated
# since W in favor of "create_subnet":"(rule:admin_only) or
# (role:member and rule:network_owner)".
# The subnet API now supports system scope and default roles.

# Specify ``segment_id`` attribute when creating a subnet
# POST  /subnets
# Intended scope(s): project
#"create_subnet:segment_id": "rule:admin_only"

# DEPRECATED
# "create_subnet:segment_id":"rule:admin_only" has been deprecated
# since W in favor of "create_subnet:segment_id":"rule:admin_only".
# The subnet API now supports system scope and default roles.

# Specify ``service_types`` attribute when creating a subnet
# POST  /subnets
# Intended scope(s): project
#"create_subnet:service_types": "rule:admin_only"

# DEPRECATED
# "create_subnet:service_types":"rule:admin_only" has been deprecated
# since W in favor of "create_subnet:service_types":"rule:admin_only".
# The subnet API now supports system scope and default roles.

# Create the subnet tags
# POST  /subnets/{id}/tags
# Intended scope(s): project
#"create_subnet:tags": "role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)"

# DEPRECATED
# "create_subnets_tags":"role:member and project_id:%(project_id)s or
# (rule:admin_only) or (role:member and rule:network_owner)" has been
# deprecated since 2025.1 in favor of
# "create_subnet:tags":"role:member and project_id:%(project_id)s or
# (rule:admin_only) or (role:member and rule:network_owner)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "create_subnets_tags": "rule:create_subnet:tags"

# Get a subnet
# GET  /subnets
# GET  /subnets/{id}
# Intended scope(s): project
#"get_subnet": "role:reader and project_id:%(project_id)s or rule:shared or rule:external_network or (rule:admin_only) or (role:reader and rule:network_owner)"

# DEPRECATED
# "get_subnet":"rule:shared or rule:external_network or
# rule:admin_or_owner" has been deprecated since W in favor of
# "get_subnet":"role:reader and project_id:%(project_id)s or
# rule:shared or rule:external_network or (rule:admin_only) or
# (role:reader and rule:network_owner)".
# The subnet API now supports system scope and default roles.

# Get ``segment_id`` attribute of a subnet
# GET  /subnets
# GET  /subnets/{id}
# Intended scope(s): project
#"get_subnet:segment_id": "rule:admin_only"

# DEPRECATED
# "get_subnet:segment_id":"rule:admin_only" has been deprecated since
# W in favor of "get_subnet:segment_id":"rule:admin_only".
# The subnet API now supports system scope and default roles.

# Get the subnet tags
# GET  /subnets/{id}/tags
# GET  /subnets/{id}/tags/{tag_id}
# Intended scope(s): project
#"get_subnet:tags": "role:reader and project_id:%(project_id)s or rule:shared or rule:external_network or (rule:admin_only) or (role:reader and rule:network_owner)"

# DEPRECATED
# "get_subnets_tags":"role:reader and project_id:%(project_id)s or
# rule:shared or rule:external_network or (rule:admin_only) or
# (role:reader and rule:network_owner)" has been deprecated since
# 2025.1 in favor of "get_subnet:tags":"role:reader and
# project_id:%(project_id)s or rule:shared or rule:external_network or
# (rule:admin_only) or (role:reader and rule:network_owner)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "get_subnets_tags": "rule:get_subnet:tags"

# Update a subnet
# PUT  /subnets/{id}
# Intended scope(s): project
#"update_subnet": "role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)"

# DEPRECATED
# "update_subnet":"rule:admin_or_network_owner" has been deprecated
# since W in favor of "update_subnet":"role:member and
# project_id:%(project_id)s or (rule:admin_only) or (role:member and
# rule:network_owner)".
# The subnet API now supports system scope and default roles.

# Update ``segment_id`` attribute of a subnet
# PUT  /subnets/{id}
# Intended scope(s): project
#"update_subnet:segment_id": "rule:admin_only"

# DEPRECATED
# "update_subnet:segment_id":"rule:admin_only" has been deprecated
# since W in favor of "update_subnet:segment_id":"rule:admin_only".
# The subnet API now supports system scope and default roles.

# Update ``service_types`` attribute of a subnet
# PUT  /subnets/{id}
# Intended scope(s): project
#"update_subnet:service_types": "rule:admin_only"

# DEPRECATED
# "update_subnet:service_types":"rule:admin_only" has been deprecated
# since W in favor of "update_subnet:service_types":"rule:admin_only".
# The subnet API now supports system scope and default roles.

# Update the subnet tags
# PUT  /subnets/{id}/tags
# PUT  /subnets/{id}/tags/{tag_id}
# Intended scope(s): project
#"update_subnet:tags": "role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)"

# DEPRECATED
# "update_subnets_tags":"role:member and project_id:%(project_id)s or
# (rule:admin_only) or (role:member and rule:network_owner)" has been
# deprecated since 2025.1 in favor of
# "update_subnet:tags":"role:member and project_id:%(project_id)s or
# (rule:admin_only) or (role:member and rule:network_owner)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "update_subnets_tags": "rule:update_subnet:tags"

# Delete a subnet
# DELETE  /subnets/{id}
# Intended scope(s): project
#"delete_subnet": "role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)"

# DEPRECATED
# "delete_subnet":"rule:admin_or_network_owner" has been deprecated
# since W in favor of "delete_subnet":"role:member and
# project_id:%(project_id)s or (rule:admin_only) or (role:member and
# rule:network_owner)".
# The subnet API now supports system scope and default roles.

# Delete the subnet tags
# DELETE  /subnets/{id}/tags
# DELETE  /subnets/{id}/tags/{tag_id}
# Intended scope(s): project
#"delete_subnet:tags": "role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)"

# DEPRECATED
# "delete_subnets_tags":"role:member and project_id:%(project_id)s or
# (rule:admin_only) or (role:member and rule:network_owner)" has been
# deprecated since 2025.1 in favor of
# "delete_subnet:tags":"role:member and project_id:%(project_id)s or
# (rule:admin_only) or (role:member and rule:network_owner)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "delete_subnets_tags": "rule:delete_subnet:tags"

# Definition of a shared subnetpool
#"shared_subnetpools": "field:subnetpools:shared=True"

# Create a subnetpool
# POST  /subnetpools
# Intended scope(s): project
#"create_subnetpool": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_subnetpool":"rule:regular_user" has been deprecated since W
# in favor of "create_subnetpool":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The subnet pool API now supports system scope and default roles.

# Create a shared subnetpool
# POST  /subnetpools
# Intended scope(s): project
#"create_subnetpool:shared": "rule:admin_only"

# DEPRECATED
# "create_subnetpool:shared":"rule:admin_only" has been deprecated
# since W in favor of "create_subnetpool:shared":"rule:admin_only".
# The subnet pool API now supports system scope and default roles.

# Specify ``is_default`` attribute when creating a subnetpool
# POST  /subnetpools
# Intended scope(s): project
#"create_subnetpool:is_default": "rule:admin_only"

# DEPRECATED
# "create_subnetpool:is_default":"rule:admin_only" has been deprecated
# since W in favor of
# "create_subnetpool:is_default":"rule:admin_only".
# The subnet pool API now supports system scope and default roles.

# Create the subnetpool tags
# POST  /subnetpools/{id}/tags
# Intended scope(s): project
#"create_subnetpool:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_subnetpools_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "create_subnetpool:tags":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "create_subnetpools_tags": "rule:create_subnetpool:tags"

# Get a subnetpool
# GET  /subnetpools
# GET  /subnetpools/{id}
# Intended scope(s): project
#"get_subnetpool": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"

# DEPRECATED
# "get_subnetpool":"rule:admin_or_owner or rule:shared_subnetpools"
# has been deprecated since W in favor of
# "get_subnetpool":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:shared_subnetpools".
# The subnet pool API now supports system scope and default roles.

# Get the subnetpool tags
# GET  /subnetpools/{id}/tags
# GET  /subnetpools/{id}/tags/{tag_id}
# Intended scope(s): project
#"get_subnetpool:tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"

# DEPRECATED
# "get_subnetpools_tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:shared_subnetpools" has been
# deprecated since 2025.1 in favor of
# "get_subnetpool:tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s) or rule:shared_subnetpools".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "get_subnetpools_tags": "rule:get_subnetpool:tags"

# Update a subnetpool
# PUT  /subnetpools/{id}
# Intended scope(s): project
#"update_subnetpool": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_subnetpool":"rule:admin_or_owner" has been deprecated since
# W in favor of "update_subnetpool":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The subnet pool API now supports system scope and default roles.

# Update ``is_default`` attribute of a subnetpool
# PUT  /subnetpools/{id}
# Intended scope(s): project
#"update_subnetpool:is_default": "rule:admin_only"

# DEPRECATED
# "update_subnetpool:is_default":"rule:admin_only" has been deprecated
# since W in favor of
# "update_subnetpool:is_default":"rule:admin_only".
# The subnet pool API now supports system scope and default roles.

# Update the subnetpool tags
# PUT  /subnetpools/{id}/tags
# PUT  /subnetpools/{id}/tags/{tag_id}
# Intended scope(s): project
#"update_subnetpool:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_subnetpools_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "update_subnetpool:tags":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "update_subnetpools_tags": "rule:update_subnetpool:tags"

# Delete a subnetpool
# DELETE  /subnetpools/{id}
# Intended scope(s): project
#"delete_subnetpool": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_subnetpool":"rule:admin_or_owner" has been deprecated since
# W in favor of "delete_subnetpool":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The subnet pool API now supports system scope and default roles.

# Delete the subnetpool tags
# DELETE  /subnetpools/{id}/tags
# DELETE  /subnetpools/{id}/tags/{tag_id}
# Intended scope(s): project
#"delete_subnetpool:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_subnetpools_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "delete_subnetpool:tags":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "delete_subnetpools_tags": "rule:delete_subnetpool:tags"

# Onboard existing subnet into a subnetpool
# PUT  /subnetpools/{id}/onboard_network_subnets
# Intended scope(s): project
#"onboard_network_subnets": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "onboard_network_subnets":"rule:admin_or_owner" has been deprecated
# since W in favor of "onboard_network_subnets":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The subnet pool API now supports system scope and default roles.

# Add prefixes to a subnetpool
# PUT  /subnetpools/{id}/add_prefixes
# Intended scope(s): project
#"add_prefixes": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "add_prefixes":"rule:admin_or_owner" has been deprecated since W in
# favor of "add_prefixes":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The subnet pool API now supports system scope and default roles.

# Remove unallocated prefixes from a subnetpool
# PUT  /subnetpools/{id}/remove_prefixes
# Intended scope(s): project
#"remove_prefixes": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "remove_prefixes":"rule:admin_or_owner" has been deprecated since W
# in favor of "remove_prefixes":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The subnet pool API now supports system scope and default roles.

# Create a trunk
# POST  /trunks
# Intended scope(s): project
#"create_trunk": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_trunk":"rule:regular_user" has been deprecated since W in
# favor of "create_trunk":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The trunks API now supports system scope and default roles.

# Create the trunk tags
# POST  /trunks/{id}/tags
# Intended scope(s): project
#"create_trunk:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "create_trunks_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "create_trunk:tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "create_trunks_tags": "rule:create_trunk:tags"

# Get a trunk
# GET  /trunks
# GET  /trunks/{id}
# Intended scope(s): project
#"get_trunk": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_trunk":"rule:admin_or_owner" has been deprecated since W in
# favor of "get_trunk":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)".
# The trunks API now supports system scope and default roles.

# Get the trunk tags
# GET  /trunks/{id}/tags
# GET  /trunks/{id}/tags/{tag_id}
# Intended scope(s): project
#"get_trunk:tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_trunks_tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "get_trunk:tags":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "get_trunks_tags": "rule:get_trunk:tags"

# Update a trunk
# PUT  /trunks/{id}
# Intended scope(s): project
#"update_trunk": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_trunk":"rule:admin_or_owner" has been deprecated since W in
# favor of "update_trunk":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The trunks API now supports system scope and default roles.

# Update the trunk tags
# PUT  /trunks/{id}/tags
# PUT  /trunks/{id}/tags/{tag_id}
# Intended scope(s): project
#"update_trunk:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "update_trunks_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "update_trunk:tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "update_trunks_tags": "rule:update_trunk:tags"

# Delete a trunk
# DELETE  /trunks/{id}
# Intended scope(s): project
#"delete_trunk": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_trunk":"rule:admin_or_owner" has been deprecated since W in
# favor of "delete_trunk":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The trunks API now supports system scope and default roles.

# Delete a trunk
# DELETE  /trunks/{id}/tags
# DELETE  /trunks/{id}/tags/{tag_id}
# Intended scope(s): project
#"delete_trunk:tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "delete_trunks_tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)" has been deprecated since 2025.1 in
# favor of "delete_trunk:tags":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# Name of the rule is changed.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "delete_trunks_tags": "rule:delete_trunk:tags"

# List subports attached to a trunk
# GET  /trunks/{id}/get_subports
# Intended scope(s): project
#"get_subports": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "get_subports":"rule:regular_user" has been deprecated since W in
# favor of "get_subports":"(rule:admin_only) or (role:reader and
# project_id:%(project_id)s)".
# The trunks API now supports system scope and default roles.

# Add subports to a trunk
# PUT  /trunks/{id}/add_subports
# Intended scope(s): project
#"add_subports": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "add_subports":"rule:admin_or_owner" has been deprecated since W in
# favor of "add_subports":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The trunks API now supports system scope and default roles.

# Delete subports from a trunk
# PUT  /trunks/{id}/remove_subports
# Intended scope(s): project
#"remove_subports": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "remove_subports":"rule:admin_or_owner" has been deprecated since W
# in favor of "remove_subports":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The trunks API now supports system scope and default roles.