#"admin_required": "role:admin or is_admin:1" #"service_role": "role:service" #"service_or_admin": "rule:admin_required or rule:service_role" #"owner": "user_id:%(user_id)s" #"admin_or_owner": "rule:admin_required or rule:owner" #"token_subject": "user_id:%(target.token.user_id)s" #"admin_or_token_subject": "rule:admin_required or rule:token_subject" #"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject" # Show access rule details. # GET /v3/users/{user_id}/access_rules/{access_rule_id} # HEAD /v3/users/{user_id}/access_rules/{access_rule_id} # Intended scope(s): system, project #"identity:get_access_rule": "(role:reader and system_scope:all) or user_id:%(target.user.id)s" # List access rules for a user. # GET /v3/users/{user_id}/access_rules # HEAD /v3/users/{user_id}/access_rules # Intended scope(s): system, project #"identity:list_access_rules": "(role:reader and system_scope:all) or user_id:%(target.user.id)s" # Delete an access_rule. # DELETE /v3/users/{user_id}/access_rules/{access_rule_id} # Intended scope(s): system, project #"identity:delete_access_rule": "(role:admin and system_scope:all) or user_id:%(target.user.id)s" # Authorize OAUTH1 request token. # PUT /v3/OS-OAUTH1/authorize/{request_token_id} # Intended scope(s): project #"identity:authorize_request_token": "rule:admin_required" # Get OAUTH1 access token for user by access token ID. # GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} # Intended scope(s): project #"identity:get_access_token": "rule:admin_required" # Get role for user OAUTH1 access token. # GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id} # Intended scope(s): project #"identity:get_access_token_role": "rule:admin_required" # List OAUTH1 access tokens for user. # GET /v3/users/{user_id}/OS-OAUTH1/access_tokens # Intended scope(s): project #"identity:list_access_tokens": "rule:admin_required" # List OAUTH1 access token roles. 
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles # Intended scope(s): project #"identity:list_access_token_roles": "rule:admin_required" # Delete OAUTH1 access token. # DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} # Intended scope(s): project #"identity:delete_access_token": "rule:admin_required" # Show application credential details. # GET /v3/users/{user_id}/application_credentials/{application_credential_id} # HEAD /v3/users/{user_id}/application_credentials/{application_credential_id} # Intended scope(s): system, project #"identity:get_application_credential": "(role:reader and system_scope:all) or rule:owner" # DEPRECATED # "identity:get_application_credential":"rule:admin_or_owner" has been # deprecated since T in favor of # "identity:get_application_credential":"(role:reader and # system_scope:all) or rule:owner". # The application credential API is now aware of system scope and # default roles. # List application credentials for a user. # GET /v3/users/{user_id}/application_credentials # HEAD /v3/users/{user_id}/application_credentials # Intended scope(s): system, project #"identity:list_application_credentials": "(role:reader and system_scope:all) or rule:owner" # DEPRECATED # "identity:list_application_credentials":"rule:admin_or_owner" has # been deprecated since T in favor of # "identity:list_application_credentials":"(role:reader and # system_scope:all) or rule:owner". # The application credential API is now aware of system scope and # default roles. # Create an application credential. # POST /v3/users/{user_id}/application_credentials # Intended scope(s): project #"identity:create_application_credential": "user_id:%(user_id)s" # Delete an application credential. 
# DELETE /v3/users/{user_id}/application_credentials/{application_credential_id} # Intended scope(s): system, project #"identity:delete_application_credential": "(role:admin and system_scope:all) or rule:owner" # DEPRECATED # "identity:delete_application_credential":"rule:admin_or_owner" has # been deprecated since T in favor of # "identity:delete_application_credential":"(role:admin and # system_scope:all) or rule:owner". # The application credential API is now aware of system scope and # default roles. # Get service catalog. # GET /v3/auth/catalog # HEAD /v3/auth/catalog #"identity:get_auth_catalog": "" # List all projects a user has access to via role assignments. # GET /v3/auth/projects # HEAD /v3/auth/projects #"identity:get_auth_projects": "" # List all domains a user has access to via role assignments. # GET /v3/auth/domains # HEAD /v3/auth/domains #"identity:get_auth_domains": "" # List systems a user has access to via role assignments. # GET /v3/auth/system # HEAD /v3/auth/system #"identity:get_auth_system": "" # Show OAUTH1 consumer details. # GET /v3/OS-OAUTH1/consumers/{consumer_id} # Intended scope(s): system, project #"identity:get_consumer": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_consumer":"rule:admin_required" has been deprecated # since T in favor of "identity:get_consumer":"rule:admin_required or # (role:reader and system_scope:all)". # The OAUTH1 consumer API is now aware of system scope and default # roles. # List OAUTH1 consumers. # GET /v3/OS-OAUTH1/consumers # Intended scope(s): system, project #"identity:list_consumers": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_consumers":"rule:admin_required" has been deprecated # since T in favor of "identity:list_consumers":"rule:admin_required # or (role:reader and system_scope:all)". # The OAUTH1 consumer API is now aware of system scope and default # roles. # Create OAUTH1 consumer. 
# POST /v3/OS-OAUTH1/consumers # Intended scope(s): system, project #"identity:create_consumer": "rule:admin_required" # DEPRECATED # "identity:create_consumer":"rule:admin_required" has been deprecated # since T in favor of # "identity:create_consumer":"rule:admin_required". # The OAUTH1 consumer API is now aware of system scope and default # roles. # Update OAUTH1 consumer. # PATCH /v3/OS-OAUTH1/consumers/{consumer_id} # Intended scope(s): system, project #"identity:update_consumer": "rule:admin_required" # DEPRECATED # "identity:update_consumer":"rule:admin_required" has been deprecated # since T in favor of # "identity:update_consumer":"rule:admin_required". # The OAUTH1 consumer API is now aware of system scope and default # roles. # Delete OAUTH1 consumer. # DELETE /v3/OS-OAUTH1/consumers/{consumer_id} # Intended scope(s): system, project #"identity:delete_consumer": "rule:admin_required" # DEPRECATED # "identity:delete_consumer":"rule:admin_required" has been deprecated # since T in favor of # "identity:delete_consumer":"rule:admin_required". # The OAUTH1 consumer API is now aware of system scope and default # roles. # Show credentials details. # GET /v3/credentials/{credential_id} # Intended scope(s): system, project #"identity:get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" # DEPRECATED # "identity:get_credential":"rule:admin_required" has been deprecated # since S in favor of "identity:get_credential":"(role:reader and # system_scope:all) or user_id:%(target.credential.user_id)s". # The credential API is now aware of system scope and default roles. # List credentials. 
# GET /v3/credentials # Intended scope(s): system, project #"identity:list_credentials": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" # DEPRECATED # "identity:list_credentials":"rule:admin_required" has been # deprecated since S in favor of # "identity:list_credentials":"(role:reader and system_scope:all) or # user_id:%(target.credential.user_id)s". # The credential API is now aware of system scope and default roles. # Create credential. # POST /v3/credentials # Intended scope(s): system, project #"identity:create_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" # DEPRECATED # "identity:create_credential":"rule:admin_required" has been # deprecated since S in favor of # "identity:create_credential":"(role:admin and system_scope:all) or # user_id:%(target.credential.user_id)s". # The credential API is now aware of system scope and default roles. # Update credential. # PATCH /v3/credentials/{credential_id} # Intended scope(s): system, project #"identity:update_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" # DEPRECATED # "identity:update_credential":"rule:admin_required" has been # deprecated since S in favor of # "identity:update_credential":"(role:admin and system_scope:all) or # user_id:%(target.credential.user_id)s". # The credential API is now aware of system scope and default roles. # Delete credential. # DELETE /v3/credentials/{credential_id} # Intended scope(s): system, project #"identity:delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" # DEPRECATED # "identity:delete_credential":"rule:admin_required" has been # deprecated since S in favor of # "identity:delete_credential":"(role:admin and system_scope:all) or # user_id:%(target.credential.user_id)s". # The credential API is now aware of system scope and default roles. # Show domain details. 
# GET /v3/domains/{domain_id} # Intended scope(s): system, domain, project #"identity:get_domain": "rule:admin_required or (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s" # DEPRECATED # "identity:get_domain":"rule:admin_required or # token.project.domain.id:%(target.domain.id)s" has been deprecated # since S in favor of "identity:get_domain":"rule:admin_required or # (role:reader and system_scope:all) or # token.domain.id:%(target.domain.id)s or # token.project.domain.id:%(target.domain.id)s". # The domain API is now aware of system scope and default roles. # List domains. # GET /v3/domains # Intended scope(s): system, domain, project #"identity:list_domains": "rule:admin_required or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain.id)s)" # DEPRECATED # "identity:list_domains":"rule:admin_required" has been deprecated # since S in favor of "identity:list_domains":"rule:admin_required or # (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.domain.id)s)". # The domain API is now aware of system scope and default roles. # Create domain. # POST /v3/domains # Intended scope(s): system, project #"identity:create_domain": "rule:admin_required" # DEPRECATED # "identity:create_domain":"rule:admin_required" has been deprecated # since S in favor of "identity:create_domain":"rule:admin_required". # The domain API is now aware of system scope and default roles. # Update domain. # PATCH /v3/domains/{domain_id} # Intended scope(s): system, project #"identity:update_domain": "rule:admin_required" # DEPRECATED # "identity:update_domain":"rule:admin_required" has been deprecated # since S in favor of "identity:update_domain":"rule:admin_required". # The domain API is now aware of system scope and default roles. # Delete domain. 
# DELETE /v3/domains/{domain_id} # Intended scope(s): system, project #"identity:delete_domain": "rule:admin_required" # DEPRECATED # "identity:delete_domain":"rule:admin_required" has been deprecated # since S in favor of "identity:delete_domain":"rule:admin_required". # The domain API is now aware of system scope and default roles. # Create domain configuration. # PUT /v3/domains/{domain_id}/config # Intended scope(s): system, project #"identity:create_domain_config": "rule:admin_required" # DEPRECATED # "identity:create_domain_config":"rule:admin_required" has been # deprecated since T in favor of # "identity:create_domain_config":"rule:admin_required". # The domain config API is now aware of system scope and default # roles. # Get the entire domain configuration for a domain, an option group # within a domain, or a specific configuration option within a group # for a domain. # GET /v3/domains/{domain_id}/config # HEAD /v3/domains/{domain_id}/config # GET /v3/domains/{domain_id}/config/{group} # HEAD /v3/domains/{domain_id}/config/{group} # GET /v3/domains/{domain_id}/config/{group}/{option} # HEAD /v3/domains/{domain_id}/config/{group}/{option} # Intended scope(s): system, project #"identity:get_domain_config": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_domain_config":"rule:admin_required" has been # deprecated since T in favor of # "identity:get_domain_config":"rule:admin_required or (role:reader # and system_scope:all)". # The domain config API is now aware of system scope and default # roles. # Get security compliance domain configuration for either a domain or # a specific option in a domain. 
# GET /v3/domains/{domain_id}/config/security_compliance # HEAD /v3/domains/{domain_id}/config/security_compliance # GET /v3/domains/{domain_id}/config/security_compliance/{option} # HEAD /v3/domains/{domain_id}/config/security_compliance/{option} # Intended scope(s): system, domain, project #"identity:get_security_compliance_domain_config": "" # Update domain configuration for either a domain, specific group or a # specific option in a group. # PATCH /v3/domains/{domain_id}/config # PATCH /v3/domains/{domain_id}/config/{group} # PATCH /v3/domains/{domain_id}/config/{group}/{option} # Intended scope(s): system, project #"identity:update_domain_config": "rule:admin_required" # DEPRECATED # "identity:update_domain_config":"rule:admin_required" has been # deprecated since T in favor of # "identity:update_domain_config":"rule:admin_required". # The domain config API is now aware of system scope and default # roles. # Delete domain configuration for either a domain, specific group or a # specific option in a group. # DELETE /v3/domains/{domain_id}/config # DELETE /v3/domains/{domain_id}/config/{group} # DELETE /v3/domains/{domain_id}/config/{group}/{option} # Intended scope(s): system, project #"identity:delete_domain_config": "rule:admin_required" # DEPRECATED # "identity:delete_domain_config":"rule:admin_required" has been # deprecated since T in favor of # "identity:delete_domain_config":"rule:admin_required". # The domain config API is now aware of system scope and default # roles. # Get domain configuration default for either a domain, specific group # or a specific option in a group. 
# GET /v3/domains/config/default # HEAD /v3/domains/config/default # GET /v3/domains/config/{group}/default # HEAD /v3/domains/config/{group}/default # GET /v3/domains/config/{group}/{option}/default # HEAD /v3/domains/config/{group}/{option}/default # Intended scope(s): system, project #"identity:get_domain_config_default": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_domain_config_default":"rule:admin_required" has been # deprecated since T in favor of # "identity:get_domain_config_default":"rule:admin_required or # (role:reader and system_scope:all)". # The domain config API is now aware of system scope and default # roles. # Show ec2 credential details. # GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id} # Intended scope(s): system, project #"identity:ec2_get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" # DEPRECATED # "identity:ec2_get_credential":"rule:admin_required or (rule:owner # and user_id:%(target.credential.user_id)s)" has been deprecated # since T in favor of "identity:ec2_get_credential":"(role:reader and # system_scope:all) or user_id:%(target.credential.user_id)s". # The EC2 credential API is now aware of system scope and default # roles. # List ec2 credentials. # GET /v3/users/{user_id}/credentials/OS-EC2 # Intended scope(s): system, project #"identity:ec2_list_credentials": "(role:reader and system_scope:all) or rule:owner" # DEPRECATED # "identity:ec2_list_credentials":"rule:admin_or_owner" has been # deprecated since T in favor of # "identity:ec2_list_credentials":"(role:reader and system_scope:all) # or rule:owner". # The EC2 credential API is now aware of system scope and default # roles. # Create ec2 credential. 
# POST /v3/users/{user_id}/credentials/OS-EC2 # Intended scope(s): system, project #"identity:ec2_create_credential": "(role:admin and system_scope:all) or rule:owner" # DEPRECATED # "identity:ec2_create_credential":"rule:admin_or_owner" has been # deprecated since T in favor of # "identity:ec2_create_credential":"(role:admin and system_scope:all) # or rule:owner". # The EC2 credential API is now aware of system scope and default # roles. # Delete ec2 credential. # DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id} # Intended scope(s): system, project #"identity:ec2_delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" # DEPRECATED # "identity:ec2_delete_credential":"rule:admin_required or (rule:owner # and user_id:%(target.credential.user_id)s)" has been deprecated # since T in favor of "identity:ec2_delete_credential":"(role:admin # and system_scope:all) or user_id:%(target.credential.user_id)s". # The EC2 credential API is now aware of system scope and default # roles. # Show endpoint details. # GET /v3/endpoints/{endpoint_id} # Intended scope(s): system, project #"identity:get_endpoint": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_endpoint":"rule:admin_required" has been deprecated # since S in favor of "identity:get_endpoint":"rule:admin_required or # (role:reader and system_scope:all)". # The endpoint API is now aware of system scope and default roles. # List endpoints. # GET /v3/endpoints # Intended scope(s): system, project #"identity:list_endpoints": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_endpoints":"rule:admin_required" has been deprecated # since S in favor of "identity:list_endpoints":"rule:admin_required # or (role:reader and system_scope:all)". # The endpoint API is now aware of system scope and default roles. # Create endpoint. 
# POST /v3/endpoints # Intended scope(s): system, project #"identity:create_endpoint": "rule:admin_required" # DEPRECATED # "identity:create_endpoint":"rule:admin_required" has been deprecated # since S in favor of # "identity:create_endpoint":"rule:admin_required". # The endpoint API is now aware of system scope and default roles. # Update endpoint. # PATCH /v3/endpoints/{endpoint_id} # Intended scope(s): system, project #"identity:update_endpoint": "rule:admin_required" # DEPRECATED # "identity:update_endpoint":"rule:admin_required" has been deprecated # since S in favor of # "identity:update_endpoint":"rule:admin_required". # The endpoint API is now aware of system scope and default roles. # Delete endpoint. # DELETE /v3/endpoints/{endpoint_id} # Intended scope(s): system, project #"identity:delete_endpoint": "rule:admin_required" # DEPRECATED # "identity:delete_endpoint":"rule:admin_required" has been deprecated # since S in favor of # "identity:delete_endpoint":"rule:admin_required". # The endpoint API is now aware of system scope and default roles. # Create endpoint group. # POST /v3/OS-EP-FILTER/endpoint_groups # Intended scope(s): system, project #"identity:create_endpoint_group": "rule:admin_required" # DEPRECATED # "identity:create_endpoint_group":"rule:admin_required" has been # deprecated since T in favor of # "identity:create_endpoint_group":"rule:admin_required". # The endpoint groups API is now aware of system scope and default # roles. # List endpoint groups. # GET /v3/OS-EP-FILTER/endpoint_groups # Intended scope(s): system, project #"identity:list_endpoint_groups": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_endpoint_groups":"rule:admin_required" has been # deprecated since T in favor of # "identity:list_endpoint_groups":"rule:admin_required or (role:reader # and system_scope:all)". # The endpoint groups API is now aware of system scope and default # roles. # Get endpoint group. 
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system, project
#"identity:get_endpoint_group": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_endpoint_group":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:get_endpoint_group":"rule:admin_required or (role:reader
# and system_scope:all)".
# The endpoint groups API is now aware of system scope and default
# roles.

# Update endpoint group.
# PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system, project
#"identity:update_endpoint_group": "rule:admin_required"

# DEPRECATED
# "identity:update_endpoint_group":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:update_endpoint_group":"rule:admin_required".
# The endpoint groups API is now aware of system scope and default
# roles.

# Delete endpoint group.
# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system, project
#"identity:delete_endpoint_group": "rule:admin_required"

# DEPRECATED
# "identity:delete_endpoint_group":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_endpoint_group":"rule:admin_required".
# The endpoint groups API is now aware of system scope and default
# roles.

# List all projects associated with a specific endpoint group.
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
# Intended scope(s): system, project
#"identity:list_projects_associated_with_endpoint_group": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_projects_associated_with_endpoint_group":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:list_projects_associated_with_endpoint_group":"rule:admin_required
# or (role:reader and system_scope:all)".
# The endpoint groups API is now aware of system scope and default
# roles.

# List all endpoints associated with an endpoint group.
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
# Intended scope(s): system, project
#"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_endpoints_associated_with_endpoint_group":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:list_endpoints_associated_with_endpoint_group":"rule:admin_required
# or (role:reader and system_scope:all)".
# The endpoint groups API is now aware of system scope and default
# roles.

# Check if an endpoint group is associated with a project.
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system, project
#"identity:get_endpoint_group_in_project": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_endpoint_group_in_project":"rule:admin_required" has
# been deprecated since T in favor of
# "identity:get_endpoint_group_in_project":"rule:admin_required or
# (role:reader and system_scope:all)".
# The endpoint groups API is now aware of system scope and default
# roles.

# List endpoint groups associated with a specific project.
# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
# Intended scope(s): system, project
#"identity:list_endpoint_groups_for_project": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_endpoint_groups_for_project":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:list_endpoint_groups_for_project":"rule:admin_required or
# (role:reader and system_scope:all)".
# The endpoint groups API is now aware of system scope and default
# roles.

# Allow a project to access an endpoint group.
# PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} # Intended scope(s): system, project #"identity:add_endpoint_group_to_project": "rule:admin_required" # DEPRECATED # "identity:add_endpoint_group_to_project":"rule:admin_required" has # been deprecated since T in favor of # "identity:add_endpoint_group_to_project":"rule:admin_required". # The endpoint groups API is now aware of system scope and default # roles. # Remove endpoint group from project. # DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} # Intended scope(s): system, project #"identity:remove_endpoint_group_from_project": "rule:admin_required" # DEPRECATED # "identity:remove_endpoint_group_from_project":"rule:admin_required" # has been deprecated since T in favor of # "identity:remove_endpoint_group_from_project":"rule:admin_required". # The endpoint groups API is now aware of system scope and default # roles. # Check a role grant between a target and an actor. A target can be # either a domain or a project. An actor can be either a user or a # group. These terms also apply to the OS-INHERIT APIs, where grants # on the target are inherited to all projects in the subtree, if # applicable. 
# HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id} # GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id} # HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} # GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} # HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} # GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} # HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} # GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} # HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects # GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects # HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects # GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects # HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects # GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects # HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects # GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects # Intended scope(s): system, domain, project #"identity:check_grant": "(rule:admin_required) or ((role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s))" # DEPRECATED # "identity:check_grant":"rule:admin_required" has been deprecated # since S in favor of 
# "identity:check_grant":"(rule:admin_required) or
# ((role:reader and system_scope:all) or ((role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s)) and
# (domain_id:%(target.role.domain_id)s or
# None:%(target.role.domain_id)s))".
# The assignment API is now aware of system scope and default roles.

# List roles granted to an actor on a target. A target can be either a
# domain or a project. An actor can be either a user or a group. For
# the OS-INHERIT APIs, it is possible to list inherited role grants
# for actors on domains, where grants are inherited to all projects in
# the specified domain.
# GET /v3/projects/{project_id}/users/{user_id}/roles
# HEAD /v3/projects/{project_id}/users/{user_id}/roles
# GET /v3/projects/{project_id}/groups/{group_id}/roles
# HEAD /v3/projects/{project_id}/groups/{group_id}/roles
# GET /v3/domains/{domain_id}/users/{user_id}/roles
# HEAD /v3/domains/{domain_id}/users/{user_id}/roles
# GET /v3/domains/{domain_id}/groups/{group_id}/roles
# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles
# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
# Intended scope(s): system, domain, project
#"identity:list_grants": "(rule:admin_required) or ((role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))"

# DEPRECATED
# "identity:list_grants":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_grants":"(rule:admin_required) or
# ((role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s))".
# The assignment API is now aware of system scope and default roles.

# Create a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable.
# PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id} # PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} # PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} # PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} # PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects # PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects # PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects # PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects # Intended scope(s): system, domain, project #"identity:create_grant": "(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" # DEPRECATED # "identity:create_grant":"rule:admin_required" has been deprecated # since S in favor of "identity:create_grant":"(rule:admin_required) # or ((role:admin and domain_id:%(target.user.domain_id)s and # domain_id:%(target.project.domain_id)s) or (role:admin and # domain_id:%(target.user.domain_id)s and # domain_id:%(target.domain.id)s) or (role:admin and # domain_id:%(target.group.domain_id)s and # domain_id:%(target.project.domain_id)s) or (role:admin and # domain_id:%(target.group.domain_id)s and # domain_id:%(target.domain.id)s)) and # (domain_id:%(target.role.domain_id)s or # None:%(target.role.domain_id)s)". # The assignment API is now aware of system scope and default roles. # Revoke a role grant between a target and an actor. 
A target can be # either a domain or a project. An actor can be either a user or a # group. These terms also apply to the OS-INHERIT APIs, where grants # on the target are inherited to all projects in the subtree, if # applicable. In that case, revoking the role grant in the target # would remove the logical effect of inheriting it to the target's # projects subtree. # DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id} # DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} # DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} # DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} # DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects # DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects # DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects # DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects # Intended scope(s): system, domain, project #"identity:revoke_grant": "(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" # DEPRECATED # "identity:revoke_grant":"rule:admin_required" has been deprecated # since S in favor of "identity:revoke_grant":"(rule:admin_required) # or ((role:admin and domain_id:%(target.user.domain_id)s and # domain_id:%(target.project.domain_id)s) or (role:admin and # domain_id:%(target.user.domain_id)s and # domain_id:%(target.domain.id)s) or (role:admin and # domain_id:%(target.group.domain_id)s 
and # domain_id:%(target.project.domain_id)s) or (role:admin and # domain_id:%(target.group.domain_id)s and # domain_id:%(target.domain.id)s)) and # (domain_id:%(target.role.domain_id)s or # None:%(target.role.domain_id)s)". # The assignment API is now aware of system scope and default roles. # List all grants a specific user has on the system. # ['HEAD', 'GET'] /v3/system/users/{user_id}/roles # Intended scope(s): system, project #"identity:list_system_grants_for_user": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_system_grants_for_user":"rule:admin_required" has # been deprecated since S in favor of # "identity:list_system_grants_for_user":"rule:admin_required or # (role:reader and system_scope:all)". # The assignment API is now aware of system scope and default roles. # Check if a user has a role on the system. # ['HEAD', 'GET'] /v3/system/users/{user_id}/roles/{role_id} # Intended scope(s): system, project #"identity:check_system_grant_for_user": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:check_system_grant_for_user":"rule:admin_required" has # been deprecated since S in favor of # "identity:check_system_grant_for_user":"rule:admin_required or # (role:reader and system_scope:all)". # The assignment API is now aware of system scope and default roles. # Grant a user a role on the system. # ['PUT'] /v3/system/users/{user_id}/roles/{role_id} # Intended scope(s): system, project #"identity:create_system_grant_for_user": "rule:admin_required" # DEPRECATED # "identity:create_system_grant_for_user":"rule:admin_required" has # been deprecated since S in favor of # "identity:create_system_grant_for_user":"rule:admin_required". # The assignment API is now aware of system scope and default roles. # Remove a role from a user on the system. 
# ['DELETE'] /v3/system/users/{user_id}/roles/{role_id} # Intended scope(s): system, project #"identity:revoke_system_grant_for_user": "rule:admin_required" # DEPRECATED # "identity:revoke_system_grant_for_user":"rule:admin_required" has # been deprecated since S in favor of # "identity:revoke_system_grant_for_user":"rule:admin_required". # The assignment API is now aware of system scope and default roles. # List all grants a specific group has on the system. # ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles # Intended scope(s): system, project #"identity:list_system_grants_for_group": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_system_grants_for_group":"rule:admin_required" has # been deprecated since S in favor of # "identity:list_system_grants_for_group":"rule:admin_required or # (role:reader and system_scope:all)". # The assignment API is now aware of system scope and default roles. # Check if a group has a role on the system. # ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles/{role_id} # Intended scope(s): system, project #"identity:check_system_grant_for_group": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:check_system_grant_for_group":"rule:admin_required" has # been deprecated since S in favor of # "identity:check_system_grant_for_group":"rule:admin_required or # (role:reader and system_scope:all)". # The assignment API is now aware of system scope and default roles. # Grant a group a role on the system. # ['PUT'] /v3/system/groups/{group_id}/roles/{role_id} # Intended scope(s): system, project #"identity:create_system_grant_for_group": "rule:admin_required" # DEPRECATED # "identity:create_system_grant_for_group":"rule:admin_required" has # been deprecated since S in favor of # "identity:create_system_grant_for_group":"rule:admin_required". # The assignment API is now aware of system scope and default roles. # Remove a role from a group on the system. 
# ['DELETE'] /v3/system/groups/{group_id}/roles/{role_id} # Intended scope(s): system, project #"identity:revoke_system_grant_for_group": "rule:admin_required" # DEPRECATED # "identity:revoke_system_grant_for_group":"rule:admin_required" has # been deprecated since S in favor of # "identity:revoke_system_grant_for_group":"rule:admin_required". # The assignment API is now aware of system scope and default roles. # Show group details. # GET /v3/groups/{group_id} # HEAD /v3/groups/{group_id} # Intended scope(s): system, domain, project #"identity:get_group": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" # DEPRECATED # "identity:get_group":"rule:admin_required" has been deprecated since # S in favor of "identity:get_group":"(rule:admin_required) or # (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.group.domain_id)s)". # The group API is now aware of system scope and default roles. # List groups. # GET /v3/groups # HEAD /v3/groups # Intended scope(s): system, domain, project #"identity:list_groups": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" # DEPRECATED # "identity:list_groups":"rule:admin_required" has been deprecated # since S in favor of "identity:list_groups":"(rule:admin_required) or # (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.group.domain_id)s)". # The group API is now aware of system scope and default roles. # List groups to which a user belongs. 
# GET /v3/users/{user_id}/groups # HEAD /v3/users/{user_id}/groups # Intended scope(s): system, domain, project #"identity:list_groups_for_user": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s" # DEPRECATED # "identity:list_groups_for_user":"rule:admin_or_owner" has been # deprecated since S in favor of # "identity:list_groups_for_user":"(rule:admin_required) or # (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s". # The group API is now aware of system scope and default roles. # Create group. # POST /v3/groups # Intended scope(s): system, domain, project #"identity:create_group": "rule:admin_required" # DEPRECATED # "identity:create_group":"rule:admin_required" has been deprecated # since S in favor of "identity:create_group":"rule:admin_required". # The group API is now aware of system scope and default roles. # Update group. # PATCH /v3/groups/{group_id} # Intended scope(s): system, domain, project #"identity:update_group": "rule:admin_required" # DEPRECATED # "identity:update_group":"rule:admin_required" has been deprecated # since S in favor of "identity:update_group":"rule:admin_required". # The group API is now aware of system scope and default roles. # Delete group. # DELETE /v3/groups/{group_id} # Intended scope(s): system, domain, project #"identity:delete_group": "rule:admin_required" # DEPRECATED # "identity:delete_group":"rule:admin_required" has been deprecated # since S in favor of "identity:delete_group":"rule:admin_required". # The group API is now aware of system scope and default roles. # List members of a specific group. 
# GET /v3/groups/{group_id}/users # HEAD /v3/groups/{group_id}/users # Intended scope(s): system, domain, project #"identity:list_users_in_group": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" # DEPRECATED # "identity:list_users_in_group":"rule:admin_required" has been # deprecated since S in favor of # "identity:list_users_in_group":"(rule:admin_required) or # (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.group.domain_id)s)". # The group API is now aware of system scope and default roles. # Remove user from group. # DELETE /v3/groups/{group_id}/users/{user_id} # Intended scope(s): system, domain, project #"identity:remove_user_from_group": "rule:admin_required" # DEPRECATED # "identity:remove_user_from_group":"rule:admin_required" has been # deprecated since S in favor of # "identity:remove_user_from_group":"rule:admin_required". # The group API is now aware of system scope and default roles. # Check whether a user is a member of a group. # HEAD /v3/groups/{group_id}/users/{user_id} # GET /v3/groups/{group_id}/users/{user_id} # Intended scope(s): system, domain, project #"identity:check_user_in_group": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" # DEPRECATED # "identity:check_user_in_group":"rule:admin_required" has been # deprecated since S in favor of # "identity:check_user_in_group":"(rule:admin_required) or # (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.group.domain_id)s and # domain_id:%(target.user.domain_id)s)". # The group API is now aware of system scope and default roles. # Add user to group. 
# PUT /v3/groups/{group_id}/users/{user_id} # Intended scope(s): system, domain, project #"identity:add_user_to_group": "rule:admin_required" # DEPRECATED # "identity:add_user_to_group":"rule:admin_required" has been # deprecated since S in favor of # "identity:add_user_to_group":"rule:admin_required". # The group API is now aware of system scope and default roles. # Create identity provider. # PUT /v3/OS-FEDERATION/identity_providers/{idp_id} # Intended scope(s): system, project #"identity:create_identity_provider": "rule:admin_required" # DEPRECATED # "identity:create_identity_provider":"rule:admin_required" has been # deprecated since S in favor of # "identity:create_identity_provider":"rule:admin_required". # The identity provider API is now aware of system scope and default # roles. # List identity providers. # GET /v3/OS-FEDERATION/identity_providers # HEAD /v3/OS-FEDERATION/identity_providers # Intended scope(s): system, project #"identity:list_identity_providers": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_identity_providers":"rule:admin_required" has been # deprecated since S in favor of # "identity:list_identity_providers":"rule:admin_required or # (role:reader and system_scope:all)". # The identity provider API is now aware of system scope and default # roles. # Get identity provider. # GET /v3/OS-FEDERATION/identity_providers/{idp_id} # HEAD /v3/OS-FEDERATION/identity_providers/{idp_id} # Intended scope(s): system, project #"identity:get_identity_provider": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_identity_provider":"rule:admin_required" has been # deprecated since S in favor of # "identity:get_identity_provider":"rule:admin_required or # (role:reader and system_scope:all)". # The identity provider API is now aware of system scope and default # roles. # Update identity provider. 
# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id} # Intended scope(s): system, project #"identity:update_identity_provider": "rule:admin_required" # DEPRECATED # "identity:update_identity_provider":"rule:admin_required" has been # deprecated since S in favor of # "identity:update_identity_provider":"rule:admin_required". # The identity provider API is now aware of system scope and default # roles. # Delete identity provider. # DELETE /v3/OS-FEDERATION/identity_providers/{idp_id} # Intended scope(s): system, project #"identity:delete_identity_provider": "rule:admin_required" # DEPRECATED # "identity:delete_identity_provider":"rule:admin_required" has been # deprecated since S in favor of # "identity:delete_identity_provider":"rule:admin_required". # The identity provider API is now aware of system scope and default # roles. # Get information about an association between two roles. When a # relationship exists between a prior role and an implied role and the # prior role is assigned to a user, the user also assumes the implied # role. # GET /v3/roles/{prior_role_id}/implies/{implied_role_id} # Intended scope(s): system, project #"identity:get_implied_role": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_implied_role":"rule:admin_required" has been # deprecated since T in favor of # "identity:get_implied_role":"rule:admin_required or (role:reader and # system_scope:all)". # The implied role API is now aware of system scope and default roles. # List associations between two roles. When a relationship exists # between a prior role and an implied role and the prior role is # assigned to a user, the user also assumes the implied role. This # will return all the implied roles that would be assumed by the user # who gets the specified prior role. 
# GET /v3/roles/{prior_role_id}/implies # HEAD /v3/roles/{prior_role_id}/implies # Intended scope(s): system, project #"identity:list_implied_roles": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_implied_roles":"rule:admin_required" has been # deprecated since T in favor of # "identity:list_implied_roles":"rule:admin_required or (role:reader # and system_scope:all)". # The implied role API is now aware of system scope and default roles. # Create an association between two roles. When a relationship exists # between a prior role and an implied role and the prior role is # assigned to a user, the user also assumes the implied role. # PUT /v3/roles/{prior_role_id}/implies/{implied_role_id} # Intended scope(s): system, project #"identity:create_implied_role": "rule:admin_required" # DEPRECATED # "identity:create_implied_role":"rule:admin_required" has been # deprecated since T in favor of # "identity:create_implied_role":"rule:admin_required". # The implied role API is now aware of system scope and default roles. # Delete the association between two roles. When a relationship exists # between a prior role and an implied role and the prior role is # assigned to a user, the user also assumes the implied role. Removing # the association will cause that effect to be eliminated. # DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id} # Intended scope(s): system, project #"identity:delete_implied_role": "rule:admin_required" # DEPRECATED # "identity:delete_implied_role":"rule:admin_required" has been # deprecated since T in favor of # "identity:delete_implied_role":"rule:admin_required". # The implied role API is now aware of system scope and default roles. # List all associations between two roles in the system. When a # relationship exists between a prior role and an implied role and the # prior role is assigned to a user, the user also assumes the implied # role. 
# GET /v3/role_inferences # HEAD /v3/role_inferences # Intended scope(s): system, project #"identity:list_role_inference_rules": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_role_inference_rules":"rule:admin_required" has been # deprecated since T in favor of # "identity:list_role_inference_rules":"rule:admin_required or # (role:reader and system_scope:all)". # The implied role API is now aware of system scope and default roles. # Check an association between two roles. When a relationship exists # between a prior role and an implied role and the prior role is # assigned to a user, the user also assumes the implied role. # HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id} # Intended scope(s): system, project #"identity:check_implied_role": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:check_implied_role":"rule:admin_required" has been # deprecated since T in favor of # "identity:check_implied_role":"rule:admin_required or (role:reader # and system_scope:all)". # The implied role API is now aware of system scope and default roles. # Get limit enforcement model. # GET /v3/limits/model # HEAD /v3/limits/model # Intended scope(s): system, domain, project #"identity:get_limit_model": "" # Show limit details. # GET /v3/limits/{limit_id} # HEAD /v3/limits/{limit_id} # Intended scope(s): system, domain, project #"identity:get_limit": "rule:admin_required or (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)" # List limits. # GET /v3/limits # HEAD /v3/limits # Intended scope(s): system, domain, project #"identity:list_limits": "" # Create limits. # POST /v3/limits # Intended scope(s): system, project #"identity:create_limits": "rule:admin_required" # Update limit. 
# PATCH /v3/limits/{limit_id} # Intended scope(s): system, project #"identity:update_limit": "rule:admin_required" # Delete limit. # DELETE /v3/limits/{limit_id} # Intended scope(s): system, project #"identity:delete_limit": "rule:admin_required" # Create a new federated mapping containing one or more sets of rules. # PUT /v3/OS-FEDERATION/mappings/{mapping_id} # Intended scope(s): system, project #"identity:create_mapping": "rule:admin_required" # DEPRECATED # "identity:create_mapping":"rule:admin_required" has been deprecated # since S in favor of "identity:create_mapping":"rule:admin_required". # The federated mapping API is now aware of system scope and default # roles. # Get a federated mapping. # GET /v3/OS-FEDERATION/mappings/{mapping_id} # HEAD /v3/OS-FEDERATION/mappings/{mapping_id} # Intended scope(s): system, project #"identity:get_mapping": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_mapping":"rule:admin_required" has been deprecated # since S in favor of "identity:get_mapping":"rule:admin_required or # (role:reader and system_scope:all)". # The federated mapping API is now aware of system scope and default # roles. # List federated mappings. # GET /v3/OS-FEDERATION/mappings # HEAD /v3/OS-FEDERATION/mappings # Intended scope(s): system, project #"identity:list_mappings": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_mappings":"rule:admin_required" has been deprecated # since S in favor of "identity:list_mappings":"rule:admin_required or # (role:reader and system_scope:all)". # The federated mapping API is now aware of system scope and default # roles. # Delete a federated mapping. # DELETE /v3/OS-FEDERATION/mappings/{mapping_id} # Intended scope(s): system, project #"identity:delete_mapping": "rule:admin_required" # DEPRECATED # "identity:delete_mapping":"rule:admin_required" has been deprecated # since S in favor of "identity:delete_mapping":"rule:admin_required". 
# The federated mapping API is now aware of system scope and default # roles. # Update a federated mapping. # PATCH /v3/OS-FEDERATION/mappings/{mapping_id} # Intended scope(s): system, project #"identity:update_mapping": "rule:admin_required" # DEPRECATED # "identity:update_mapping":"rule:admin_required" has been deprecated # since S in favor of "identity:update_mapping":"rule:admin_required". # The federated mapping API is now aware of system scope and default # roles. # Show policy details. # GET /v3/policies/{policy_id} # Intended scope(s): system, project #"identity:get_policy": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_policy":"rule:admin_required" has been deprecated # since T in favor of "identity:get_policy":"rule:admin_required or # (role:reader and system_scope:all)". # The policy API is now aware of system scope and default roles. # List policies. # GET /v3/policies # Intended scope(s): system, project #"identity:list_policies": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_policies":"rule:admin_required" has been deprecated # since T in favor of "identity:list_policies":"rule:admin_required or # (role:reader and system_scope:all)". # The policy API is now aware of system scope and default roles. # Create policy. # POST /v3/policies # Intended scope(s): system, project #"identity:create_policy": "rule:admin_required" # DEPRECATED # "identity:create_policy":"rule:admin_required" has been deprecated # since T in favor of "identity:create_policy":"rule:admin_required". # The policy API is now aware of system scope and default roles. # Update policy. # PATCH /v3/policies/{policy_id} # Intended scope(s): system, project #"identity:update_policy": "rule:admin_required" # DEPRECATED # "identity:update_policy":"rule:admin_required" has been deprecated # since T in favor of "identity:update_policy":"rule:admin_required". 
# The policy API is now aware of system scope and default roles. # Delete policy. # DELETE /v3/policies/{policy_id} # Intended scope(s): system, project #"identity:delete_policy": "rule:admin_required" # DEPRECATED # "identity:delete_policy":"rule:admin_required" has been deprecated # since T in favor of "identity:delete_policy":"rule:admin_required". # The policy API is now aware of system scope and default roles. # Associate a policy to a specific endpoint. # PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} # Intended scope(s): system, project #"identity:create_policy_association_for_endpoint": "rule:admin_required" # DEPRECATED # "identity:create_policy_association_for_endpoint":"rule:admin_required" has been deprecated since T in favor of "identity:create_policy_association_for_endpoint":"rule:admin_required". # The policy association API is now aware of system scope and default # roles. # Check policy association for endpoint. # GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} # HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} # Intended scope(s): system, project #"identity:check_policy_association_for_endpoint": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:check_policy_association_for_endpoint":"rule:admin_required" has been deprecated since T in favor of "identity:check_policy_association_for_endpoint":"rule:admin_required or (role:reader and # system_scope:all)". # The policy association API is now aware of system scope and default # roles. # Delete policy association for endpoint. 
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} # Intended scope(s): system, project #"identity:delete_policy_association_for_endpoint": "rule:admin_required" # DEPRECATED # "identity:delete_policy_association_for_endpoint":"rule:admin_required" has been deprecated since T in favor of "identity:delete_policy_association_for_endpoint":"rule:admin_required". # The policy association API is now aware of system scope and default # roles. # Associate a policy to a specific service. # PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} # Intended scope(s): system, project #"identity:create_policy_association_for_service": "rule:admin_required" # DEPRECATED # "identity:create_policy_association_for_service":"rule:admin_required" has been deprecated since T in favor of "identity:create_policy_association_for_service":"rule:admin_required". # The policy association API is now aware of system scope and default # roles. # Check policy association for service. # GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} # HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} # Intended scope(s): system, project #"identity:check_policy_association_for_service": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:check_policy_association_for_service":"rule:admin_required" has been deprecated since T in favor of # "identity:check_policy_association_for_service":"rule:admin_required # or (role:reader and system_scope:all)". # The policy association API is now aware of system scope and default # roles. # Delete policy association for service. 
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} # Intended scope(s): system, project #"identity:delete_policy_association_for_service": "rule:admin_required" # DEPRECATED # "identity:delete_policy_association_for_service":"rule:admin_required" has been deprecated since T in favor of "identity:delete_policy_association_for_service":"rule:admin_required". # The policy association API is now aware of system scope and default # roles. # Associate a policy to a specific region and service combination. # PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} # Intended scope(s): system, project #"identity:create_policy_association_for_region_and_service": "rule:admin_required" # DEPRECATED # "identity:create_policy_association_for_region_and_service":"rule:admin_required" has been deprecated since T in favor of "identity:create_policy_association_for_region_and_service":"rule:admin_required". # The policy association API is now aware of system scope and default # roles. # Check policy association for region and service. # GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} # HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} # Intended scope(s): system, project #"identity:check_policy_association_for_region_and_service": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:check_policy_association_for_region_and_service":"rule:admin_required" has been deprecated since T in favor of "identity:check_policy_association_for_region_and_service":"rule:admin_required or # (role:reader and system_scope:all)". # The policy association API is now aware of system scope and default # roles. # Delete policy association for region and service. 
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} # Intended scope(s): system, project #"identity:delete_policy_association_for_region_and_service": "rule:admin_required" # DEPRECATED # "identity:delete_policy_association_for_region_and_service":"rule:admin_required" has been deprecated since T in favor of "identity:delete_policy_association_for_region_and_service":"rule:admin_required". # The policy association API is now aware of system scope and default # roles. # Get policy for endpoint. # GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy # HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy # Intended scope(s): system, project #"identity:get_policy_for_endpoint": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_policy_for_endpoint":"rule:admin_required" has been # deprecated since T in favor of # "identity:get_policy_for_endpoint":"rule:admin_required or # (role:reader and system_scope:all)". # The policy association API is now aware of system scope and default # roles. # List endpoints for policy. # GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints # Intended scope(s): system, project #"identity:list_endpoints_for_policy": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_endpoints_for_policy":"rule:admin_required" has been # deprecated since T in favor of # "identity:list_endpoints_for_policy":"rule:admin_required or # (role:reader and system_scope:all)". # The policy association API is now aware of system scope and default # roles. # Show project details. 
# GET /v3/projects/{project_id} # Intended scope(s): system, domain, project #"identity:get_project": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" # DEPRECATED # "identity:get_project":"rule:admin_required or # project_id:%(target.project.id)s" has been deprecated since S in # favor of "identity:get_project":"(rule:admin_required) or # (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.project.domain_id)s) or # project_id:%(target.project.id)s". # The project API is now aware of system scope and default roles. # List projects. # GET /v3/projects # Intended scope(s): system, domain, project #"identity:list_projects": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" # DEPRECATED # "identity:list_projects":"rule:admin_required" has been deprecated # since S in favor of "identity:list_projects":"(rule:admin_required) # or (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.domain_id)s)". # The project API is now aware of system scope and default roles. # List projects for user. # GET /v3/users/{user_id}/projects # Intended scope(s): system, domain, project #"identity:list_user_projects": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" # DEPRECATED # "identity:list_user_projects":"rule:admin_or_owner" has been # deprecated since S in favor of # "identity:list_user_projects":"(rule:admin_required) or (role:reader # and system_scope:all) or (role:reader and # domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s". # The project API is now aware of system scope and default roles. # Create project. 
# POST /v3/projects # Intended scope(s): system, domain, project #"identity:create_project": "rule:admin_required" # DEPRECATED # "identity:create_project":"rule:admin_required" has been deprecated # since S in favor of "identity:create_project":"rule:admin_required". # The project API is now aware of system scope and default roles. # Update project. # PATCH /v3/projects/{project_id} # Intended scope(s): system, domain, project #"identity:update_project": "rule:admin_required" # DEPRECATED # "identity:update_project":"rule:admin_required" has been deprecated # since S in favor of "identity:update_project":"rule:admin_required". # The project API is now aware of system scope and default roles. # Delete project. # DELETE /v3/projects/{project_id} # Intended scope(s): system, domain, project #"identity:delete_project": "rule:admin_required" # DEPRECATED # "identity:delete_project":"rule:admin_required" has been deprecated # since S in favor of "identity:delete_project":"rule:admin_required". # The project API is now aware of system scope and default roles. # List tags for a project. # GET /v3/projects/{project_id}/tags # HEAD /v3/projects/{project_id}/tags # Intended scope(s): system, domain, project #"identity:list_project_tags": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" # DEPRECATED # "identity:list_project_tags":"rule:admin_required or # project_id:%(target.project.id)s" has been deprecated since T in # favor of "identity:list_project_tags":"(rule:admin_required) or # (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.project.domain_id)s) or # project_id:%(target.project.id)s". # The project API is now aware of system scope and default roles. # Check if project contains a tag. 
# GET /v3/projects/{project_id}/tags/{value} # HEAD /v3/projects/{project_id}/tags/{value} # Intended scope(s): system, domain, project #"identity:get_project_tag": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" # DEPRECATED # "identity:get_project_tag":"rule:admin_required or # project_id:%(target.project.id)s" has been deprecated since T in # favor of "identity:get_project_tag":"(rule:admin_required) or # (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.project.domain_id)s) or # project_id:%(target.project.id)s". # The project API is now aware of system scope and default roles. # Replace all tags on a project with the new set of tags. # PUT /v3/projects/{project_id}/tags # Intended scope(s): system, domain, project #"identity:update_project_tags": "rule:admin_required" # DEPRECATED # "identity:update_project_tags":"rule:admin_required" has been # deprecated since T in favor of # "identity:update_project_tags":"rule:admin_required". # The project API is now aware of system scope and default roles. # Add a single tag to a project. # PUT /v3/projects/{project_id}/tags/{value} # Intended scope(s): system, domain, project #"identity:create_project_tag": "rule:admin_required" # DEPRECATED # "identity:create_project_tag":"rule:admin_required" has been # deprecated since T in favor of # "identity:create_project_tag":"rule:admin_required". # The project API is now aware of system scope and default roles. # Remove all tags from a project. # DELETE /v3/projects/{project_id}/tags # Intended scope(s): system, domain, project #"identity:delete_project_tags": "rule:admin_required" # DEPRECATED # "identity:delete_project_tags":"rule:admin_required" has been # deprecated since T in favor of # "identity:delete_project_tags":"rule:admin_required". # The project API is now aware of system scope and default roles. 
# Delete a specified tag from project. # DELETE /v3/projects/{project_id}/tags/{value} # Intended scope(s): system, domain, project #"identity:delete_project_tag": "rule:admin_required" # DEPRECATED # "identity:delete_project_tag":"rule:admin_required" has been # deprecated since T in favor of # "identity:delete_project_tag":"rule:admin_required". # The project API is now aware of system scope and default roles. # List projects allowed to access an endpoint. # GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects # Intended scope(s): system, project #"identity:list_projects_for_endpoint": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_projects_for_endpoint":"rule:admin_required" has been # deprecated since T in favor of # "identity:list_projects_for_endpoint":"rule:admin_required or # (role:reader and system_scope:all)". # As of the Train release, the project endpoint API now understands # default roles and system-scoped tokens, making the API more granular # by default without compromising security. The new policy defaults # account for these changes automatically. Be sure to take these new # defaults into consideration if you are relying on overrides in your # deployment for the project endpoint API. # Allow project to access an endpoint. # PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} # Intended scope(s): system, project #"identity:add_endpoint_to_project": "rule:admin_required" # DEPRECATED # "identity:add_endpoint_to_project":"rule:admin_required" has been # deprecated since T in favor of # "identity:add_endpoint_to_project":"rule:admin_required". # As of the Train release, the project endpoint API now understands # default roles and system-scoped tokens, making the API more granular # by default without compromising security. The new policy defaults # account for these changes automatically. 
Be sure to take these new # defaults into consideration if you are relying on overrides in your # deployment for the project endpoint API. # Check if a project is allowed to access an endpoint. # GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} # HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} # Intended scope(s): system, project #"identity:check_endpoint_in_project": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:check_endpoint_in_project":"rule:admin_required" has been # deprecated since T in favor of # "identity:check_endpoint_in_project":"rule:admin_required or # (role:reader and system_scope:all)". # As of the Train release, the project endpoint API now understands # default roles and system-scoped tokens, making the API more granular # by default without compromising security. The new policy defaults # account for these changes automatically. Be sure to take these new # defaults into consideration if you are relying on overrides in your # deployment for the project endpoint API. # List the endpoints a project is allowed to access. # GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints # Intended scope(s): system, project #"identity:list_endpoints_for_project": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_endpoints_for_project":"rule:admin_required" has been # deprecated since T in favor of # "identity:list_endpoints_for_project":"rule:admin_required or # (role:reader and system_scope:all)". # As of the Train release, the project endpoint API now understands # default roles and system-scoped tokens, making the API more granular # by default without compromising security. The new policy defaults # account for these changes automatically. Be sure to take these new # defaults into consideration if you are relying on overrides in your # deployment for the project endpoint API. 
# Remove access to an endpoint from a project that has previously been # given explicit access. # DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} # Intended scope(s): system, project #"identity:remove_endpoint_from_project": "rule:admin_required" # DEPRECATED # "identity:remove_endpoint_from_project":"rule:admin_required" has # been deprecated since T in favor of # "identity:remove_endpoint_from_project":"rule:admin_required". # As of the Train release, the project endpoint API now understands # default roles and system-scoped tokens, making the API more granular # by default without compromising security. The new policy defaults # account for these changes automatically. Be sure to take these new # defaults into consideration if you are relying on overrides in your # deployment for the project endpoint API. # Create federated protocol. # PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} # Intended scope(s): system, project #"identity:create_protocol": "rule:admin_required" # DEPRECATED # "identity:create_protocol":"rule:admin_required" has been deprecated # since S in favor of # "identity:create_protocol":"rule:admin_required". # The federated protocol API is now aware of system scope and default # roles. # Update federated protocol. # PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} # Intended scope(s): system, project #"identity:update_protocol": "rule:admin_required" # DEPRECATED # "identity:update_protocol":"rule:admin_required" has been deprecated # since S in favor of # "identity:update_protocol":"rule:admin_required". # The federated protocol API is now aware of system scope and default # roles. # Get federated protocol. 
# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} # Intended scope(s): system, project #"identity:get_protocol": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_protocol":"rule:admin_required" has been deprecated # since S in favor of "identity:get_protocol":"rule:admin_required or # (role:reader and system_scope:all)". # The federated protocol API is now aware of system scope and default # roles. # List federated protocols. # GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols # Intended scope(s): system, project #"identity:list_protocols": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_protocols":"rule:admin_required" has been deprecated # since S in favor of "identity:list_protocols":"rule:admin_required # or (role:reader and system_scope:all)". # The federated protocol API is now aware of system scope and default # roles. # Delete federated protocol. # DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} # Intended scope(s): system, project #"identity:delete_protocol": "rule:admin_required" # DEPRECATED # "identity:delete_protocol":"rule:admin_required" has been deprecated # since S in favor of # "identity:delete_protocol":"rule:admin_required". # The federated protocol API is now aware of system scope and default # roles. # Show region details. # GET /v3/regions/{region_id} # HEAD /v3/regions/{region_id} # Intended scope(s): system, domain, project #"identity:get_region": "" # List regions. # GET /v3/regions # HEAD /v3/regions # Intended scope(s): system, domain, project #"identity:list_regions": "" # Create region. # POST /v3/regions # PUT /v3/regions/{region_id} # Intended scope(s): system, project #"identity:create_region": "rule:admin_required" # DEPRECATED # "identity:create_region":"rule:admin_required" has been deprecated # since S in favor of "identity:create_region":"rule:admin_required". 
# The region API is now aware of system scope and default roles. # Update region. # PATCH /v3/regions/{region_id} # Intended scope(s): system, project #"identity:update_region": "rule:admin_required" # DEPRECATED # "identity:update_region":"rule:admin_required" has been deprecated # since S in favor of "identity:update_region":"rule:admin_required". # The region API is now aware of system scope and default roles. # Delete region. # DELETE /v3/regions/{region_id} # Intended scope(s): system, project #"identity:delete_region": "rule:admin_required" # DEPRECATED # "identity:delete_region":"rule:admin_required" has been deprecated # since S in favor of "identity:delete_region":"rule:admin_required". # The region API is now aware of system scope and default roles. # Show registered limit details. # GET /v3/registered_limits/{registered_limit_id} # HEAD /v3/registered_limits/{registered_limit_id} # Intended scope(s): system, domain, project #"identity:get_registered_limit": "" # List registered limits. # GET /v3/registered_limits # HEAD /v3/registered_limits # Intended scope(s): system, domain, project #"identity:list_registered_limits": "" # Create registered limits. # POST /v3/registered_limits # Intended scope(s): system, project #"identity:create_registered_limits": "rule:admin_required" # Update registered limit. # PATCH /v3/registered_limits/{registered_limit_id} # Intended scope(s): system, project #"identity:update_registered_limit": "rule:admin_required" # Delete registered limit. # DELETE /v3/registered_limits/{registered_limit_id} # Intended scope(s): system, project #"identity:delete_registered_limit": "rule:admin_required" # List revocation events. # GET /v3/OS-REVOKE/events # Intended scope(s): system, project #"identity:list_revoke_events": "rule:service_or_admin" # Show role details. 
# GET /v3/roles/{role_id} # HEAD /v3/roles/{role_id} # Intended scope(s): system, project #"identity:get_role": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_role":"rule:admin_required" has been deprecated since # S in favor of "identity:get_role":"rule:admin_required or # (role:reader and system_scope:all)". # The role API is now aware of system scope and default roles. # List roles. # GET /v3/roles # HEAD /v3/roles # Intended scope(s): system, project #"identity:list_roles": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_roles":"rule:admin_required" has been deprecated # since S in favor of "identity:list_roles":"rule:admin_required or # (role:reader and system_scope:all)". # The role API is now aware of system scope and default roles. # Create role. # POST /v3/roles # Intended scope(s): system, project #"identity:create_role": "rule:admin_required" # DEPRECATED # "identity:create_role":"rule:admin_required" has been deprecated # since S in favor of "identity:create_role":"rule:admin_required". # The role API is now aware of system scope and default roles. # Update role. # PATCH /v3/roles/{role_id} # Intended scope(s): system, project #"identity:update_role": "rule:admin_required" # DEPRECATED # "identity:update_role":"rule:admin_required" has been deprecated # since S in favor of "identity:update_role":"rule:admin_required". # The role API is now aware of system scope and default roles. # Delete role. # DELETE /v3/roles/{role_id} # Intended scope(s): system, project #"identity:delete_role": "rule:admin_required" # DEPRECATED # "identity:delete_role":"rule:admin_required" has been deprecated # since S in favor of "identity:delete_role":"rule:admin_required". # The role API is now aware of system scope and default roles. # Show domain role. 
# GET /v3/roles/{role_id} # HEAD /v3/roles/{role_id} # Intended scope(s): system, project #"identity:get_domain_role": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_domain_role":"rule:admin_required" has been deprecated # since T in favor of "identity:get_domain_role":"rule:admin_required # or (role:reader and system_scope:all)". # The role API is now aware of system scope and default roles. # List domain roles. # GET /v3/roles?domain_id={domain_id} # HEAD /v3/roles?domain_id={domain_id} # Intended scope(s): system, project #"identity:list_domain_roles": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_domain_roles":"rule:admin_required" has been # deprecated since T in favor of # "identity:list_domain_roles":"rule:admin_required or (role:reader # and system_scope:all)". # The role API is now aware of system scope and default roles. # Create domain role. # POST /v3/roles # Intended scope(s): system, project #"identity:create_domain_role": "rule:admin_required" # DEPRECATED # "identity:create_domain_role":"rule:admin_required" has been # deprecated since T in favor of # "identity:create_domain_role":"rule:admin_required". # The role API is now aware of system scope and default roles. # Update domain role. # PATCH /v3/roles/{role_id} # Intended scope(s): system, project #"identity:update_domain_role": "rule:admin_required" # DEPRECATED # "identity:update_domain_role":"rule:admin_required" has been # deprecated since T in favor of # "identity:update_domain_role":"rule:admin_required". # The role API is now aware of system scope and default roles. # Delete domain role. # DELETE /v3/roles/{role_id} # Intended scope(s): system, project #"identity:delete_domain_role": "rule:admin_required" # DEPRECATED # "identity:delete_domain_role":"rule:admin_required" has been # deprecated since T in favor of # "identity:delete_domain_role":"rule:admin_required". 
# The role API is now aware of system scope and default roles. # List role assignments. # GET /v3/role_assignments # HEAD /v3/role_assignments # Intended scope(s): system, domain, project #"identity:list_role_assignments": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" # DEPRECATED # "identity:list_role_assignments":"rule:admin_required" has been # deprecated since S in favor of # "identity:list_role_assignments":"(rule:admin_required) or # (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.domain_id)s)". # The assignment API is now aware of system scope and default roles. # List all role assignments for a given tree of hierarchical projects. # GET /v3/role_assignments?include_subtree # HEAD /v3/role_assignments?include_subtree # Intended scope(s): system, domain, project #"identity:list_role_assignments_for_tree": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" # DEPRECATED # "identity:list_role_assignments_for_tree":"rule:admin_required" has # been deprecated since T in favor of # "identity:list_role_assignments_for_tree":"(rule:admin_required) or # (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.domain_id)s)". # The assignment API is now aware of system scope and default roles. # Show service details. # GET /v3/services/{service_id} # Intended scope(s): system, project #"identity:get_service": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_service":"rule:admin_required" has been deprecated # since S in favor of "identity:get_service":"rule:admin_required or # (role:reader and system_scope:all)". # The service API is now aware of system scope and default roles. # List services. 
# GET /v3/services # Intended scope(s): system, project #"identity:list_services": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_services":"rule:admin_required" has been deprecated # since S in favor of "identity:list_services":"rule:admin_required or # (role:reader and system_scope:all)". # The service API is now aware of system scope and default roles. # Create service. # POST /v3/services # Intended scope(s): system, project #"identity:create_service": "rule:admin_required" # DEPRECATED # "identity:create_service":"rule:admin_required" has been deprecated # since S in favor of "identity:create_service":"rule:admin_required". # The service API is now aware of system scope and default roles. # Update service. # PATCH /v3/services/{service_id} # Intended scope(s): system, project #"identity:update_service": "rule:admin_required" # DEPRECATED # "identity:update_service":"rule:admin_required" has been deprecated # since S in favor of "identity:update_service":"rule:admin_required". # The service API is now aware of system scope and default roles. # Delete service. # DELETE /v3/services/{service_id} # Intended scope(s): system, project #"identity:delete_service": "rule:admin_required" # DEPRECATED # "identity:delete_service":"rule:admin_required" has been deprecated # since S in favor of "identity:delete_service":"rule:admin_required". # The service API is now aware of system scope and default roles. # Create federated service provider. # PUT /v3/OS-FEDERATION/service_providers/{service_provider_id} # Intended scope(s): system, project #"identity:create_service_provider": "rule:admin_required" # DEPRECATED # "identity:create_service_provider":"rule:admin_required" has been # deprecated since S in favor of # "identity:create_service_provider":"rule:admin_required". # The service provider API is now aware of system scope and default # roles. # List federated service providers. 
# GET /v3/OS-FEDERATION/service_providers # HEAD /v3/OS-FEDERATION/service_providers # Intended scope(s): system, project #"identity:list_service_providers": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_service_providers":"rule:admin_required" has been # deprecated since S in favor of # "identity:list_service_providers":"rule:admin_required or # (role:reader and system_scope:all)". # The service provider API is now aware of system scope and default # roles. # Get federated service provider. # GET /v3/OS-FEDERATION/service_providers/{service_provider_id} # HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id} # Intended scope(s): system, project #"identity:get_service_provider": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:get_service_provider":"rule:admin_required" has been # deprecated since S in favor of # "identity:get_service_provider":"rule:admin_required or (role:reader # and system_scope:all)". # The service provider API is now aware of system scope and default # roles. # Update federated service provider. # PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id} # Intended scope(s): system, project #"identity:update_service_provider": "rule:admin_required" # DEPRECATED # "identity:update_service_provider":"rule:admin_required" has been # deprecated since S in favor of # "identity:update_service_provider":"rule:admin_required". # The service provider API is now aware of system scope and default # roles. # Delete federated service provider. # DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id} # Intended scope(s): system, project #"identity:delete_service_provider": "rule:admin_required" # DEPRECATED # "identity:delete_service_provider":"rule:admin_required" has been # deprecated since S in favor of # "identity:delete_service_provider":"rule:admin_required". # The service provider API is now aware of system scope and default # roles. 
# DEPRECATED # "identity:revocation_list" has been deprecated since T. # The identity:revocation_list policy isn't used to protect any APIs # in keystone now that the revocation list API has been deprecated and # only returns a 410 or 403 depending on how keystone is configured. # This policy can be safely removed from policy files. # List revoked PKI tokens. # GET /v3/auth/tokens/OS-PKI/revoked # Intended scope(s): system, project #"identity:revocation_list": "rule:service_or_admin" # Check a token. # HEAD /v3/auth/tokens # Intended scope(s): system, domain, project #"identity:check_token": "(role:reader and system_scope:all) or rule:token_subject" # DEPRECATED # "identity:check_token":"rule:admin_or_token_subject" has been # deprecated since T in favor of "identity:check_token":"(role:reader # and system_scope:all) or rule:token_subject". # The token API is now aware of system scope and default roles. # Validate a token. # GET /v3/auth/tokens # Intended scope(s): system, domain, project #"identity:validate_token": "(role:reader and system_scope:all) or rule:service_role or rule:token_subject" # DEPRECATED # "identity:validate_token":"rule:service_admin_or_token_subject" has # been deprecated since T in favor of # "identity:validate_token":"(role:reader and system_scope:all) or # rule:service_role or rule:token_subject". # The token API is now aware of system scope and default roles. # Revoke a token. # DELETE /v3/auth/tokens # Intended scope(s): system, domain, project #"identity:revoke_token": "(role:admin and system_scope:all) or rule:token_subject" # DEPRECATED # "identity:revoke_token":"rule:admin_or_token_subject" has been # deprecated since T in favor of "identity:revoke_token":"(role:admin # and system_scope:all) or rule:token_subject". # The token API is now aware of system scope and default roles. # Create trust. # POST /v3/OS-TRUST/trusts # Intended scope(s): project #"identity:create_trust": "user_id:%(trust.trustor_user_id)s" # List trusts. 
# GET /v3/OS-TRUST/trusts # HEAD /v3/OS-TRUST/trusts # Intended scope(s): system, project #"identity:list_trusts": "rule:admin_required or (role:reader and system_scope:all)" # DEPRECATED # "identity:list_trusts":"rule:admin_required" has been deprecated # since T in favor of "identity:list_trusts":"rule:admin_required or # (role:reader and system_scope:all)". # The trust API is now aware of system scope and default roles. # List trusts for trustor. # GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} # HEAD /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} # Intended scope(s): system, project #"identity:list_trusts_for_trustor": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s)" # List trusts for trustee. # GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} # HEAD /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} # Intended scope(s): system, project #"identity:list_trusts_for_trustee": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s)" # List roles delegated by a trust. # GET /v3/OS-TRUST/trusts/{trust_id}/roles # HEAD /v3/OS-TRUST/trusts/{trust_id}/roles # Intended scope(s): system, project #"identity:list_roles_for_trust": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)" # DEPRECATED # "identity:list_roles_for_trust":"user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" has been # deprecated since T in favor of # "identity:list_roles_for_trust":"(rule:admin_required) or # (role:reader and system_scope:all or # user_id:%(target.trust.trustor_user_id)s or # user_id:%(target.trust.trustee_user_id)s)". # The trust API is now aware of system scope and default roles. # Check if a trust delegates a particular role.
# GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} # HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} # Intended scope(s): system, project #"identity:get_role_for_trust": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)" # DEPRECATED # "identity:get_role_for_trust":"user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" has been deprecated # since T in favor of # "identity:get_role_for_trust":"(rule:admin_required) or (role:reader # and system_scope:all or user_id:%(target.trust.trustor_user_id)s or # user_id:%(target.trust.trustee_user_id)s)". # The trust API is now aware of system scope and default roles. # Revoke trust. # DELETE /v3/OS-TRUST/trusts/{trust_id} # Intended scope(s): system, project #"identity:delete_trust": "rule:admin_required or user_id:%(target.trust.trustor_user_id)s" # DEPRECATED # "identity:delete_trust":"user_id:%(target.trust.trustor_user_id)s" # has been deprecated since T in favor of # "identity:delete_trust":"rule:admin_required or # user_id:%(target.trust.trustor_user_id)s". # The trust API is now aware of system scope and default roles. # Get trust. # GET /v3/OS-TRUST/trusts/{trust_id} # HEAD /v3/OS-TRUST/trusts/{trust_id} # Intended scope(s): system, project #"identity:get_trust": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)" # DEPRECATED # "identity:get_trust":"user_id:%(target.trust.trustor_user_id)s or # user_id:%(target.trust.trustee_user_id)s" has been deprecated since # T in favor of "identity:get_trust":"(rule:admin_required) or # (role:reader and system_scope:all or # user_id:%(target.trust.trustor_user_id)s or # user_id:%(target.trust.trustee_user_id)s)". # The trust API is now aware of system scope and default roles. # Show user details.
# GET /v3/users/{user_id} # HEAD /v3/users/{user_id} # Intended scope(s): system, domain, project #"identity:get_user": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" # DEPRECATED # "identity:get_user":"rule:admin_or_owner" has been deprecated since # S in favor of "identity:get_user":"(rule:admin_required) or # (role:reader and system_scope:all) or (role:reader and # token.domain.id:%(target.user.domain_id)s) or # user_id:%(target.user.id)s". # The user API is now aware of system scope and default roles. # List users. # GET /v3/users # HEAD /v3/users # Intended scope(s): system, domain, project #"identity:list_users": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" # DEPRECATED # "identity:list_users":"rule:admin_required" has been deprecated # since S in favor of "identity:list_users":"(rule:admin_required) or # (role:reader and system_scope:all) or (role:reader and # domain_id:%(target.domain_id)s)". # The user API is now aware of system scope and default roles. # List all projects a user has access to via role assignments. # GET /v3/auth/projects #"identity:list_projects_for_user": "" # List all domains a user has access to via role assignments. # GET /v3/auth/domains #"identity:list_domains_for_user": "" # Create a user. # POST /v3/users # Intended scope(s): system, domain, project #"identity:create_user": "rule:admin_required" # DEPRECATED # "identity:create_user":"rule:admin_required" has been deprecated # since S in favor of "identity:create_user":"rule:admin_required". # The user API is now aware of system scope and default roles. # Update a user, including administrative password resets. 
# PATCH /v3/users/{user_id} # Intended scope(s): system, domain, project #"identity:update_user": "rule:admin_required" # DEPRECATED # "identity:update_user":"rule:admin_required" has been deprecated # since S in favor of "identity:update_user":"rule:admin_required". # The user API is now aware of system scope and default roles. # Delete a user. # DELETE /v3/users/{user_id} # Intended scope(s): system, domain, project #"identity:delete_user": "rule:admin_required" # DEPRECATED # "identity:delete_user":"rule:admin_required" has been deprecated # since S in favor of "identity:delete_user":"rule:admin_required". # The user API is now aware of system scope and default roles.