Policy configuration

updated: 2025-11-11 08:19

Policy configuration

Warning

JSON formatted policy file is deprecated since Keystone 19.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Configuration

The following is an overview of all available policies in Keystone.

For a sample configuration file, refer to policy.yaml.

keystone

admin_required
Default:

role:admin or is_admin:1

(no description provided)

service_role
Default:

role:service

(no description provided)

service_or_admin
Default:

rule:admin_required or rule:service_role

(no description provided)

owner
Default:

user_id:%(user_id)s

(no description provided)

admin_or_owner
Default:

rule:admin_required or rule:owner

(no description provided)

token_subject
Default:

user_id:%(target.token.user_id)s

(no description provided)

admin_or_token_subject
Default:

rule:admin_required or rule:token_subject

(no description provided)

service_admin_or_token_subject
Default:

rule:service_or_admin or rule:token_subject

(no description provided)

identity:get_access_rule
Default:

(role:reader and system_scope:all) or user_id:%(target.user.id)s

Operations:

  • GET /v3/users/{user_id}/access_rules/{access_rule_id}

  • HEAD /v3/users/{user_id}/access_rules/{access_rule_id}

Scope Types:

  • system

  • project

Show access rule details.

identity:list_access_rules
Default:

(role:reader and system_scope:all) or user_id:%(target.user.id)s

Operations:

  • GET /v3/users/{user_id}/access_rules

  • HEAD /v3/users/{user_id}/access_rules

Scope Types:

  • system

  • project

List access rules for a user.

identity:delete_access_rule
Default:

(role:admin and system_scope:all) or user_id:%(target.user.id)s

Operations:

  • DELETE /v3/users/{user_id}/access_rules/{access_rule_id}

Scope Types:

  • system

  • project

Delete an access_rule.

identity:authorize_request_token
Default:

rule:admin_required

Operations:

  • PUT /v3/OS-OAUTH1/authorize/{request_token_id}

Scope Types:

  • project

Authorize OAUTH1 request token.

identity:get_access_token
Default:

rule:admin_required

Operations:

  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

Scope Types:

  • project

Get OAUTH1 access token for user by access token ID.

identity:get_access_token_role
Default:

rule:admin_required

Operations:

  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}

Scope Types:

  • project

Get role for user OAUTH1 access token.

identity:list_access_tokens
Default:

rule:admin_required

Operations:

  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens

Scope Types:

  • project

List OAUTH1 access tokens for user.

identity:list_access_token_roles
Default:

rule:admin_required

Operations:

  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles

Scope Types:

  • project

List OAUTH1 access token roles.

identity:delete_access_token
Default:

rule:admin_required

Operations:

  • DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

Scope Types:

  • project

Delete OAUTH1 access token.

identity:get_application_credential
Default:

(rule:admin_required) or (role:reader and system_scope:all) or rule:owner

Operations:

  • GET /v3/users/{user_id}/application_credentials/{application_credential_id}

  • HEAD /v3/users/{user_id}/application_credentials/{application_credential_id}

Scope Types:

  • system

  • project

Show application credential details.

identity:list_application_credentials
Default:

(rule:admin_required) or (role:reader and system_scope:all) or rule:owner

Operations:

  • GET /v3/users/{user_id}/application_credentials

  • HEAD /v3/users/{user_id}/application_credentials

Scope Types:

  • system

  • project

List application credentials for a user.

identity:create_application_credential
Default:

user_id:%(user_id)s

Operations:

  • POST /v3/users/{user_id}/application_credentials

Scope Types:

  • project

Create an application credential.

identity:delete_application_credential
Default:

rule:admin_or_owner

Operations:

  • DELETE /v3/users/{user_id}/application_credentials/{application_credential_id}

Scope Types:

  • system

  • project

Delete an application credential.

identity:get_auth_catalog
Default:

<empty string>

Operations:

  • GET /v3/auth/catalog

  • HEAD /v3/auth/catalog

Get service catalog.

identity:get_auth_projects
Default:

<empty string>

Operations:

  • GET /v3/auth/projects

  • HEAD /v3/auth/projects

List all projects a user has access to via role assignments.

identity:get_auth_domains
Default:

<empty string>

Operations:

  • GET /v3/auth/domains

  • HEAD /v3/auth/domains

List all domains a user has access to via role assignments.

identity:get_auth_system
Default:

<empty string>

Operations:

  • GET /v3/auth/system

  • HEAD /v3/auth/system

List systems a user has access to via role assignments.

identity:get_consumer
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-OAUTH1/consumers/{consumer_id}

Scope Types:

  • system

  • project

Show OAUTH1 consumer details.

identity:list_consumers
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-OAUTH1/consumers

Scope Types:

  • system

  • project

List OAUTH1 consumers.

identity:create_consumer
Default:

rule:admin_required

Operations:

  • POST /v3/OS-OAUTH1/consumers

Scope Types:

  • system

  • project

Create OAUTH1 consumer.

identity:update_consumer
Default:

rule:admin_required

Operations:

  • PATCH /v3/OS-OAUTH1/consumers/{consumer_id}

Scope Types:

  • system

  • project

Update OAUTH1 consumer.

identity:delete_consumer
Default:

rule:admin_required

Operations:

  • DELETE /v3/OS-OAUTH1/consumers/{consumer_id}

Scope Types:

  • system

  • project

Delete OAUTH1 consumer.

identity:get_credential
Default:

(rule:admin_required) or (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s

Operations:

  • GET /v3/credentials/{credential_id}

Scope Types:

  • system

  • project

Show credentials details.

identity:list_credentials
Default:

(rule:admin_required) or (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s

Operations:

  • GET /v3/credentials

Scope Types:

  • system

  • project

List credentials.

identity:create_credential
Default:

(rule:admin_required) or user_id:%(target.credential.user_id)s

Operations:

  • POST /v3/credentials

Scope Types:

  • system

  • project

Create credential.

identity:update_credential
Default:

(rule:admin_required) or user_id:%(target.credential.user_id)s

Operations:

  • PATCH /v3/credentials/{credential_id}

Scope Types:

  • system

  • project

Update credential.

identity:delete_credential
Default:

(rule:admin_required) or user_id:%(target.credential.user_id)s

Operations:

  • DELETE /v3/credentials/{credential_id}

Scope Types:

  • system

  • project

Delete credential.

identity:get_domain
Default:

rule:admin_required or (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s

Operations:

  • GET /v3/domains/{domain_id}

Scope Types:

  • system

  • domain

  • project

Show domain details.

identity:list_domains
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/domains

Scope Types:

  • system

  • project

List domains.

identity:create_domain
Default:

rule:admin_required

Operations:

  • POST /v3/domains

Scope Types:

  • system

  • project

Create domain.

identity:update_domain
Default:

rule:admin_required

Operations:

  • PATCH /v3/domains/{domain_id}

Scope Types:

  • system

  • project

Update domain.

identity:delete_domain
Default:

rule:admin_required

Operations:

  • DELETE /v3/domains/{domain_id}

Scope Types:

  • system

  • project

Delete domain.

identity:create_domain_config
Default:

rule:admin_required

Operations:

  • PUT /v3/domains/{domain_id}/config

Scope Types:

  • system

  • project

Create domain configuration.

identity:get_domain_config
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/domains/{domain_id}/config

  • HEAD /v3/domains/{domain_id}/config

  • GET /v3/domains/{domain_id}/config/{group}

  • HEAD /v3/domains/{domain_id}/config/{group}

  • GET /v3/domains/{domain_id}/config/{group}/{option}

  • HEAD /v3/domains/{domain_id}/config/{group}/{option}

Scope Types:

  • system

  • project

Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain.

identity:get_security_compliance_domain_config
Default:

<empty string>

Operations:

  • GET /v3/domains/{domain_id}/config/security_compliance

  • HEAD /v3/domains/{domain_id}/config/security_compliance

  • GET /v3/domains/{domain_id}/config/security_compliance/{option}

  • HEAD /v3/domains/{domain_id}/config/security_compliance/{option}

Scope Types:

  • system

  • domain

  • project

Get security compliance domain configuration for either a domain or a specific option in a domain.

identity:update_domain_config
Default:

rule:admin_required

Operations:

  • PATCH /v3/domains/{domain_id}/config

  • PATCH /v3/domains/{domain_id}/config/{group}

  • PATCH /v3/domains/{domain_id}/config/{group}/{option}

Scope Types:

  • system

  • project

Update domain configuration for either a domain, specific group or a specific option in a group.

identity:delete_domain_config
Default:

rule:admin_required

Operations:

  • DELETE /v3/domains/{domain_id}/config

  • DELETE /v3/domains/{domain_id}/config/{group}

  • DELETE /v3/domains/{domain_id}/config/{group}/{option}

Scope Types:

  • system

  • project

Delete domain configuration for either a domain, specific group or a specific option in a group.

identity:get_domain_config_default
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/domains/config/default

  • HEAD /v3/domains/config/default

  • GET /v3/domains/config/{group}/default

  • HEAD /v3/domains/config/{group}/default

  • GET /v3/domains/config/{group}/{option}/default

  • HEAD /v3/domains/config/{group}/{option}/default

Scope Types:

  • system

  • project

Get domain configuration default for either a domain, specific group or a specific option in a group.

identity:ec2_get_credential
Default:

(rule:admin_required) or (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s

Operations:

  • GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

Scope Types:

  • system

  • project

Show ec2 credential details.

identity:ec2_list_credentials
Default:

(rule:admin_required) or (role:reader and system_scope:all) or rule:owner

Operations:

  • GET /v3/users/{user_id}/credentials/OS-EC2

Scope Types:

  • system

  • project

List ec2 credentials.

identity:ec2_create_credential
Default:

rule:admin_or_owner

Operations:

  • POST /v3/users/{user_id}/credentials/OS-EC2

Scope Types:

  • system

  • project

Create ec2 credential.

identity:ec2_delete_credential
Default:

(rule:admin_required) or user_id:%(target.credential.user_id)s

Operations:

  • DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

Scope Types:

  • system

  • project

Delete ec2 credential.

identity:get_endpoint
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/endpoints/{endpoint_id}

Scope Types:

  • system

  • project

Show endpoint details.

identity:list_endpoints
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/endpoints

Scope Types:

  • system

  • project

List endpoints.

identity:create_endpoint
Default:

rule:admin_required

Operations:

  • POST /v3/endpoints

Scope Types:

  • system

  • project

Create endpoint.

identity:update_endpoint
Default:

rule:admin_required

Operations:

  • PATCH /v3/endpoints/{endpoint_id}

Scope Types:

  • system

  • project

Update endpoint.

identity:delete_endpoint
Default:

rule:admin_required

Operations:

  • DELETE /v3/endpoints/{endpoint_id}

Scope Types:

  • system

  • project

Delete endpoint.

identity:create_endpoint_group
Default:

rule:admin_required

Operations:

  • POST /v3/OS-EP-FILTER/endpoint_groups

Scope Types:

  • system

  • project

Create endpoint group.

identity:list_endpoint_groups
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-EP-FILTER/endpoint_groups

Scope Types:

  • system

  • project

List endpoint groups.

identity:get_endpoint_group
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

  • HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

Scope Types:

  • system

  • project

Get endpoint group.

identity:update_endpoint_group
Default:

rule:admin_required

Operations:

  • PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

Scope Types:

  • system

  • project

Update endpoint group.

identity:delete_endpoint_group
Default:

rule:admin_required

Operations:

  • DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

Scope Types:

  • system

  • project

Delete endpoint group.

identity:list_projects_associated_with_endpoint_group
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects

Scope Types:

  • system

  • project

List all projects associated with a specific endpoint group.

identity:list_endpoints_associated_with_endpoint_group
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints

Scope Types:

  • system

  • project

List all endpoints associated with an endpoint group.

identity:get_endpoint_group_in_project
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

  • HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

Scope Types:

  • system

  • project

Check if an endpoint group is associated with a project.

identity:list_endpoint_groups_for_project
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups

Scope Types:

  • system

  • project

List endpoint groups associated with a specific project.

identity:add_endpoint_group_to_project
Default:

rule:admin_required

Operations:

  • PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

Scope Types:

  • system

  • project

Allow a project to access an endpoint group.

identity:remove_endpoint_group_from_project
Default:

rule:admin_required

Operations:

  • DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

Scope Types:

  • system

  • project

Remove endpoint group from project.

identity:check_grant
Default:

(rule:admin_required) or ((role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s))

Operations:

  • HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id}

  • GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id}

  • HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

  • GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

  • HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}

  • GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}

  • HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

  • GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

  • HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

  • GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

  • HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

  • GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

Scope Types:

  • system

  • domain

  • project

Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.

identity:list_grants
Default:

(rule:admin_required) or ((role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))

Operations:

  • GET /v3/projects/{project_id}/users/{user_id}/roles

  • HEAD /v3/projects/{project_id}/users/{user_id}/roles

  • GET /v3/projects/{project_id}/groups/{group_id}/roles

  • HEAD /v3/projects/{project_id}/groups/{group_id}/roles

  • GET /v3/domains/{domain_id}/users/{user_id}/roles

  • HEAD /v3/domains/{domain_id}/users/{user_id}/roles

  • GET /v3/domains/{domain_id}/groups/{group_id}/roles

  • HEAD /v3/domains/{domain_id}/groups/{group_id}/roles

  • GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects

  • GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects

Scope Types:

  • system

  • domain

  • project

List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain.

identity:create_grant
Default:

(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)

Operations:

  • PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}

  • PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

  • PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}

  • PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

  • PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

  • PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

Scope Types:

  • system

  • domain

  • project

Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.

identity:revoke_grant
Default:

(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)

Operations:

  • DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id}

  • DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

  • DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}

  • DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

  • DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

  • DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects

  • DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

Scope Types:

  • system

  • domain

  • project

Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target’s projects subtree.

identity:list_system_grants_for_user
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • [‘HEAD’, ‘GET’] /v3/system/users/{user_id}/roles

Scope Types:

  • system

  • project

List all grants a specific user has on the system.

identity:check_system_grant_for_user
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • [‘HEAD’, ‘GET’] /v3/system/users/{user_id}/roles/{role_id}

Scope Types:

  • system

  • project

Check if a user has a role on the system.

identity:create_system_grant_for_user
Default:

rule:admin_required

Operations:

  • [‘PUT’] /v3/system/users/{user_id}/roles/{role_id}

Scope Types:

  • system

  • project

Grant a user a role on the system.

identity:revoke_system_grant_for_user
Default:

rule:admin_required

Operations:

  • [‘DELETE’] /v3/system/users/{user_id}/roles/{role_id}

Scope Types:

  • system

  • project

Remove a role from a user on the system.

identity:list_system_grants_for_group
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • [‘HEAD’, ‘GET’] /v3/system/groups/{group_id}/roles

Scope Types:

  • system

  • project

List all grants a specific group has on the system.

identity:check_system_grant_for_group
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • [‘HEAD’, ‘GET’] /v3/system/groups/{group_id}/roles/{role_id}

Scope Types:

  • system

  • project

Check if a group has a role on the system.

identity:create_system_grant_for_group
Default:

rule:admin_required

Operations:

  • [‘PUT’] /v3/system/groups/{group_id}/roles/{role_id}

Scope Types:

  • system

  • project

Grant a group a role on the system.

identity:revoke_system_grant_for_group
Default:

rule:admin_required

Operations:

  • [‘DELETE’] /v3/system/groups/{group_id}/roles/{role_id}

Scope Types:

  • system

  • project

Remove a role from a group on the system.

identity:get_group
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)

Operations:

  • GET /v3/groups/{group_id}

  • HEAD /v3/groups/{group_id}

Scope Types:

  • system

  • domain

  • project

Show group details.

identity:list_groups
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)

Operations:

  • GET /v3/groups

  • HEAD /v3/groups

Scope Types:

  • system

  • domain

  • project

List groups.

identity:list_groups_for_user
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s

Operations:

  • GET /v3/users/{user_id}/groups

  • HEAD /v3/users/{user_id}/groups

Scope Types:

  • system

  • domain

  • project

List groups to which a user belongs.

identity:create_group
Default:

rule:admin_required

Operations:

  • POST /v3/groups

Scope Types:

  • system

  • domain

  • project

Create group.

identity:update_group
Default:

rule:admin_required

Operations:

  • PATCH /v3/groups/{group_id}

Scope Types:

  • system

  • domain

  • project

Update group.

identity:delete_group
Default:

rule:admin_required

Operations:

  • DELETE /v3/groups/{group_id}

Scope Types:

  • system

  • domain

  • project

Delete group.

identity:list_users_in_group
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)

Operations:

  • GET /v3/groups/{group_id}/users

  • HEAD /v3/groups/{group_id}/users

Scope Types:

  • system

  • domain

  • project

List members of a specific group.

identity:remove_user_from_group
Default:

rule:admin_required

Operations:

  • DELETE /v3/groups/{group_id}/users/{user_id}

Scope Types:

  • system

  • domain

  • project

Remove user from group.

identity:check_user_in_group
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)

Operations:

  • HEAD /v3/groups/{group_id}/users/{user_id}

  • GET /v3/groups/{group_id}/users/{user_id}

Scope Types:

  • system

  • domain

  • project

Check whether a user is a member of a group.

identity:add_user_to_group
Default:

rule:admin_required

Operations:

  • PUT /v3/groups/{group_id}/users/{user_id}

Scope Types:

  • system

  • domain

  • project

Add user to group.

identity:create_identity_provider
Default:

rule:admin_required

Operations:

  • PUT /v3/OS-FEDERATION/identity_providers/{idp_id}

Scope Types:

  • system

  • project

Create identity provider.

identity:list_identity_providers
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-FEDERATION/identity_providers

  • HEAD /v3/OS-FEDERATION/identity_providers

Scope Types:

  • system

  • project

List identity providers.

identity:get_identity_provider
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-FEDERATION/identity_providers/{idp_id}

  • HEAD /v3/OS-FEDERATION/identity_providers/{idp_id}

Scope Types:

  • system

  • project

Get identity provider.

identity:update_identity_provider
Default:

rule:admin_required

Operations:

  • PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}

Scope Types:

  • system

  • project

Update identity provider.

identity:delete_identity_provider
Default:

rule:admin_required

Operations:

  • DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}

Scope Types:

  • system

  • project

Delete identity provider.

identity:get_implied_role
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/roles/{prior_role_id}/implies/{implied_role_id}

Scope Types:

  • system

  • project

Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:list_implied_roles
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/roles/{prior_role_id}/implies

  • HEAD /v3/roles/{prior_role_id}/implies

Scope Types:

  • system

  • project

List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role.

identity:create_implied_role
Default:

rule:admin_required

Operations:

  • PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}

Scope Types:

  • system

  • project

Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:delete_implied_role
Default:

rule:admin_required

Operations:

  • DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}

Scope Types:

  • system

  • project

Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.

identity:list_role_inference_rules
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/role_inferences

  • HEAD /v3/role_inferences

Scope Types:

  • system

  • project

List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:check_implied_role
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}

Scope Types:

  • system

  • project

Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:get_limit_model
Default:

<empty string>

Operations:

  • GET /v3/limits/model

  • HEAD /v3/limits/model

Scope Types:

  • system

  • domain

  • project

Get limit enforcement model.

identity:get_limit
Default:

rule:admin_required or (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)

Operations:

  • GET /v3/limits/{limit_id}

  • HEAD /v3/limits/{limit_id}

Scope Types:

  • system

  • domain

  • project

Show limit details.

identity:list_limits
Default:

<empty string>

Operations:

  • GET /v3/limits

  • HEAD /v3/limits

Scope Types:

  • system

  • domain

  • project

List limits.

identity:create_limits
Default:

rule:admin_required

Operations:

  • POST /v3/limits

Scope Types:

  • system

  • project

Create limits.

identity:update_limit
Default:

rule:admin_required

Operations:

  • PATCH /v3/limits/{limit_id}

Scope Types:

  • system

  • project

Update limit.

identity:delete_limit
Default:

rule:admin_required

Operations:

  • DELETE /v3/limits/{limit_id}

Scope Types:

  • system

  • project

Delete limit.

identity:create_mapping
Default:

rule:admin_required

Operations:

  • PUT /v3/OS-FEDERATION/mappings/{mapping_id}

Scope Types:

  • system

  • project

Create a new federated mapping containing one or more sets of rules.

identity:get_mapping
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-FEDERATION/mappings/{mapping_id}

  • HEAD /v3/OS-FEDERATION/mappings/{mapping_id}

Scope Types:

  • system

  • project

Get a federated mapping.

identity:list_mappings
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-FEDERATION/mappings

  • HEAD /v3/OS-FEDERATION/mappings

Scope Types:

  • system

  • project

List federated mappings.

identity:delete_mapping
Default:

rule:admin_required

Operations:

  • DELETE /v3/OS-FEDERATION/mappings/{mapping_id}

Scope Types:

  • system

  • project

Delete a federated mapping.

identity:update_mapping
Default:

rule:admin_required

Operations:

  • PATCH /v3/OS-FEDERATION/mappings/{mapping_id}

Scope Types:

  • system

  • project

Update a federated mapping.

identity:get_policy
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/policies/{policy_id}

Scope Types:

  • system

  • project

Show policy details.

identity:list_policies
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/policies

Scope Types:

  • system

  • project

List policies.

identity:create_policy
Default:

rule:admin_required

Operations:

  • POST /v3/policies

Scope Types:

  • system

  • project

Create policy.

identity:update_policy
Default:

rule:admin_required

Operations:

  • PATCH /v3/policies/{policy_id}

Scope Types:

  • system

  • project

Update policy.

identity:delete_policy
Default:

rule:admin_required

Operations:

  • DELETE /v3/policies/{policy_id}

Scope Types:

  • system

  • project

Delete policy.

identity:create_policy_association_for_endpoint
Default:

rule:admin_required

Operations:

  • PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

Scope Types:

  • system

  • project

Associate a policy to a specific endpoint.

identity:check_policy_association_for_endpoint
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

  • HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

Scope Types:

  • system

  • project

Check policy association for endpoint.

identity:delete_policy_association_for_endpoint
Default:

rule:admin_required

Operations:

  • DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

Scope Types:

  • system

  • project

Delete policy association for endpoint.

identity:create_policy_association_for_service
Default:

rule:admin_required

Operations:

  • PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

Scope Types:

  • system

  • project

Associate a policy to a specific service.

identity:check_policy_association_for_service
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

  • HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

Scope Types:

  • system

  • project

Check policy association for service.

identity:delete_policy_association_for_service
Default:

rule:admin_required

Operations:

  • DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

Scope Types:

  • system

  • project

Delete policy association for service.

identity:create_policy_association_for_region_and_service
Default:

rule:admin_required

Operations:

  • PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

Scope Types:

  • system

  • project

Associate a policy to a specific region and service combination.

identity:check_policy_association_for_region_and_service
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

  • HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

Scope Types:

  • system

  • project

Check policy association for region and service.

identity:delete_policy_association_for_region_and_service
Default:

rule:admin_required

Operations:

  • DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

Scope Types:

  • system

  • project

Delete policy association for region and service.

identity:get_policy_for_endpoint
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy

  • HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy

Scope Types:

  • system

  • project

Get policy for endpoint.

identity:list_endpoints_for_policy
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints

Scope Types:

  • system

  • project

List endpoints for policy.

identity:get_project
Default:

(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s

Operations:

  • GET /v3/projects/{project_id}

Scope Types:

  • system

  • domain

  • project

Show project details.

identity:list_projects
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)

Operations:

  • GET /v3/projects

Scope Types:

  • system

  • domain

  • project

List projects.

identity:list_user_projects
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s

Operations:

  • GET /v3/users/{user_id}/projects

Scope Types:

  • system

  • domain

  • project

List projects for user.

identity:create_project
Default:

rule:admin_required

Operations:

  • POST /v3/projects

Scope Types:

  • system

  • domain

  • project

Create project.

identity:update_project
Default:

rule:admin_required

Operations:

  • PATCH /v3/projects/{project_id}

Scope Types:

  • system

  • domain

  • project

Update project.

identity:delete_project
Default:

rule:admin_required

Operations:

  • DELETE /v3/projects/{project_id}

Scope Types:

  • system

  • domain

  • project

Delete project.

identity:list_project_tags
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s

Operations:

  • GET /v3/projects/{project_id}/tags

  • HEAD /v3/projects/{project_id}/tags

Scope Types:

  • system

  • domain

  • project

List tags for a project.

identity:get_project_tag
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s

Operations:

  • GET /v3/projects/{project_id}/tags/{value}

  • HEAD /v3/projects/{project_id}/tags/{value}

Scope Types:

  • system

  • domain

  • project

Check if project contains a tag.

identity:update_project_tags
Default:

rule:admin_required

Operations:

  • PUT /v3/projects/{project_id}/tags

Scope Types:

  • system

  • domain

  • project

Replace all tags on a project with the new set of tags.

identity:create_project_tag
Default:

rule:admin_required

Operations:

  • PUT /v3/projects/{project_id}/tags/{value}

Scope Types:

  • system

  • domain

  • project

Add a single tag to a project.

identity:delete_project_tags
Default:

rule:admin_required

Operations:

  • DELETE /v3/projects/{project_id}/tags

Scope Types:

  • system

  • domain

  • project

Remove all tags from a project.

identity:delete_project_tag
Default:

rule:admin_required

Operations:

  • DELETE /v3/projects/{project_id}/tags/{value}

Scope Types:

  • system

  • domain

  • project

Delete a specified tag from project.

identity:list_projects_for_endpoint
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects

Scope Types:

  • system

  • project

List projects allowed to access an endpoint.

identity:add_endpoint_to_project
Default:

rule:admin_required

Operations:

  • PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Scope Types:

  • system

  • project

Allow project to access an endpoint.

identity:check_endpoint_in_project
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

  • HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Scope Types:

  • system

  • project

Check if a project is allowed to access an endpoint.

identity:list_endpoints_for_project
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints

Scope Types:

  • system

  • project

List the endpoints a project is allowed to access.

identity:remove_endpoint_from_project
Default:

rule:admin_required

Operations:

  • DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Scope Types:

  • system

  • project

Remove access to an endpoint from a project that has previously been given explicit access.

identity:create_protocol
Default:

rule:admin_required

Operations:

  • PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

Scope Types:

  • system

  • project

Create federated protocol.

identity:update_protocol
Default:

rule:admin_required

Operations:

  • PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

Scope Types:

  • system

  • project

Update federated protocol.

identity:get_protocol
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

Scope Types:

  • system

  • project

Get federated protocol.

identity:list_protocols
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols

Scope Types:

  • system

  • project

List federated protocols.

identity:delete_protocol
Default:

rule:admin_required

Operations:

  • DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

Scope Types:

  • system

  • project

Delete federated protocol.

identity:get_region
Default:

<empty string>

Operations:

  • GET /v3/regions/{region_id}

  • HEAD /v3/regions/{region_id}

Scope Types:

  • system

  • domain

  • project

Show region details.

identity:list_regions
Default:

<empty string>

Operations:

  • GET /v3/regions

  • HEAD /v3/regions

Scope Types:

  • system

  • domain

  • project

List regions.

identity:create_region
Default:

rule:admin_required

Operations:

  • POST /v3/regions

  • PUT /v3/regions/{region_id}

Scope Types:

  • system

  • project

Create region.

identity:update_region
Default:

rule:admin_required

Operations:

  • PATCH /v3/regions/{region_id}

Scope Types:

  • system

  • project

Update region.

identity:delete_region
Default:

rule:admin_required

Operations:

  • DELETE /v3/regions/{region_id}

Scope Types:

  • system

  • project

Delete region.

identity:get_registered_limit
Default:

<empty string>

Operations:

  • GET /v3/registered_limits/{registered_limit_id}

  • HEAD /v3/registered_limits/{registered_limit_id}

Scope Types:

  • system

  • domain

  • project

Show registered limit details.

identity:list_registered_limits
Default:

<empty string>

Operations:

  • GET /v3/registered_limits

  • HEAD /v3/registered_limits

Scope Types:

  • system

  • domain

  • project

List registered limits.

identity:create_registered_limits
Default:

rule:admin_required

Operations:

  • POST /v3/registered_limits

Scope Types:

  • system

  • project

Create registered limits.

identity:update_registered_limit
Default:

rule:admin_required

Operations:

  • PATCH /v3/registered_limits/{registered_limit_id}

Scope Types:

  • system

  • project

Update registered limit.

identity:delete_registered_limit
Default:

rule:admin_required

Operations:

  • DELETE /v3/registered_limits/{registered_limit_id}

Scope Types:

  • system

  • project

Delete registered limit.

identity:list_revoke_events
Default:

rule:service_or_admin

Operations:

  • GET /v3/OS-REVOKE/events

Scope Types:

  • system

  • project

List revocation events.

identity:get_role
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/roles/{role_id}

  • HEAD /v3/roles/{role_id}

Scope Types:

  • system

  • project

Show role details.

identity:list_roles
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/roles

  • HEAD /v3/roles

Scope Types:

  • system

  • project

List roles.

identity:create_role
Default:

rule:admin_required

Operations:

  • POST /v3/roles

Scope Types:

  • system

  • project

Create role.

identity:update_role
Default:

rule:admin_required

Operations:

  • PATCH /v3/roles/{role_id}

Scope Types:

  • system

  • project

Update role.

identity:delete_role
Default:

rule:admin_required

Operations:

  • DELETE /v3/roles/{role_id}

Scope Types:

  • system

  • project

Delete role.

identity:get_domain_role
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/roles/{role_id}

  • HEAD /v3/roles/{role_id}

Scope Types:

  • system

  • project

Show domain role.

identity:list_domain_roles
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/roles?domain_id={domain_id}

  • HEAD /v3/roles?domain_id={domain_id}

Scope Types:

  • system

  • project

List domain roles.

identity:create_domain_role
Default:

rule:admin_required

Operations:

  • POST /v3/roles

Scope Types:

  • system

  • project

Create domain role.

identity:update_domain_role
Default:

rule:admin_required

Operations:

  • PATCH /v3/roles/{role_id}

Scope Types:

  • system

  • project

Update domain role.

identity:delete_domain_role
Default:

rule:admin_required

Operations:

  • DELETE /v3/roles/{role_id}

Scope Types:

  • system

  • project

Delete domain role.

identity:list_role_assignments
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)

Operations:

  • GET /v3/role_assignments

  • HEAD /v3/role_assignments

Scope Types:

  • system

  • domain

  • project

List role assignments.

identity:list_role_assignments_for_tree
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)

Operations:

  • GET /v3/role_assignments?include_subtree

  • HEAD /v3/role_assignments?include_subtree

Scope Types:

  • system

  • domain

  • project

List all role assignments for a given tree of hierarchical projects.

identity:s3tokens_validate
Default:

rule:service_or_admin

Operations:

  • POST /v3/s3tokens

Scope Types:

  • system

  • domain

  • project

Validate S3 credentials and create a Keystone token. Restricted to service users or administrators to prevent exploitation via presigned URLs.

identity:ec2tokens_validate
Default:

rule:service_or_admin

Operations:

  • POST /v3/ec2tokens

Scope Types:

  • system

  • domain

  • project

Validate EC2 credentials and create a Keystone token. Restricted to service users or administrators.

identity:get_service
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/services/{service_id}

Scope Types:

  • system

  • project

Show service details.

identity:list_services
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/services

Scope Types:

  • system

  • project

List services.

identity:create_service
Default:

rule:admin_required

Operations:

  • POST /v3/services

Scope Types:

  • system

  • project

Create service.

identity:update_service
Default:

rule:admin_required

Operations:

  • PATCH /v3/services/{service_id}

Scope Types:

  • system

  • project

Update service.

identity:delete_service
Default:

rule:admin_required

Operations:

  • DELETE /v3/services/{service_id}

Scope Types:

  • system

  • project

Delete service.

identity:create_service_provider
Default:

rule:admin_required

Operations:

  • PUT /v3/OS-FEDERATION/service_providers/{service_provider_id}

Scope Types:

  • system

  • project

Create federated service provider.

identity:list_service_providers
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-FEDERATION/service_providers

  • HEAD /v3/OS-FEDERATION/service_providers

Scope Types:

  • system

  • project

List federated service providers.

identity:get_service_provider
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-FEDERATION/service_providers/{service_provider_id}

  • HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id}

Scope Types:

  • system

  • project

Get federated service provider.

identity:update_service_provider
Default:

rule:admin_required

Operations:

  • PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id}

Scope Types:

  • system

  • project

Update federated service provider.

identity:delete_service_provider
Default:

rule:admin_required

Operations:

  • DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id}

Scope Types:

  • system

  • project

Delete federated service provider.

identity:revocation_list
Default:

rule:service_or_admin

Operations:

  • GET /v3/auth/tokens/OS-PKI/revoked

Scope Types:

  • system

  • project

List revoked PKI tokens.

identity:check_token
Default:

rule:admin_required or (role:reader and system_scope:all) or rule:token_subject

Operations:

  • HEAD /v3/auth/tokens

Scope Types:

  • system

  • domain

  • project

Check a token.

identity:validate_token
Default:

rule:admin_required or (role:reader and system_scope:all) or rule:service_role or rule:token_subject

Operations:

  • GET /v3/auth/tokens

Scope Types:

  • system

  • domain

  • project

Validate a token.

identity:revoke_token
Default:

rule:admin_required or rule:token_subject

Operations:

  • DELETE /v3/auth/tokens

Scope Types:

  • system

  • domain

  • project

Revoke a token.

identity:create_trust
Default:

user_id:%(trust.trustor_user_id)s

Operations:

  • POST /v3/OS-TRUST/trusts

Scope Types:

  • project

Create trust.

identity:list_trusts
Default:

rule:admin_required or (role:reader and system_scope:all)

Operations:

  • GET /v3/OS-TRUST/trusts

  • HEAD /v3/OS-TRUST/trusts

Scope Types:

  • system

  • project

List trusts.

identity:list_trusts_for_trustor
Default:

(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s)

Operations:

  • GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}

  • HEAD /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}

Scope Types:

  • system

  • project

List trusts for trustor.

identity:list_trusts_for_trustee
Default:

(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s)

Operations:

  • GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}

  • HEAD /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}

Scope Types:

  • system

  • project

List trusts for trustee.

identity:list_roles_for_trust
Default:

(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)

Operations:

  • GET /v3/OS-TRUST/trusts/{trust_id}/roles

  • HEAD /v3/OS-TRUST/trusts/{trust_id}/roles

Scope Types:

  • system

  • project

List roles delegated by a trust.

identity:get_role_for_trust
Default:

(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)

Operations:

  • GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}

  • HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}

Scope Types:

  • system

  • project

Check if trust delegates a particular role.

identity:delete_trust
Default:

rule:admin_required or user_id:%(target.trust.trustor_user_id)s

Operations:

  • DELETE /v3/OS-TRUST/trusts/{trust_id}

Scope Types:

  • system

  • project

Revoke trust.

identity:get_trust
Default:

(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)

Operations:

  • GET /v3/OS-TRUST/trusts/{trust_id}

  • HEAD /v3/OS-TRUST/trusts/{trust_id}

Scope Types:

  • system

  • project

Get trust.

identity:get_user
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s

Operations:

  • GET /v3/users/{user_id}

  • HEAD /v3/users/{user_id}

Scope Types:

  • system

  • domain

  • project

Show user details.

identity:list_users
Default:

(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)

Operations:

  • GET /v3/users

  • HEAD /v3/users

Scope Types:

  • system

  • domain

  • project

List users.

identity:list_projects_for_user
Default:

<empty string>

Operations:

  • GET `` /v3/auth/projects``

List all projects a user has access to via role assignments.

identity:list_domains_for_user
Default:

<empty string>

Operations:

  • GET /v3/auth/domains

List all domains a user has access to via role assignments.

identity:create_user
Default:

rule:admin_required

Operations:

  • POST /v3/users

Scope Types:

  • system

  • domain

  • project

Create a user.

identity:update_user
Default:

rule:admin_required

Operations:

  • PATCH /v3/users/{user_id}

Scope Types:

  • system

  • domain

  • project

Update a user, including administrative password resets.

identity:delete_user
Default:

rule:admin_required

Operations:

  • DELETE /v3/users/{user_id}

Scope Types:

  • system

  • domain

  • project

Delete a user.

updated: 2025-11-11 08:19
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.

questions?