Policy configuration¶
Warning
JSON formatted policy file is deprecated since Keystone 19.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
Configuration¶
The following is an overview of all available policies in Keystone.
For a sample configuration file, refer to policy.yaml.
keystone¶
admin_required
- Default
role:admin or is_admin:1
(no description provided)
service_role
- Default
role:service
(no description provided)
service_or_admin
- Default
rule:admin_required or rule:service_role
(no description provided)
owner
- Default
user_id:%(user_id)s
(no description provided)
admin_or_owner
- Default
rule:admin_required or rule:owner
(no description provided)
token_subject
- Default
user_id:%(target.token.user_id)s
(no description provided)
admin_or_token_subject
- Default
rule:admin_required or rule:token_subject
(no description provided)
service_admin_or_token_subject
- Default
rule:service_or_admin or rule:token_subject
(no description provided)
identity:get_access_rule
- Default
(role:reader and system_scope:all) or user_id:%(target.user.id)s
- Operations
GET
/v3/users/{user_id}/access_rules/{access_rule_id}
HEAD
/v3/users/{user_id}/access_rules/{access_rule_id}
- Scope Types
system
project
Show access rule details.
identity:list_access_rules
- Default
(role:reader and system_scope:all) or user_id:%(target.user.id)s
- Operations
GET
/v3/users/{user_id}/access_rules
HEAD
/v3/users/{user_id}/access_rules
- Scope Types
system
project
List access rules for a user.
identity:delete_access_rule
- Default
(role:admin and system_scope:all) or user_id:%(target.user.id)s
- Operations
DELETE
/v3/users/{user_id}/access_rules/{access_rule_id}
- Scope Types
system
project
Delete an access_rule.
identity:authorize_request_token
- Default
rule:admin_required
- Operations
PUT
/v3/OS-OAUTH1/authorize/{request_token_id}
- Scope Types
project
Authorize OAUTH1 request token.
identity:get_access_token
- Default
rule:admin_required
- Operations
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
- Scope Types
project
Get OAUTH1 access token for user by access token ID.
identity:get_access_token_role
- Default
rule:admin_required
- Operations
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
- Scope Types
project
Get role for user OAUTH1 access token.
identity:list_access_tokens
- Default
rule:admin_required
- Operations
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens
- Scope Types
project
List OAUTH1 access tokens for user.
identity:list_access_token_roles
- Default
rule:admin_required
- Operations
GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
- Scope Types
project
List OAUTH1 access token roles.
identity:delete_access_token
- Default
rule:admin_required
- Operations
DELETE
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
- Scope Types
project
Delete OAUTH1 access token.
identity:get_application_credential
- Default
(role:reader and system_scope:all) or rule:owner
- Operations
GET
/v3/users/{user_id}/application_credentials/{application_credential_id}
HEAD
/v3/users/{user_id}/application_credentials/{application_credential_id}
- Scope Types
system
project
Show application credential details.
identity:list_application_credentials
- Default
(role:reader and system_scope:all) or rule:owner
- Operations
GET
/v3/users/{user_id}/application_credentials
HEAD
/v3/users/{user_id}/application_credentials
- Scope Types
system
project
List application credentials for a user.
identity:create_application_credential
- Default
user_id:%(user_id)s
- Operations
POST
/v3/users/{user_id}/application_credentials
- Scope Types
project
Create an application credential.
identity:delete_application_credential
- Default
(role:admin and system_scope:all) or rule:owner
- Operations
DELETE
/v3/users/{user_id}/application_credentials/{application_credential_id}
- Scope Types
system
project
Delete an application credential.
identity:get_auth_catalog
- Default
<empty string>
- Operations
GET
/v3/auth/catalog
HEAD
/v3/auth/catalog
Get service catalog.
identity:get_auth_projects
- Default
<empty string>
- Operations
GET
/v3/auth/projects
HEAD
/v3/auth/projects
List all projects a user has access to via role assignments.
identity:get_auth_domains
- Default
<empty string>
- Operations
GET
/v3/auth/domains
HEAD
/v3/auth/domains
List all domains a user has access to via role assignments.
identity:get_auth_system
- Default
<empty string>
- Operations
GET
/v3/auth/system
HEAD
/v3/auth/system
List systems a user has access to via role assignments.
identity:get_consumer
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-OAUTH1/consumers/{consumer_id}
- Scope Types
system
Show OAUTH1 consumer details.
identity:list_consumers
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-OAUTH1/consumers
- Scope Types
system
List OAUTH1 consumers.
identity:create_consumer
- Default
role:admin and system_scope:all
- Operations
POST
/v3/OS-OAUTH1/consumers
- Scope Types
system
Create OAUTH1 consumer.
identity:update_consumer
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/OS-OAUTH1/consumers/{consumer_id}
- Scope Types
system
Update OAUTH1 consumer.
identity:delete_consumer
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/OS-OAUTH1/consumers/{consumer_id}
- Scope Types
system
Delete OAUTH1 consumer.
identity:get_credential
- Default
(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations
GET
/v3/credentials/{credential_id}
- Scope Types
system
project
Show credentials details.
identity:list_credentials
- Default
(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations
GET
/v3/credentials
- Scope Types
system
project
List credentials.
identity:create_credential
- Default
(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations
POST
/v3/credentials
- Scope Types
system
project
Create credential.
identity:update_credential
- Default
(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations
PATCH
/v3/credentials/{credential_id}
- Scope Types
system
project
Update credential.
identity:delete_credential
- Default
(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations
DELETE
/v3/credentials/{credential_id}
- Scope Types
system
project
Delete credential.
identity:get_domain
- Default
(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s
- Operations
GET
/v3/domains/{domain_id}
- Scope Types
system
domain
project
Show domain details.
identity:list_domains
- Default
role:reader and system_scope:all
- Operations
GET
/v3/domains
- Scope Types
system
List domains.
identity:create_domain
- Default
role:admin and system_scope:all
- Operations
POST
/v3/domains
- Scope Types
system
Create domain.
identity:update_domain
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/domains/{domain_id}
- Scope Types
system
Update domain.
identity:delete_domain
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/domains/{domain_id}
- Scope Types
system
Delete domain.
identity:create_domain_config
- Default
role:admin and system_scope:all
- Operations
PUT
/v3/domains/{domain_id}/config
- Scope Types
system
Create domain configuration.
identity:get_domain_config
- Default
role:reader and system_scope:all
- Operations
GET
/v3/domains/{domain_id}/config
HEAD
/v3/domains/{domain_id}/config
GET
/v3/domains/{domain_id}/config/{group}
HEAD
/v3/domains/{domain_id}/config/{group}
GET
/v3/domains/{domain_id}/config/{group}/{option}
HEAD
/v3/domains/{domain_id}/config/{group}/{option}
- Scope Types
system
Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain.
identity:get_security_compliance_domain_config
- Default
<empty string>
- Operations
GET
/v3/domains/{domain_id}/config/security_compliance
HEAD
/v3/domains/{domain_id}/config/security_compliance
GET
/v3/domains/{domain_id}/config/security_compliance/{option}
HEAD
/v3/domains/{domain_id}/config/security_compliance/{option}
- Scope Types
system
domain
project
Get security compliance domain configuration for either a domain or a specific option in a domain.
identity:update_domain_config
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/domains/{domain_id}/config
PATCH
/v3/domains/{domain_id}/config/{group}
PATCH
/v3/domains/{domain_id}/config/{group}/{option}
- Scope Types
system
Update domain configuration for either a domain, specific group or a specific option in a group.
identity:delete_domain_config
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/domains/{domain_id}/config
DELETE
/v3/domains/{domain_id}/config/{group}
DELETE
/v3/domains/{domain_id}/config/{group}/{option}
- Scope Types
system
Delete domain configuration for either a domain, specific group or a specific option in a group.
identity:get_domain_config_default
- Default
role:reader and system_scope:all
- Operations
GET
/v3/domains/config/default
HEAD
/v3/domains/config/default
GET
/v3/domains/config/{group}/default
HEAD
/v3/domains/config/{group}/default
GET
/v3/domains/config/{group}/{option}/default
HEAD
/v3/domains/config/{group}/{option}/default
- Scope Types
system
Get domain configuration default for either a domain, specific group or a specific option in a group.
identity:ec2_get_credential
- Default
(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations
GET
/v3/users/{user_id}/credentials/OS-EC2/{credential_id}
- Scope Types
system
project
Show ec2 credential details.
identity:ec2_list_credentials
- Default
(role:reader and system_scope:all) or rule:owner
- Operations
GET
/v3/users/{user_id}/credentials/OS-EC2
- Scope Types
system
project
List ec2 credentials.
identity:ec2_create_credential
- Default
(role:admin and system_scope:all) or rule:owner
- Operations
POST
/v3/users/{user_id}/credentials/OS-EC2
- Scope Types
system
project
Create ec2 credential.
identity:ec2_delete_credential
- Default
(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
- Operations
DELETE
/v3/users/{user_id}/credentials/OS-EC2/{credential_id}
- Scope Types
system
project
Delete ec2 credential.
identity:get_endpoint
- Default
role:reader and system_scope:all
- Operations
GET
/v3/endpoints/{endpoint_id}
- Scope Types
system
Show endpoint details.
identity:list_endpoints
- Default
role:reader and system_scope:all
- Operations
GET
/v3/endpoints
- Scope Types
system
List endpoints.
identity:create_endpoint
- Default
role:admin and system_scope:all
- Operations
POST
/v3/endpoints
- Scope Types
system
Create endpoint.
identity:update_endpoint
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/endpoints/{endpoint_id}
- Scope Types
system
Update endpoint.
identity:delete_endpoint
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/endpoints/{endpoint_id}
- Scope Types
system
Delete endpoint.
identity:create_endpoint_group
- Default
role:admin and system_scope:all
- Operations
POST
/v3/OS-EP-FILTER/endpoint_groups
- Scope Types
system
Create endpoint group.
identity:list_endpoint_groups
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-EP-FILTER/endpoint_groups
- Scope Types
system
List endpoint groups.
identity:get_endpoint_group
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
HEAD
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- Scope Types
system
Get endpoint group.
identity:update_endpoint_group
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- Scope Types
system
Update endpoint group.
identity:delete_endpoint_group
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- Scope Types
system
Delete endpoint group.
identity:list_projects_associated_with_endpoint_group
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
- Scope Types
system
List all projects associated with a specific endpoint group.
identity:list_endpoints_associated_with_endpoint_group
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
- Scope Types
system
List all endpoints associated with an endpoint group.
identity:get_endpoint_group_in_project
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
HEAD
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- Scope Types
system
Check if an endpoint group is associated with a project.
identity:list_endpoint_groups_for_project
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
- Scope Types
system
List endpoint groups associated with a specific project.
identity:add_endpoint_group_to_project
- Default
role:admin and system_scope:all
- Operations
PUT
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- Scope Types
system
Allow a project to access an endpoint group.
identity:remove_endpoint_group_from_project
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- Scope Types
system
Remove endpoint group from project.
identity:check_grant
- Default
(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)
- Operations
HEAD
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
GET
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
HEAD
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
GET
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
HEAD
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
GET
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
HEAD
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
GET
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
HEAD
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
GET
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
HEAD
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
GET
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
HEAD
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
GET
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
HEAD
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
GET
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- Scope Types
system
domain
Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
identity:list_grants
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)
- Operations
GET
/v3/projects/{project_id}/users/{user_id}/roles
HEAD
/v3/projects/{project_id}/users/{user_id}/roles
GET
/v3/projects/{project_id}/groups/{group_id}/roles
HEAD
/v3/projects/{project_id}/groups/{group_id}/roles
GET
/v3/domains/{domain_id}/users/{user_id}/roles
HEAD
/v3/domains/{domain_id}/users/{user_id}/roles
GET
/v3/domains/{domain_id}/groups/{group_id}/roles
HEAD
/v3/domains/{domain_id}/groups/{group_id}/roles
GET
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
GET
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
- Scope Types
system
domain
List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain.
identity:create_grant
- Default
(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)
- Operations
PUT
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
PUT
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
PUT
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
PUT
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
PUT
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
PUT
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
PUT
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
PUT
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- Scope Types
system
domain
Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
identity:revoke_grant
- Default
(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)
- Operations
DELETE
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
DELETE
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
DELETE
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
DELETE
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
DELETE
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
DELETE
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
DELETE
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
DELETE
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- Scope Types
system
domain
Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target’s projects subtree.
identity:list_system_grants_for_user
- Default
role:reader and system_scope:all
- Operations
[‘HEAD’, ‘GET’]
/v3/system/users/{user_id}/roles
- Scope Types
system
List all grants a specific user has on the system.
identity:check_system_grant_for_user
- Default
role:reader and system_scope:all
- Operations
[‘HEAD’, ‘GET’]
/v3/system/users/{user_id}/roles/{role_id}
- Scope Types
system
Check if a user has a role on the system.
identity:create_system_grant_for_user
- Default
role:admin and system_scope:all
- Operations
[‘PUT’]
/v3/system/users/{user_id}/roles/{role_id}
- Scope Types
system
Grant a user a role on the system.
identity:revoke_system_grant_for_user
- Default
role:admin and system_scope:all
- Operations
[‘DELETE’]
/v3/system/users/{user_id}/roles/{role_id}
- Scope Types
system
Remove a role from a user on the system.
identity:list_system_grants_for_group
- Default
role:reader and system_scope:all
- Operations
[‘HEAD’, ‘GET’]
/v3/system/groups/{group_id}/roles
- Scope Types
system
List all grants a specific group has on the system.
identity:check_system_grant_for_group
- Default
role:reader and system_scope:all
- Operations
[‘HEAD’, ‘GET’]
/v3/system/groups/{group_id}/roles/{role_id}
- Scope Types
system
Check if a group has a role on the system.
identity:create_system_grant_for_group
- Default
role:admin and system_scope:all
- Operations
[‘PUT’]
/v3/system/groups/{group_id}/roles/{role_id}
- Scope Types
system
Grant a group a role on the system.
identity:revoke_system_grant_for_group
- Default
role:admin and system_scope:all
- Operations
[‘DELETE’]
/v3/system/groups/{group_id}/roles/{role_id}
- Scope Types
system
Remove a role from a group on the system.
identity:get_group
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
- Operations
GET
/v3/groups/{group_id}
HEAD
/v3/groups/{group_id}
- Scope Types
system
domain
Show group details.
identity:list_groups
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
- Operations
GET
/v3/groups
HEAD
/v3/groups
- Scope Types
system
domain
List groups.
identity:list_groups_for_user
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s
- Operations
GET
/v3/users/{user_id}/groups
HEAD
/v3/users/{user_id}/groups
- Scope Types
system
domain
project
List groups to which a user belongs.
identity:create_group
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)
- Operations
POST
/v3/groups
- Scope Types
system
domain
Create group.
identity:update_group
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)
- Operations
PATCH
/v3/groups/{group_id}
- Scope Types
system
domain
Update group.
identity:delete_group
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)
- Operations
DELETE
/v3/groups/{group_id}
- Scope Types
system
domain
Delete group.
identity:list_users_in_group
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
- Operations
GET
/v3/groups/{group_id}/users
HEAD
/v3/groups/{group_id}/users
- Scope Types
system
domain
List members of a specific group.
identity:remove_user_from_group
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)
- Operations
DELETE
/v3/groups/{group_id}/users/{user_id}
- Scope Types
system
domain
Remove user from group.
identity:check_user_in_group
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)
- Operations
HEAD
/v3/groups/{group_id}/users/{user_id}
GET
/v3/groups/{group_id}/users/{user_id}
- Scope Types
system
domain
Check whether a user is a member of a group.
identity:add_user_to_group
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)
- Operations
PUT
/v3/groups/{group_id}/users/{user_id}
- Scope Types
system
domain
Add user to group.
identity:create_identity_provider
- Default
role:admin and system_scope:all
- Operations
PUT
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types
system
Create identity provider.
identity:list_identity_providers
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-FEDERATION/identity_providers
HEAD
/v3/OS-FEDERATION/identity_providers
- Scope Types
system
List identity providers.
identity:get_identity_provider
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-FEDERATION/identity_providers/{idp_id}
HEAD
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types
system
Get identity provider.
identity:update_identity_provider
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types
system
Update identity provider.
identity:delete_identity_provider
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/OS-FEDERATION/identity_providers/{idp_id}
- Scope Types
system
Delete identity provider.
identity:get_implied_role
- Default
role:reader and system_scope:all
- Operations
GET
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types
system
Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:list_implied_roles
- Default
role:reader and system_scope:all
- Operations
GET
/v3/roles/{prior_role_id}/implies
HEAD
/v3/roles/{prior_role_id}/implies
- Scope Types
system
List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role.
identity:create_implied_role
- Default
role:admin and system_scope:all
- Operations
PUT
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types
system
Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:delete_implied_role
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types
system
Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.
identity:list_role_inference_rules
- Default
role:reader and system_scope:all
- Operations
GET
/v3/role_inferences
HEAD
/v3/role_inferences
- Scope Types
system
List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:check_implied_role
- Default
role:reader and system_scope:all
- Operations
HEAD
/v3/roles/{prior_role_id}/implies/{implied_role_id}
- Scope Types
system
Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:get_limit_model
- Default
<empty string>
- Operations
GET
/v3/limits/model
HEAD
/v3/limits/model
- Scope Types
system
domain
project
Get limit enforcement model.
identity:get_limit
- Default
(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)
- Operations
GET
/v3/limits/{limit_id}
HEAD
/v3/limits/{limit_id}
- Scope Types
system
domain
project
Show limit details.
identity:list_limits
- Default
<empty string>
- Operations
GET
/v3/limits
HEAD
/v3/limits
- Scope Types
system
domain
project
List limits.
identity:create_limits
- Default
role:admin and system_scope:all
- Operations
POST
/v3/limits
- Scope Types
system
Create limits.
identity:update_limit
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/limits/{limit_id}
- Scope Types
system
Update limit.
identity:delete_limit
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/limits/{limit_id}
- Scope Types
system
Delete limit.
identity:create_mapping
- Default
role:admin and system_scope:all
- Operations
PUT
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types
system
Create a new federated mapping containing one or more sets of rules.
identity:get_mapping
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-FEDERATION/mappings/{mapping_id}
HEAD
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types
system
Get a federated mapping.
identity:list_mappings
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-FEDERATION/mappings
HEAD
/v3/OS-FEDERATION/mappings
- Scope Types
system
List federated mappings.
identity:delete_mapping
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types
system
Delete a federated mapping.
identity:update_mapping
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/OS-FEDERATION/mappings/{mapping_id}
- Scope Types
system
Update a federated mapping.
identity:get_policy
- Default
role:reader and system_scope:all
- Operations
GET
/v3/policies/{policy_id}
- Scope Types
system
Show policy details.
identity:list_policies
- Default
role:reader and system_scope:all
- Operations
GET
/v3/policies
- Scope Types
system
List policies.
identity:create_policy
- Default
role:admin and system_scope:all
- Operations
POST
/v3/policies
- Scope Types
system
Create policy.
identity:update_policy
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/policies/{policy_id}
- Scope Types
system
Update policy.
identity:delete_policy
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/policies/{policy_id}
- Scope Types
system
Delete policy.
identity:create_policy_association_for_endpoint
- Default
role:admin and system_scope:all
- Operations
PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- Scope Types
system
Associate a policy to a specific endpoint.
identity:check_policy_association_for_endpoint
- Default
role:reader and system_scope:all
- Operations
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- Scope Types
system
Check policy association for endpoint.
identity:delete_policy_association_for_endpoint
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- Scope Types
system
Delete policy association for endpoint.
identity:create_policy_association_for_service
- Default
role:admin and system_scope:all
- Operations
PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- Scope Types
system
Associate a policy to a specific service.
identity:check_policy_association_for_service
- Default
role:reader and system_scope:all
- Operations
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- Scope Types
system
Check policy association for service.
identity:delete_policy_association_for_service
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- Scope Types
system
Delete policy association for service.
identity:create_policy_association_for_region_and_service
- Default
role:admin and system_scope:all
- Operations
PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- Scope Types
system
Associate a policy to a specific region and service combination.
identity:check_policy_association_for_region_and_service
- Default
role:reader and system_scope:all
- Operations
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- Scope Types
system
Check policy association for region and service.
identity:delete_policy_association_for_region_and_service
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- Scope Types
system
Delete policy association for region and service.
identity:get_policy_for_endpoint
- Default
role:reader and system_scope:all
- Operations
GET
/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
HEAD
/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
- Scope Types
system
Get policy for endpoint.
identity:list_endpoints_for_policy
- Default
role:reader and system_scope:all
- Operations
GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
- Scope Types
system
List endpoints for policy.
identity:get_project
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
- Operations
GET
/v3/projects/{project_id}
- Scope Types
system
domain
project
Show project details.
identity:list_projects
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
- Operations
GET
/v3/projects
- Scope Types
system
domain
List projects.
identity:list_user_projects
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s
- Operations
GET
/v3/users/{user_id}/projects
- Scope Types
system
domain
project
List projects for user.
identity:create_project
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
- Operations
POST
/v3/projects
- Scope Types
system
domain
Create project.
identity:update_project
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
- Operations
PATCH
/v3/projects/{project_id}
- Scope Types
system
domain
Update project.
identity:delete_project
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
- Operations
DELETE
/v3/projects/{project_id}
- Scope Types
system
domain
Delete project.
identity:list_project_tags
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
- Operations
GET
/v3/projects/{project_id}/tags
HEAD
/v3/projects/{project_id}/tags
- Scope Types
system
domain
project
List tags for a project.
identity:get_project_tag
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
- Operations
GET
/v3/projects/{project_id}/tags/{value}
HEAD
/v3/projects/{project_id}/tags/{value}
- Scope Types
system
domain
project
Check if project contains a tag.
identity:update_project_tags
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)
- Operations
PUT
/v3/projects/{project_id}/tags
- Scope Types
system
domain
project
Replace all tags on a project with the new set of tags.
identity:create_project_tag
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)
- Operations
PUT
/v3/projects/{project_id}/tags/{value}
- Scope Types
system
domain
project
Add a single tag to a project.
identity:delete_project_tags
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)
- Operations
DELETE
/v3/projects/{project_id}/tags
- Scope Types
system
domain
project
Remove all tags from a project.
identity:delete_project_tag
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)
- Operations
DELETE
/v3/projects/{project_id}/tags/{value}
- Scope Types
system
domain
project
Delete a specified tag from project.
identity:list_projects_for_endpoint
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
- Scope Types
system
List projects allowed to access an endpoint.
identity:add_endpoint_to_project
- Default
role:admin and system_scope:all
- Operations
PUT
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- Scope Types
system
Allow project to access an endpoint.
identity:check_endpoint_in_project
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
HEAD
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- Scope Types
system
Check if a project is allowed to access an endpoint.
identity:list_endpoints_for_project
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoints
- Scope Types
system
List the endpoints a project is allowed to access.
identity:remove_endpoint_from_project
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- Scope Types
system
Remove access to an endpoint from a project that has previously been given explicit access.
identity:create_protocol
- Default
role:admin and system_scope:all
- Operations
PUT
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types
system
Create federated protocol.
identity:update_protocol
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types
system
Update federated protocol.
identity:get_protocol
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types
system
Get federated protocol.
identity:list_protocols
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
- Scope Types
system
List federated protocols.
identity:delete_protocol
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
- Scope Types
system
Delete federated protocol.
identity:get_region
- Default
<empty string>
- Operations
GET
/v3/regions/{region_id}
HEAD
/v3/regions/{region_id}
- Scope Types
system
domain
project
Show region details.
identity:list_regions
- Default
<empty string>
- Operations
GET
/v3/regions
HEAD
/v3/regions
- Scope Types
system
domain
project
List regions.
identity:create_region
- Default
role:admin and system_scope:all
- Operations
POST
/v3/regions
PUT
/v3/regions/{region_id}
- Scope Types
system
Create region.
identity:update_region
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/regions/{region_id}
- Scope Types
system
Update region.
identity:delete_region
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/regions/{region_id}
- Scope Types
system
Delete region.
identity:get_registered_limit
- Default
<empty string>
- Operations
GET
/v3/registered_limits/{registered_limit_id}
HEAD
/v3/registered_limits/{registered_limit_id}
- Scope Types
system
domain
project
Show registered limit details.
identity:list_registered_limits
- Default
<empty string>
- Operations
GET
/v3/registered_limits
HEAD
/v3/registered_limits
- Scope Types
system
domain
project
List registered limits.
identity:create_registered_limits
- Default
role:admin and system_scope:all
- Operations
POST
/v3/registered_limits
- Scope Types
system
Create registered limits.
identity:update_registered_limit
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/registered_limits/{registered_limit_id}
- Scope Types
system
Update registered limit.
identity:delete_registered_limit
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/registered_limits/{registered_limit_id}
- Scope Types
system
Delete registered limit.
identity:list_revoke_events
- Default
rule:service_or_admin
- Operations
GET
/v3/OS-REVOKE/events
- Scope Types
system
List revocation events.
identity:get_role
- Default
role:reader and system_scope:all
- Operations
GET
/v3/roles/{role_id}
HEAD
/v3/roles/{role_id}
- Scope Types
system
Show role details.
identity:list_roles
- Default
role:reader and system_scope:all
- Operations
GET
/v3/roles
HEAD
/v3/roles
- Scope Types
system
List roles.
identity:create_role
- Default
role:admin and system_scope:all
- Operations
POST
/v3/roles
- Scope Types
system
Create role.
identity:update_role
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/roles/{role_id}
- Scope Types
system
Update role.
identity:delete_role
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/roles/{role_id}
- Scope Types
system
Delete role.
identity:get_domain_role
- Default
role:reader and system_scope:all
- Operations
GET
/v3/roles/{role_id}
HEAD
/v3/roles/{role_id}
- Scope Types
system
Show domain role.
identity:list_domain_roles
- Default
role:reader and system_scope:all
- Operations
GET
/v3/roles?domain_id={domain_id}
HEAD
/v3/roles?domain_id={domain_id}
- Scope Types
system
List domain roles.
identity:create_domain_role
- Default
role:admin and system_scope:all
- Operations
POST
/v3/roles
- Scope Types
system
Create domain role.
identity:update_domain_role
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/roles/{role_id}
- Scope Types
system
Update domain role.
identity:delete_domain_role
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/roles/{role_id}
- Scope Types
system
Delete domain role.
identity:list_role_assignments
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
- Operations
GET
/v3/role_assignments
HEAD
/v3/role_assignments
- Scope Types
system
domain
List role assignments.
identity:list_role_assignments_for_tree
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)
- Operations
GET
/v3/role_assignments?include_subtree
HEAD
/v3/role_assignments?include_subtree
- Scope Types
system
domain
project
List all role assignments for a given tree of hierarchical projects.
identity:get_service
- Default
role:reader and system_scope:all
- Operations
GET
/v3/services/{service_id}
- Scope Types
system
Show service details.
identity:list_services
- Default
role:reader and system_scope:all
- Operations
GET
/v3/services
- Scope Types
system
List services.
identity:create_service
- Default
role:admin and system_scope:all
- Operations
POST
/v3/services
- Scope Types
system
Create service.
identity:update_service
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/services/{service_id}
- Scope Types
system
Update service.
identity:delete_service
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/services/{service_id}
- Scope Types
system
Delete service.
identity:create_service_provider
- Default
role:admin and system_scope:all
- Operations
PUT
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types
system
Create federated service provider.
identity:list_service_providers
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-FEDERATION/service_providers
HEAD
/v3/OS-FEDERATION/service_providers
- Scope Types
system
List federated service providers.
identity:get_service_provider
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-FEDERATION/service_providers/{service_provider_id}
HEAD
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types
system
Get federated service provider.
identity:update_service_provider
- Default
role:admin and system_scope:all
- Operations
PATCH
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types
system
Update federated service provider.
identity:delete_service_provider
- Default
role:admin and system_scope:all
- Operations
DELETE
/v3/OS-FEDERATION/service_providers/{service_provider_id}
- Scope Types
system
Delete federated service provider.
identity:revocation_list
- Default
rule:service_or_admin
- Operations
GET
/v3/auth/tokens/OS-PKI/revoked
- Scope Types
system
project
List revoked PKI tokens.
identity:check_token
- Default
(role:reader and system_scope:all) or rule:token_subject
- Operations
HEAD
/v3/auth/tokens
- Scope Types
system
domain
project
Check a token.
identity:validate_token
- Default
(role:reader and system_scope:all) or rule:service_role or rule:token_subject
- Operations
GET
/v3/auth/tokens
- Scope Types
system
domain
project
Validate a token.
identity:revoke_token
- Default
(role:admin and system_scope:all) or rule:token_subject
- Operations
DELETE
/v3/auth/tokens
- Scope Types
system
domain
project
Revoke a token.
identity:create_trust
- Default
user_id:%(trust.trustor_user_id)s
- Operations
POST
/v3/OS-TRUST/trusts
- Scope Types
project
Create trust.
identity:list_trusts
- Default
role:reader and system_scope:all
- Operations
GET
/v3/OS-TRUST/trusts
HEAD
/v3/OS-TRUST/trusts
- Scope Types
system
List trusts.
identity:list_trusts_for_trustor
- Default
role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s
- Operations
GET
/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
HEAD
/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
- Scope Types
system
project
List trusts for trustor.
identity:list_trusts_for_trustee
- Default
role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s
- Operations
GET
/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
HEAD
/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
- Scope Types
system
project
List trusts for trustee.
identity:list_roles_for_trust
- Default
role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
- Operations
GET
/v3/OS-TRUST/trusts/{trust_id}/roles
HEAD
/v3/OS-TRUST/trusts/{trust_id}/roles
- Scope Types
system
project
List roles delegated by a trust.
identity:get_role_for_trust
- Default
role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
- Operations
GET
/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
HEAD
/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
- Scope Types
system
project
Check if trust delegates a particular role.
identity:delete_trust
- Default
role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s
- Operations
DELETE
/v3/OS-TRUST/trusts/{trust_id}
- Scope Types
system
project
Revoke trust.
identity:get_trust
- Default
role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
- Operations
GET
/v3/OS-TRUST/trusts/{trust_id}
HEAD
/v3/OS-TRUST/trusts/{trust_id}
- Scope Types
system
project
Get trust.
identity:get_user
- Default
(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s
- Operations
GET
/v3/users/{user_id}
HEAD
/v3/users/{user_id}
- Scope Types
system
domain
project
Show user details.
identity:list_users
- Default
(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
- Operations
GET
/v3/users
HEAD
/v3/users
- Scope Types
system
domain
List users.
identity:list_projects_for_user
- Default
<empty string>
- Operations
GET `` /v3/auth/projects``
List all projects a user has access to via role assignments.
identity:list_domains_for_user
- Default
<empty string>
- Operations
GET
/v3/auth/domains
List all domains a user has access to via role assignments.
identity:create_user
- Default
(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)
- Operations
POST
/v3/users
- Scope Types
system
domain
Create a user.
identity:update_user
- Default
(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)
- Operations
PATCH
/v3/users/{user_id}
- Scope Types
system
domain
Update a user, including administrative password resets.
identity:delete_user
- Default
(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)
- Operations
DELETE
/v3/users/{user_id}
- Scope Types
system
domain
Delete a user.