b2235bf3fb
Excluded all XML files in the directory doc/common/tables because they are autogenerated. The XML root element of Docbook XML files should match the following format: <ELEMENT xmlns="http://docbook.org/ns/docbook" xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="THE_XML_ID_OF_THE_ELEMENT"> Change-Id: If12091be81ec8b2e6e53bfcb4c3a883a65e24736
73 lines
2.8 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
    xmlns:xi="http://www.w3.org/2001/XInclude"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    version="5.0"
    xml:id="identity-groups">
    <title>Groups</title>
    <para>A group is a collection of users. Administrators can
        create groups and add users to them. Then, rather than
        assigning a role to each user individually, they assign the
        role to the group, and every member of the group receives it.
        Every group is in a domain. Groups were introduced with the
        Identity API v3.</para>
    <!--TODO: eventually remove the last sentence, when v3 is
        commonplace -->
|
|
    <para>Identity API v3 provides the following group-related
        operations:</para>
    <itemizedlist>
        <listitem>
            <para>Create a group</para>
        </listitem>
        <listitem>
            <para>Delete a group</para>
        </listitem>
        <listitem>
            <para>Update a group (change its name or
                description)</para>
        </listitem>
        <listitem>
            <para>Add a user to a group</para>
        </listitem>
        <listitem>
            <para>Remove a user from a group</para>
        </listitem>
        <listitem>
            <para>List group members</para>
        </listitem>
        <listitem>
            <para>List groups for a user</para>
        </listitem>
        <listitem>
            <para>Assign a role on a project (tenant) to a group</para>
        </listitem>
        <listitem>
            <para>Assign a role on a domain to a group</para>
        </listitem>
        <listitem>
            <para>Query role assignments to groups</para>
        </listitem>
    </itemizedlist>
    <note>
        <para>The Identity service might not allow every operation.
            For example, when the LDAP Identity back end is in use
            and group updates are disabled (the
            <option>group_allow_create</option>,
            <option>group_allow_update</option>, and
            <option>group_allow_delete</option> settings in the
            <literal>[ldap]</literal> section of
            <filename>keystone.conf</filename>), requests to create,
            delete, or update a group fail.</para>
    </note>
|
|
    <para>Here are a couple of examples:</para>
    <itemizedlist>
        <listitem>
            <para>Group A is granted Role A on Tenant A. If User A
                is a member of Group A, then when User A gets a token
                scoped to Tenant A, the token also includes Role
                A.</para>
        </listitem>
        <listitem>
            <para>Group B is granted Role B on Domain B. If User B
                is a member of Group B, then when User B gets a token
                scoped to Domain B, the token also includes Role
                B. A user who merely belongs to Domain B, but not to
                Group B, does not receive Role B: only group
                membership carries the group's roles into a
                token.</para>
        </listitem>
    </itemizedlist>
</section>
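The two examples above describe how a role granted to a group reaches a user's scoped token. The following Python model, added here as an illustration and not code from Keystone or the openstack-manuals project, keeps the objects the section names (users, groups, domains, projects/tenants, role assignments) in memory and resolves the roles a scoped token carries: direct assignments to the user plus the assignments of every group the user belongs to. It also shows the failure mode the second example is easy to misread: a user who is in Group B's domain but not in Group B gets nothing. Class, function and identifier names (`IdentityStore`, `issue_scoped_token`, `user_a`, `tenant_a`, and so on) are constructed for this example.

```python
"""Effective roles for a scoped token: a model of the group rules above.

Added example, not Keystone's own code. Every identifier is constructed
sample data; the resolution rule (direct user assignments plus the
assignments of each group the user is a member of) is the one the
section describes.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Scope:
    """Target of a role assignment or token: a project (tenant) or a domain."""
    kind: str
    id: str

    def __post_init__(self) -> None:
        if self.kind not in ("project", "domain"):
            raise ValueError("scope kind must be 'project' or 'domain'")


Actor = Tuple[str, str]  # ("user" | "group", id)


@dataclass
class IdentityStore:
    user_domain: Dict[str, str] = field(default_factory=dict)   # user id -> domain id
    group_domain: Dict[str, str] = field(default_factory=dict)  # group id -> domain id
    members: Dict[str, Set[str]] = field(default_factory=dict)  # group id -> user ids
    assignments: Dict[Tuple[Actor, Scope], Set[str]] = field(default_factory=dict)

    def create_group(self, group_id: str, domain_id: str) -> None:
        if group_id in self.group_domain:
            raise ValueError(f"group {group_id!r} already exists")
        self.group_domain[group_id] = domain_id  # every group lives in a domain
        self.members[group_id] = set()

    def delete_group(self, group_id: str) -> None:
        del self.group_domain[group_id]
        del self.members[group_id]
        # A deleted group takes its role assignments with it.
        for key in [k for k in self.assignments if k[0] == ("group", group_id)]:
            del self.assignments[key]

    def add_user_to_group(self, user_id: str, group_id: str) -> None:
        if user_id not in self.user_domain:
            raise KeyError(f"unknown user {user_id!r}")
        self.members[group_id].add(user_id)

    def remove_user_from_group(self, user_id: str, group_id: str) -> None:
        self.members[group_id].discard(user_id)

    def list_groups_for_user(self, user_id: str) -> Set[str]:
        return {g for g, users in self.members.items() if user_id in users}

    def assign_role(self, kind: str, actor_id: str, scope: Scope, role: str) -> None:
        self.assignments.setdefault(((kind, actor_id), scope), set()).add(role)

    def effective_roles(self, user_id: str, scope: Scope) -> Set[str]:
        """Direct roles on `scope` plus the roles of every group the user is in.
        Membership in a domain grants nothing by itself."""
        roles = set(self.assignments.get((("user", user_id), scope), set()))
        for group_id in self.list_groups_for_user(user_id):
            roles |= self.assignments.get((("group", group_id), scope), set())
        return roles


def issue_scoped_token(store: IdentityStore, user_id: str, scope: Scope) -> dict:
    """Refuse the scope when no role reaches the user; otherwise list the roles."""
    roles = store.effective_roles(user_id, scope)
    if not roles:
        raise PermissionError(f"{user_id} has no role on {scope.kind} {scope.id}")
    return {"user": user_id, "scope": scope, "roles": sorted(roles)}


def denied(store: IdentityStore, user_id: str, scope: Scope) -> bool:
    """True when the store refuses to issue a token for this user and scope."""
    try:
        issue_scoped_token(store, user_id, scope)
    except PermissionError:
        return True
    return False


def build_sample_store() -> IdentityStore:
    """Constructed data matching the two examples in the section, plus
    user_c, who is in domain_b but in no group."""
    store = IdentityStore()
    store.user_domain.update({"user_a": "domain_a", "user_b": "domain_b", "user_c": "domain_b"})
    store.create_group("group_a", "domain_a")
    store.create_group("group_b", "domain_b")
    store.add_user_to_group("user_a", "group_a")
    store.add_user_to_group("user_b", "group_b")
    store.assign_role("group", "group_a", Scope("project", "tenant_a"), "role_a")
    store.assign_role("group", "group_b", Scope("domain", "domain_b"), "role_b")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(issue_scoped_token(s, "user_a", Scope("project", "tenant_a")))
    print(issue_scoped_token(s, "user_b", Scope("domain", "domain_b")))
    # user_c is in domain_b but not in group_b, so Role B never reaches it.
    print("user_c denied:", denied(s, "user_c", Scope("domain", "domain_b")))
```

Removing User A from Group A, or deleting Group B, immediately withdraws the inherited role in this model; whether already-issued tokens are revoked on such changes is a separate property of the deployment and is not modelled here.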