Policy configuration¶
Warning
JSON formatted policy file is deprecated since Keystone 19.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
Configuration¶
The following is an overview of all available policies in Keystone.
For a sample configuration file, refer to policy.yaml.
keystone¶
admin_required- Default
role:admin or is_admin:1
(no description provided)
service_role- Default
role:service
(no description provided)
service_or_admin- Default
rule:admin_required or rule:service_role
(no description provided)
owner- Default
user_id:%(user_id)s
(no description provided)
admin_or_owner- Default
rule:admin_required or rule:owner
(no description provided)
token_subject- Default
user_id:%(target.token.user_id)s
(no description provided)
admin_or_token_subject- Default
rule:admin_required or rule:token_subject
(no description provided)
service_admin_or_token_subject- Default
rule:service_or_admin or rule:token_subject
(no description provided)
identity:get_access_rule- Default
(role:reader and system_scope:all) or user_id:%(target.user.id)s- Operations
GET
/v3/users/{user_id}/access_rules/{access_rule_id}HEAD
/v3/users/{user_id}/access_rules/{access_rule_id}
- Scope Types
system
project
Show access rule details.
identity:list_access_rules- Default
(role:reader and system_scope:all) or user_id:%(target.user.id)s- Operations
GET
/v3/users/{user_id}/access_rulesHEAD
/v3/users/{user_id}/access_rules
- Scope Types
system
project
List access rules for a user.
identity:delete_access_rule- Default
(role:admin and system_scope:all) or user_id:%(target.user.id)s- Operations
DELETE
/v3/users/{user_id}/access_rules/{access_rule_id}
- Scope Types
system
project
Delete an access_rule.
identity:authorize_request_token- Default
rule:admin_required- Operations
PUT
/v3/OS-OAUTH1/authorize/{request_token_id}
- Scope Types
project
Authorize OAUTH1 request token.
identity:get_access_token- Default
rule:admin_required- Operations
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
- Scope Types
project
Get OAUTH1 access token for user by access token ID.
identity:get_access_token_role- Default
rule:admin_required- Operations
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
- Scope Types
project
Get role for user OAUTH1 access token.
identity:list_access_tokens- Default
rule:admin_required- Operations
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens
- Scope Types
project
List OAUTH1 access tokens for user.
identity:list_access_token_roles- Default
rule:admin_required- Operations
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
- Scope Types
project
List OAUTH1 access token roles.
identity:delete_access_token- Default
rule:admin_required- Operations
DELETE
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
- Scope Types
project
Delete OAUTH1 access token.
identity:get_application_credential- Default
(rule:admin_required) or (role:reader and system_scope:all) or rule:owner- Operations
GET
/v3/users/{user_id}/application_credentials/{application_credential_id}HEAD
/v3/users/{user_id}/application_credentials/{application_credential_id}
- Scope Types
system
project
Show application credential details.
identity:list_application_credentials- Default
(rule:admin_required) or (role:reader and system_scope:all) or rule:owner- Operations
GET
/v3/users/{user_id}/application_credentialsHEAD
/v3/users/{user_id}/application_credentials
- Scope Types
system
project
List application credentials for a user.
identity:create_application_credential- Default
user_id:%(user_id)s- Operations
POST
/v3/users/{user_id}/application_credentials
- Scope Types
project
Create an application credential.
identity:delete_application_credential- Default
rule:admin_or_owner- Operations
DELETE
/v3/users/{user_id}/application_credentials/{application_credential_id}
- Scope Types
system
project
Delete an application credential.
identity:get_auth_catalog- Default
<empty string>
- Operations
GET
/v3/auth/catalogHEAD
/v3/auth/catalog
Get service catalog.
identity:get_auth_projects- Default
<empty string>
- Operations
GET
/v3/auth/projectsHEAD
/v3/auth/projects
List all projects a user has access to via role assignments.
identity:get_auth_domains- Default
<empty string>
- Operations
GET
/v3/auth/domainsHEAD
/v3/auth/domains
List all domains a user has access to via role assignments.
identity:get_auth_system- Default
<empty string>
- Operations
GET
/v3/auth/systemHEAD
/v3/auth/system
List systems a user has access to via role assignments.
identity:get_consumer- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-OAUTH1/consumers/{consumer_id}
- Scope Types
system
project
Show OAUTH1 consumer details.
identity:list_consumers- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-OAUTH1/consumers
- Scope Types
system
project
List OAUTH1 consumers.
identity:create_consumer- Default
rule:admin_required- Operations
POST
/v3/OS-OAUTH1/consumers
- Scope Types
system
project
Create OAUTH1 consumer.
identity:update_consumer- Default
rule:admin_required- Operations
PATCH
/v3/OS-OAUTH1/consumers/{consumer_id}
- Scope Types
system
project
Update OAUTH1 consumer.
identity:delete_consumer- Default
rule:admin_required- Operations
DELETE
/v3/OS-OAUTH1/consumers/{consumer_id}
- Scope Types
system
project
Delete OAUTH1 consumer.
identity:get_credential- Default
(rule:admin_required) or (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s- Operations
GET
/v3/credentials/{credential_id}
- Scope Types
system
domain
project
Show credentials details.
identity:list_credentials- Default
(rule:admin_required) or (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s- Operations
GET
/v3/credentials
- Scope Types
system
domain
project
List credentials.
identity:create_credential- Default
(rule:admin_required) or user_id:%(target.credential.user_id)s- Operations
POST
/v3/credentials
- Scope Types
system
domain
project
Create credential.
identity:update_credential- Default
(rule:admin_required) or user_id:%(target.credential.user_id)s- Operations
PATCH
/v3/credentials/{credential_id}
- Scope Types
system
domain
project
Update credential.
identity:delete_credential- Default
(rule:admin_required) or user_id:%(target.credential.user_id)s- Operations
DELETE
/v3/credentials/{credential_id}
- Scope Types
system
domain
project
Delete credential.
identity:get_domain- Default
rule:admin_required or (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s- Operations
GET
/v3/domains/{domain_id}
- Scope Types
system
domain
project
Show domain details.
identity:list_domains- Default
rule:admin_required or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain.id)s)- Operations
GET
/v3/domains
- Scope Types
system
domain
project
List domains.
identity:create_domain- Default
rule:admin_required- Operations
POST
/v3/domains
- Scope Types
system
project
Create domain.
identity:update_domain- Default
rule:admin_required- Operations
PATCH
/v3/domains/{domain_id}
- Scope Types
system
project
Update domain.
identity:delete_domain- Default
rule:admin_required- Operations
DELETE
/v3/domains/{domain_id}
- Scope Types
system
project
Delete domain.
identity:create_domain_config- Default
rule:admin_required- Operations
PUT
/v3/domains/{domain_id}/config
- Scope Types
system
project
Create domain configuration.
identity:get_domain_config- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/domains/{domain_id}/configHEAD
/v3/domains/{domain_id}/configGET
/v3/domains/{domain_id}/config/{group}HEAD
/v3/domains/{domain_id}/config/{group}GET
/v3/domains/{domain_id}/config/{group}/{option}HEAD
/v3/domains/{domain_id}/config/{group}/{option}
- Scope Types
system
project
Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain.
identity:get_security_compliance_domain_config- Default
<empty string>
- Operations
GET
/v3/domains/{domain_id}/config/security_complianceHEAD
/v3/domains/{domain_id}/config/security_complianceGET
/v3/domains/{domain_id}/config/security_compliance/{option}HEAD
/v3/domains/{domain_id}/config/security_compliance/{option}
- Scope Types
system
domain
project
Get security compliance domain configuration for either a domain or a specific option in a domain.
identity:update_domain_config- Default
rule:admin_required- Operations
PATCH
/v3/domains/{domain_id}/configPATCH
/v3/domains/{domain_id}/config/{group}PATCH
/v3/domains/{domain_id}/config/{group}/{option}
- Scope Types
system
project
Update domain configuration for either a domain, specific group or a specific option in a group.
identity:delete_domain_config- Default
rule:admin_required- Operations
DELETE
/v3/domains/{domain_id}/configDELETE
/v3/domains/{domain_id}/config/{group}DELETE
/v3/domains/{domain_id}/config/{group}/{option}
- Scope Types
system
project
Delete domain configuration for either a domain, specific group or a specific option in a group.
identity:get_domain_config_default- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/domains/config/defaultHEAD
/v3/domains/config/defaultGET
/v3/domains/config/{group}/defaultHEAD
/v3/domains/config/{group}/defaultGET
/v3/domains/config/{group}/{option}/defaultHEAD
/v3/domains/config/{group}/{option}/default
- Scope Types
system
project
Get domain configuration default for either a domain, specific group or a specific option in a group.
identity:ec2_get_credential- Default
(rule:admin_required) or (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s- Operations
GET
/v3/users/{user_id}/credentials/OS-EC2/{credential_id}
- Scope Types
system
project
Show ec2 credential details.
identity:ec2_list_credentials- Default
(rule:admin_required) or (role:reader and system_scope:all) or rule:owner- Operations
GET
/v3/users/{user_id}/credentials/OS-EC2
- Scope Types
system
project
List ec2 credentials.
identity:ec2_create_credential- Default
rule:admin_or_owner- Operations
POST
/v3/users/{user_id}/credentials/OS-EC2
- Scope Types
system
project
Create ec2 credential.
identity:ec2_delete_credential- Default
(rule:admin_required) or user_id:%(target.credential.user_id)s- Operations
DELETE
/v3/users/{user_id}/credentials/OS-EC2/{credential_id}
- Scope Types
system
project
Delete ec2 credential.
identity:get_endpoint- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/endpoints/{endpoint_id}
- Scope Types
system
project
Show endpoint details.
identity:list_endpoints- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/endpoints
- Scope Types
system
project
List endpoints.
identity:create_endpoint- Default
rule:admin_required- Operations
POST
/v3/endpoints
- Scope Types
system
project
Create endpoint.
identity:update_endpoint- Default
rule:admin_required- Operations
PATCH
/v3/endpoints/{endpoint_id}
- Scope Types
system
project
Update endpoint.
identity:delete_endpoint- Default
rule:admin_required- Operations
DELETE
/v3/endpoints/{endpoint_id}
- Scope Types
system
project
Delete endpoint.
identity:create_endpoint_group- Default
rule:admin_required- Operations
POST
/v3/OS-EP-FILTER/endpoint_groups
- Scope Types
system
project
Create endpoint group.
identity:list_endpoint_groups- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-EP-FILTER/endpoint_groups
- Scope Types
system
project
List endpoint groups.
identity:get_endpoint_group- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}HEAD
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- Scope Types
system
project
Get endpoint group.
identity:update_endpoint_group- Default
rule:admin_required- Operations
PATCH
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- Scope Types
system
project
Update endpoint group.
identity:delete_endpoint_group- Default
rule:admin_required- Operations
DELETE
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- Scope Types
system
project
Delete endpoint group.
identity:list_projects_associated_with_endpoint_group- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
- Scope Types
system
project
List all projects associated with a specific endpoint group.
identity:list_endpoints_associated_with_endpoint_group- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
- Scope Types
system
project
List all endpoints associated with an endpoint group.
identity:get_endpoint_group_in_project- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}HEAD
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- Scope Types
system
project
Check if an endpoint group is associated with a project.
identity:list_endpoint_groups_for_project- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
- Scope Types
system
project
List endpoint groups associated with a specific project.
identity:add_endpoint_group_to_project- Default
rule:admin_required- Operations
PUT
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- Scope Types
system
project
Allow a project to access an endpoint group.
identity:remove_endpoint_group_from_project- Default
rule:admin_required- Operations
DELETE
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- Scope Types
system
project
Remove endpoint group from project.
identity:check_grant- Default
(rule:admin_required) or ((role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s))- Operations
HEAD
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}GET
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}HEAD
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}GET
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}HEAD
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}GET
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}HEAD
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}GET
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}HEAD
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projectsGET
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projectsHEAD
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projectsGET
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projectsHEAD
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projectsGET
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projectsHEAD
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projectsGET
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- Scope Types
system
domain
project
Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
identity:list_grants- Default
(rule:admin_required) or ((role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))- Operations
GET
/v3/projects/{project_id}/users/{user_id}/rolesHEAD
/v3/projects/{project_id}/users/{user_id}/rolesGET
/v3/projects/{project_id}/groups/{group_id}/rolesHEAD
/v3/projects/{project_id}/groups/{group_id}/rolesGET
/v3/domains/{domain_id}/users/{user_id}/rolesHEAD
/v3/domains/{domain_id}/users/{user_id}/rolesGET
/v3/domains/{domain_id}/groups/{group_id}/rolesHEAD
/v3/domains/{domain_id}/groups/{group_id}/rolesGET
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projectsGET
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
- Scope Types
system
domain
project
List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain.
identity:create_grant- Default
(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)- Operations
PUT
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}PUT
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}PUT
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}PUT
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}PUT
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projectsPUT
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projectsPUT
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projectsPUT
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- Scope Types
system
domain
project
Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
identity:revoke_grant- Default
(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)- Operations
DELETE
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}DELETE
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}DELETE
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}DELETE
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}DELETE
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projectsDELETE
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projectsDELETE
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projectsDELETE
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- Scope Types
system
domain
project
Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target’s projects subtree.
identity:list_system_grants_for_user- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
[‘HEAD’, ‘GET’]
/v3/system/users/{user_id}/roles
- Scope Types
system
project
List all grants a specific user has on the system.
identity:check_system_grant_for_user- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
[‘HEAD’, ‘GET’]
/v3/system/users/{user_id}/roles/{role_id}
- Scope Types
system
project
Check if a user has a role on the system.
identity:create_system_grant_for_user- Default
rule:admin_required- Operations
[‘PUT’]
/v3/system/users/{user_id}/roles/{role_id}
- Scope Types
system
project
Grant a user a role on the system.
identity:revoke_system_grant_for_user- Default
rule:admin_required- Operations
[‘DELETE’]
/v3/system/users/{user_id}/roles/{role_id}
- Scope Types
system
project
Remove a role from a user on the system.
identity:list_system_grants_for_group- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
[‘HEAD’, ‘GET’]
/v3/system/groups/{group_id}/roles
- Scope Types
system
project
List all grants a specific group has on the system.
identity:check_system_grant_for_group- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
[‘HEAD’, ‘GET’]
/v3/system/groups/{group_id}/roles/{role_id}
- Scope Types
system
project
Check if a group has a role on the system.
identity:create_system_grant_for_group- Default
rule:admin_required- Operations
[‘PUT’]
/v3/system/groups/{group_id}/roles/{role_id}
- Scope Types
system
project
Grant a group a role on the system.
identity:revoke_system_grant_for_group- Default
rule:admin_required- Operations
[‘DELETE’]
/v3/system/groups/{group_id}/roles/{role_id}
- Scope Types
system
project
Remove a role from a group on the system.
identity:get_group- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)- Operations
GET
/v3/groups/{group_id}HEAD
/v3/groups/{group_id}
- Scope Types
system
domain
project
Show group details.
identity:list_groups- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)- Operations
GET
/v3/groupsHEAD
/v3/groups
- Scope Types
system
domain
project
List groups.
identity:list_groups_for_user- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s- Operations
GET
/v3/users/{user_id}/groupsHEAD
/v3/users/{user_id}/groups
- Scope Types
system
domain
project
List groups to which a user belongs.
identity:create_group- Default
rule:admin_required- Operations
POST
/v3/groups
- Scope Types
system
domain
project
Create group.
identity:update_group- Default
rule:admin_required- Operations
PATCH
/v3/groups/{group_id}
- Scope Types
system
domain
project
Update group.
identity:delete_group- Default
rule:admin_required- Operations
DELETE
/v3/groups/{group_id}
- Scope Types
system
domain
project
Delete group.
identity:list_users_in_group- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)- Operations
GET
/v3/groups/{group_id}/usersHEAD
/v3/groups/{group_id}/users
- Scope Types
system
domain
project
List members of a specific group.
identity:remove_user_from_group- Default
rule:admin_required- Operations
DELETE
/v3/groups/{group_id}/users/{user_id}
- Scope Types
system
domain
project
Remove user from group.
identity:check_user_in_group- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)- Operations
HEAD
/v3/groups/{group_id}/users/{user_id}GET
/v3/groups/{group_id}/users/{user_id}
- Scope Types
system
domain
project
Check whether a user is a member of a group.
identity:add_user_to_group- Default
rule:admin_required- Operations
PUT
/v3/groups/{group_id}/users/{user_id}
- Scope Types
system
domain
project
Add user to group.
identity:create_identity_provider- Default
rule:admin_required- Operations
PUT
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types
system
project
Create identity provider.
identity:list_identity_providers- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-FEDERATION/identity_providersHEAD
/v3/OS-FEDERATION/identity_providers
- Scope Types
system
project
List identity providers.
identity:get_identity_provider- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-FEDERATION/identity_providers/{idp_id}HEAD
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types
system
project
Get identity provider.
identity:update_identity_provider- Default
rule:admin_required- Operations
PATCH
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types
system
project
Update identity provider.
identity:delete_identity_provider- Default
rule:admin_required- Operations
DELETE
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types
system
project
Delete identity provider.
identity:get_implied_role- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types
system
project
Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:list_implied_roles- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/roles/{prior_role_id}/impliesHEAD
/v3/roles/{prior_role_id}/implies
- Scope Types
system
project
List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role.
identity:create_implied_role- Default
rule:admin_required- Operations
PUT
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types
system
project
Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:delete_implied_role- Default
rule:admin_required- Operations
DELETE
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types
system
project
Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.
identity:list_role_inference_rules- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/role_inferencesHEAD
/v3/role_inferences
- Scope Types
system
project
List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:check_implied_role- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
HEAD
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types
system
project
Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:get_limit_model- Default
<empty string>
- Operations
GET
/v3/limits/modelHEAD
/v3/limits/model
- Scope Types
system
domain
project
Get limit enforcement model.
identity:get_limit- Default
rule:admin_required or (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)- Operations
GET
/v3/limits/{limit_id}HEAD
/v3/limits/{limit_id}
- Scope Types
system
domain
project
Show limit details.
identity:list_limits- Default
<empty string>
- Operations
GET
/v3/limitsHEAD
/v3/limits
- Scope Types
system
domain
project
List limits.
identity:create_limits- Default
rule:admin_required- Operations
POST
/v3/limits
- Scope Types
system
project
Create limits.
identity:update_limit- Default
rule:admin_required- Operations
PATCH
/v3/limits/{limit_id}
- Scope Types
system
project
Update limit.
identity:delete_limit- Default
rule:admin_required- Operations
DELETE
/v3/limits/{limit_id}
- Scope Types
system
project
Delete limit.
identity:create_mapping- Default
rule:admin_required- Operations
PUT
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types
system
project
Create a new federated mapping containing one or more sets of rules.
identity:get_mapping- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-FEDERATION/mappings/{mapping_id}HEAD
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types
system
project
Get a federated mapping.
identity:list_mappings- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-FEDERATION/mappingsHEAD
/v3/OS-FEDERATION/mappings
- Scope Types
system
project
List federated mappings.
identity:delete_mapping- Default
rule:admin_required- Operations
DELETE
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types
system
project
Delete a federated mapping.
identity:update_mapping- Default
rule:admin_required- Operations
PATCH
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types
system
project
Update a federated mapping.
identity:get_policy- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/policies/{policy_id}
- Scope Types
system
project
Show policy details.
identity:list_policies- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/policies
- Scope Types
system
project
List policies.
identity:create_policy- Default
rule:admin_required- Operations
POST
/v3/policies
- Scope Types
system
project
Create policy.
identity:update_policy- Default
rule:admin_required- Operations
PATCH
/v3/policies/{policy_id}
- Scope Types
system
project
Update policy.
identity:delete_policy- Default
rule:admin_required- Operations
DELETE
/v3/policies/{policy_id}
- Scope Types
system
project
Delete policy.
identity:create_policy_association_for_endpoint- Default
rule:admin_required- Operations
PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- Scope Types
system
project
Associate a policy to a specific endpoint.
identity:check_policy_association_for_endpoint- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- Scope Types
system
project
Check policy association for endpoint.
identity:delete_policy_association_for_endpoint- Default
rule:admin_required- Operations
DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- Scope Types
system
project
Delete policy association for endpoint.
identity:create_policy_association_for_service- Default
rule:admin_required- Operations
PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- Scope Types
system
project
Associate a policy to a specific service.
identity:check_policy_association_for_service- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- Scope Types
system
project
Check policy association for service.
identity:delete_policy_association_for_service- Default
rule:admin_required- Operations
DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- Scope Types
system
project
Delete policy association for service.
identity:create_policy_association_for_region_and_service- Default
rule:admin_required- Operations
PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- Scope Types
system
project
Associate a policy to a specific region and service combination.
identity:check_policy_association_for_region_and_service- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- Scope Types
system
project
Check policy association for region and service.
identity:delete_policy_association_for_region_and_service- Default
rule:admin_required- Operations
DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- Scope Types
system
project
Delete policy association for region and service.
identity:get_policy_for_endpoint- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policyHEAD
/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
- Scope Types
system
project
Get policy for endpoint.
identity:list_endpoints_for_policy- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
- Scope Types
system
project
List endpoints for policy.
identity:get_project- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s- Operations
GET
/v3/projects/{project_id}
- Scope Types
system
domain
project
Show project details.
identity:list_projects- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)- Operations
GET
/v3/projects
- Scope Types
system
domain
project
List projects.
identity:list_user_projects- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s- Operations
GET
/v3/users/{user_id}/projects
- Scope Types
system
domain
project
List projects for user.
identity:create_project- Default
rule:admin_required- Operations
POST
/v3/projects
- Scope Types
system
domain
project
Create project.
identity:update_project- Default
rule:admin_required- Operations
PATCH
/v3/projects/{project_id}
- Scope Types
system
domain
project
Update project.
identity:delete_project- Default
rule:admin_required- Operations
DELETE
/v3/projects/{project_id}
- Scope Types
system
domain
project
Delete project.
identity:list_project_tags- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s- Operations
GET
/v3/projects/{project_id}/tagsHEAD
/v3/projects/{project_id}/tags
- Scope Types
system
domain
project
List tags for a project.
identity:get_project_tag- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s- Operations
GET
/v3/projects/{project_id}/tags/{value}HEAD
/v3/projects/{project_id}/tags/{value}
- Scope Types
system
domain
project
Check if project contains a tag.
identity:update_project_tags- Default
rule:admin_required- Operations
PUT
/v3/projects/{project_id}/tags
- Scope Types
system
domain
project
Replace all tags on a project with the new set of tags.
identity:create_project_tag- Default
rule:admin_required- Operations
PUT
/v3/projects/{project_id}/tags/{value}
- Scope Types
system
domain
project
Add a single tag to a project.
identity:delete_project_tags- Default
rule:admin_required- Operations
DELETE
/v3/projects/{project_id}/tags
- Scope Types
system
domain
project
Remove all tags from a project.
identity:delete_project_tag- Default
rule:admin_required- Operations
DELETE
/v3/projects/{project_id}/tags/{value}
- Scope Types
system
domain
project
Delete a specified tag from project.
identity:list_projects_for_endpoint- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
- Scope Types
system
project
List projects allowed to access an endpoint.
identity:add_endpoint_to_project- Default
rule:admin_required- Operations
PUT
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- Scope Types
system
project
Allow project to access an endpoint.
identity:check_endpoint_in_project- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}HEAD
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- Scope Types
system
project
Check if a project is allowed to access an endpoint.
identity:list_endpoints_for_project- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoints
- Scope Types
system
project
List the endpoints a project is allowed to access.
identity:remove_endpoint_from_project- Default
rule:admin_required- Operations
DELETE
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- Scope Types
system
project
Remove access to an endpoint from a project that has previously been given explicit access.
identity:create_protocol- Default
rule:admin_required- Operations
PUT
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types
system
project
Create federated protocol.
identity:update_protocol- Default
rule:admin_required- Operations
PATCH
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types
system
project
Update federated protocol.
identity:get_protocol- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types
system
project
Get federated protocol.
identity:list_protocols- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
- Scope Types
system
project
List federated protocols.
identity:delete_protocol- Default
rule:admin_required- Operations
DELETE
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types
system
project
Delete federated protocol.
identity:get_region- Default
<empty string>
- Operations
GET
/v3/regions/{region_id}HEAD
/v3/regions/{region_id}
- Scope Types
system
domain
project
Show region details.
identity:list_regions- Default
<empty string>
- Operations
GET
/v3/regionsHEAD
/v3/regions
- Scope Types
system
domain
project
List regions.
identity:create_region- Default
rule:admin_required- Operations
POST
/v3/regionsPUT
/v3/regions/{region_id}
- Scope Types
system
project
Create region.
identity:update_region- Default
rule:admin_required- Operations
PATCH
/v3/regions/{region_id}
- Scope Types
system
project
Update region.
identity:delete_region- Default
rule:admin_required- Operations
DELETE
/v3/regions/{region_id}
- Scope Types
system
project
Delete region.
identity:get_registered_limit- Default
<empty string>
- Operations
GET
/v3/registered_limits/{registered_limit_id}HEAD
/v3/registered_limits/{registered_limit_id}
- Scope Types
system
domain
project
Show registered limit details.
identity:list_registered_limits- Default
<empty string>
- Operations
GET
/v3/registered_limitsHEAD
/v3/registered_limits
- Scope Types
system
domain
project
List registered limits.
identity:create_registered_limits- Default
rule:admin_required- Operations
POST
/v3/registered_limits
- Scope Types
system
project
Create registered limits.
identity:update_registered_limit- Default
rule:admin_required- Operations
PATCH
/v3/registered_limits/{registered_limit_id}
- Scope Types
system
project
Update registered limit.
identity:delete_registered_limit- Default
rule:admin_required- Operations
DELETE
/v3/registered_limits/{registered_limit_id}
- Scope Types
system
project
Delete registered limit.
identity:list_revoke_events- Default
rule:service_or_admin- Operations
GET
/v3/OS-REVOKE/events
- Scope Types
system
project
List revocation events.
identity:get_role- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/roles/{role_id}HEAD
/v3/roles/{role_id}
- Scope Types
system
domain
project
Show role details.
identity:list_roles- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/rolesHEAD
/v3/roles
- Scope Types
system
domain
project
List roles.
identity:create_role- Default
rule:admin_required- Operations
POST
/v3/roles
- Scope Types
system
project
Create role.
identity:update_role- Default
rule:admin_required- Operations
PATCH
/v3/roles/{role_id}
- Scope Types
system
project
Update role.
identity:delete_role- Default
rule:admin_required- Operations
DELETE
/v3/roles/{role_id}
- Scope Types
system
project
Delete role.
identity:get_domain_role- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/roles/{role_id}HEAD
/v3/roles/{role_id}
- Scope Types
system
project
Show domain role.
identity:list_domain_roles- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/roles?domain_id={domain_id}HEAD
/v3/roles?domain_id={domain_id}
- Scope Types
system
project
List domain roles.
identity:create_domain_role- Default
rule:admin_required- Operations
POST
/v3/roles
- Scope Types
system
project
Create domain role.
identity:update_domain_role- Default
rule:admin_required- Operations
PATCH
/v3/roles/{role_id}
- Scope Types
system
project
Update domain role.
identity:delete_domain_role- Default
rule:admin_required- Operations
DELETE
/v3/roles/{role_id}
- Scope Types
system
project
Delete domain role.
identity:list_role_assignments- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)- Operations
GET
/v3/role_assignmentsHEAD
/v3/role_assignments
- Scope Types
system
domain
project
List role assignments.
identity:list_role_assignments_for_tree- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)- Operations
GET
/v3/role_assignments?include_subtreeHEAD
/v3/role_assignments?include_subtree
- Scope Types
system
domain
project
List all role assignments for a given tree of hierarchical projects.
identity:get_service- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/services/{service_id}
- Scope Types
system
project
Show service details.
identity:list_services- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/services
- Scope Types
system
project
List services.
identity:create_service- Default
rule:admin_required- Operations
POST
/v3/services
- Scope Types
system
project
Create service.
identity:update_service- Default
rule:admin_required- Operations
PATCH
/v3/services/{service_id}
- Scope Types
system
project
Update service.
identity:delete_service- Default
rule:admin_required- Operations
DELETE
/v3/services/{service_id}
- Scope Types
system
project
Delete service.
identity:create_service_provider- Default
rule:admin_required- Operations
PUT
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types
system
project
Create federated service provider.
identity:list_service_providers- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-FEDERATION/service_providersHEAD
/v3/OS-FEDERATION/service_providers
- Scope Types
system
project
List federated service providers.
identity:get_service_provider- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-FEDERATION/service_providers/{service_provider_id}HEAD
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types
system
project
Get federated service provider.
identity:update_service_provider- Default
rule:admin_required- Operations
PATCH
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types
system
project
Update federated service provider.
identity:delete_service_provider- Default
rule:admin_required- Operations
DELETE
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types
system
project
Delete federated service provider.
identity:revocation_list- Default
rule:service_or_admin- Operations
GET
/v3/auth/tokens/OS-PKI/revoked
- Scope Types
system
project
List revoked PKI tokens.
identity:check_token- Default
rule:admin_required or (role:reader and system_scope:all) or rule:token_subject- Operations
HEAD
/v3/auth/tokens
- Scope Types
system
domain
project
Check a token.
identity:validate_token- Default
rule:admin_required or (role:reader and system_scope:all) or rule:service_role or rule:token_subject- Operations
GET
/v3/auth/tokens
- Scope Types
system
domain
project
Validate a token.
identity:revoke_token- Default
rule:admin_required or rule:token_subject- Operations
DELETE
/v3/auth/tokens
- Scope Types
system
domain
project
Revoke a token.
identity:create_trust- Default
user_id:%(trust.trustor_user_id)s- Operations
POST
/v3/OS-TRUST/trusts
- Scope Types
project
Create trust.
identity:list_trusts- Default
rule:admin_required or (role:reader and system_scope:all)- Operations
GET
/v3/OS-TRUST/trustsHEAD
/v3/OS-TRUST/trusts
- Scope Types
system
project
List trusts.
identity:list_trusts_for_trustor- Default
(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s)- Operations
GET
/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}HEAD
/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
- Scope Types
system
project
List trusts for trustor.
identity:list_trusts_for_trustee- Default
(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s)- Operations
GET
/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}HEAD
/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
- Scope Types
system
project
List trusts for trustee.
identity:list_roles_for_trust- Default
(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)- Operations
GET
/v3/OS-TRUST/trusts/{trust_id}/rolesHEAD
/v3/OS-TRUST/trusts/{trust_id}/roles
- Scope Types
system
project
List roles delegated by a trust.
identity:get_role_for_trust- Default
(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)- Operations
GET
/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}HEAD
/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
- Scope Types
system
project
Check if trust delegates a particular role.
identity:delete_trust- Default
rule:admin_required or user_id:%(target.trust.trustor_user_id)s- Operations
DELETE
/v3/OS-TRUST/trusts/{trust_id}
- Scope Types
system
project
Revoke trust.
identity:get_trust- Default
(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)- Operations
GET
/v3/OS-TRUST/trusts/{trust_id}HEAD
/v3/OS-TRUST/trusts/{trust_id}
- Scope Types
system
project
Get trust.
identity:get_user- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s- Operations
GET
/v3/users/{user_id}HEAD
/v3/users/{user_id}
- Scope Types
system
domain
project
Show user details.
identity:list_users- Default
(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)- Operations
GET
/v3/usersHEAD
/v3/users
- Scope Types
system
domain
project
List users.
identity:list_projects_for_user- Default
<empty string>
- Operations
GET `` /v3/auth/projects``
List all projects a user has access to via role assignments.
identity:list_domains_for_user- Default
<empty string>
- Operations
GET
/v3/auth/domains
List all domains a user has access to via role assignments.
identity:create_user- Default
rule:admin_required- Operations
POST
/v3/users
- Scope Types
system
domain
project
Create a user.
identity:update_user- Default
rule:admin_required- Operations
PATCH
/v3/users/{user_id}
- Scope Types
system
domain
project
Update a user, including administrative password resets.
identity:delete_user- Default
rule:admin_required- Operations
DELETE
/v3/users/{user_id}
- Scope Types
system
domain
project
Delete a user.
