policy.yaml

Use the policy.yaml file to define additional access controls that apply to the Identity service. Each entry below shows the default rule for a policy target, commented out; an uncommented entry overrides that default:

#
#"admin_required": "role:admin or is_admin:1"

#
#"service_role": "role:service"

#
#"service_or_admin": "rule:admin_required or rule:service_role"

#
#"owner": "user_id:%(user_id)s"

#
#"admin_or_owner": "rule:admin_required or rule:owner"

#
#"token_subject": "user_id:%(target.token.user_id)s"

#
#"admin_or_token_subject": "rule:admin_required or rule:token_subject"

#
#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject"

# Show application credential details.
# GET  /v3/users/{user_id}/application_credentials/{application_credential_id}
# HEAD  /v3/users/{user_id}/application_credentials/{application_credential_id}
#"identity:get_application_credential": "rule:admin_or_owner"

# List application credentials for a user.
# GET  /v3/users/{user_id}/application_credentials
# HEAD  /v3/users/{user_id}/application_credentials
#"identity:list_application_credentials": "rule:admin_or_owner"

# Create an application credential.
# POST  /v3/users/{user_id}/application_credentials
#"identity:create_application_credential": "rule:admin_or_owner"

# Delete an application credential.
# DELETE  /v3/users/{user_id}/application_credentials/{application_credential_id}
#"identity:delete_application_credential": "rule:admin_or_owner"

# Authorize OAUTH1 request token.
# PUT  /v3/OS-OAUTH1/authorize/{request_token_id}
# Intended scope(s): project
#"identity:authorize_request_token": "rule:admin_required"

# Get OAUTH1 access token for user by access token ID.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
# Intended scope(s): project
#"identity:get_access_token": "rule:admin_required"

# Get role for user OAUTH1 access token.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
# Intended scope(s): project
#"identity:get_access_token_role": "rule:admin_required"

# List OAUTH1 access tokens for user.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens
# Intended scope(s): project
#"identity:list_access_tokens": "rule:admin_required"

# List OAUTH1 access token roles.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
# Intended scope(s): project
#"identity:list_access_token_roles": "rule:admin_required"

# Delete OAUTH1 access token.
# DELETE  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
# Intended scope(s): project
#"identity:delete_access_token": "rule:admin_required"

# Get service catalog.
# GET  /v3/auth/catalog
# HEAD  /v3/auth/catalog
#"identity:get_auth_catalog": ""

# List all projects a user has access to via role assignments.
# GET  /v3/auth/projects
# HEAD  /v3/auth/projects
#"identity:get_auth_projects": ""

# List all domains a user has access to via role assignments.
# GET  /v3/auth/domains
# HEAD  /v3/auth/domains
#"identity:get_auth_domains": ""

# List systems a user has access to via role assignments.
# GET  /v3/auth/system
# HEAD  /v3/auth/system
#"identity:get_auth_system": ""

# Show OAUTH1 consumer details.
# GET  /v3/OS-OAUTH1/consumers/{consumer_id}
# Intended scope(s): system
#"identity:get_consumer": "rule:admin_required"

# List OAUTH1 consumers.
# GET  /v3/OS-OAUTH1/consumers
# Intended scope(s): system
#"identity:list_consumers": "rule:admin_required"

# Create OAUTH1 consumer.
# POST  /v3/OS-OAUTH1/consumers
# Intended scope(s): system
#"identity:create_consumer": "rule:admin_required"

# Update OAUTH1 consumer.
# PATCH  /v3/OS-OAUTH1/consumers/{consumer_id}
# Intended scope(s): system
#"identity:update_consumer": "rule:admin_required"

# Delete OAUTH1 consumer.
# DELETE  /v3/OS-OAUTH1/consumers/{consumer_id}
# Intended scope(s): system
#"identity:delete_consumer": "rule:admin_required"

# Show credentials details.
# GET  /v3/credentials/{credential_id}
# Intended scope(s): system, project
#"identity:get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"

# DEPRECATED "identity:get_credential":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:get_credential":"(role:reader and system_scope:all) or
# user_id:%(target.credential.user_id)s". As of the Stein release, the
# credential API now understands how to handle system-scoped tokens in
# addition to project-scoped tokens, making the API more accessible to
# users without compromising security or manageability for
# administrators. The new default policies for this API account for
# these changes automatically.
# List credentials.
# GET  /v3/credentials
# Intended scope(s): system, project
#"identity:list_credentials": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"

# DEPRECATED "identity:list_credentials":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:list_credentials":"(role:reader and system_scope:all) or
# user_id:%(target.credential.user_id)s". As of the Stein release, the
# credential API now understands how to handle system-scoped tokens in
# addition to project-scoped tokens, making the API more accessible to
# users without compromising security or manageability for
# administrators. The new default policies for this API account for
# these changes automatically.
# Create credential.
# POST  /v3/credentials
# Intended scope(s): system, project
#"identity:create_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"

# DEPRECATED "identity:create_credential":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:create_credential":"(role:admin and system_scope:all) or
# user_id:%(target.credential.user_id)s". As of the Stein release, the
# credential API now understands how to handle system-scoped tokens in
# addition to project-scoped tokens, making the API more accessible to
# users without compromising security or manageability for
# administrators. The new default policies for this API account for
# these changes automatically.
# Update credential.
# PATCH  /v3/credentials/{credential_id}
# Intended scope(s): system, project
#"identity:update_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"

# DEPRECATED "identity:update_credential":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:update_credential":"(role:admin and system_scope:all) or
# user_id:%(target.credential.user_id)s". As of the Stein release, the
# credential API now understands how to handle system-scoped tokens in
# addition to project-scoped tokens, making the API more accessible to
# users without compromising security or manageability for
# administrators. The new default policies for this API account for
# these changes automatically.
# Delete credential.
# DELETE  /v3/credentials/{credential_id}
# Intended scope(s): system, project
#"identity:delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"

# DEPRECATED "identity:delete_credential":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:delete_credential":"(role:admin and system_scope:all) or
# user_id:%(target.credential.user_id)s". As of the Stein release, the
# credential API now understands how to handle system-scoped tokens in
# addition to project-scoped tokens, making the API more accessible to
# users without compromising security or manageability for
# administrators. The new default policies for this API account for
# these changes automatically.
# Show domain details.
# GET  /v3/domains/{domain_id}
# Intended scope(s): system, domain, project
#"identity:get_domain": "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s"

# DEPRECATED "identity:get_domain":"rule:admin_required or
# token.project.domain.id:%(target.domain.id)s" has been deprecated
# since S in favor of "identity:get_domain":"(role:reader and
# system_scope:all) or token.domain.id:%(target.domain.id)s or
# token.project.domain.id:%(target.domain.id)s".
#
# As of the Stein release, the domain API now understands how to
# handle system-scoped tokens in addition to project-scoped tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# List domains.
# GET  /v3/domains
# Intended scope(s): system
#"identity:list_domains": "role:reader and system_scope:all"

# DEPRECATED "identity:list_domains":"rule:admin_required" has been
# deprecated since S in favor of "identity:list_domains":"role:reader
# and system_scope:all".
#
# As of the Stein release, the domain API now understands how to
# handle system-scoped tokens in addition to project-scoped tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Create domain.
# POST  /v3/domains
# Intended scope(s): system
#"identity:create_domain": "role:admin and system_scope:all"

# DEPRECATED "identity:create_domain":"rule:admin_required" has been
# deprecated since S in favor of "identity:create_domain":"role:admin
# and system_scope:all".
#
# As of the Stein release, the domain API now understands how to
# handle system-scoped tokens in addition to project-scoped tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Update domain.
# PATCH  /v3/domains/{domain_id}
# Intended scope(s): system
#"identity:update_domain": "role:admin and system_scope:all"

# DEPRECATED "identity:update_domain":"rule:admin_required" has been
# deprecated since S in favor of "identity:update_domain":"role:admin
# and system_scope:all".
#
# As of the Stein release, the domain API now understands how to
# handle system-scoped tokens in addition to project-scoped tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Delete domain.
# DELETE  /v3/domains/{domain_id}
# Intended scope(s): system
#"identity:delete_domain": "role:admin and system_scope:all"

# DEPRECATED "identity:delete_domain":"rule:admin_required" has been
# deprecated since S in favor of "identity:delete_domain":"role:admin
# and system_scope:all".
#
# As of the Stein release, the domain API now understands how to
# handle system-scoped tokens in addition to project-scoped tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Create domain configuration.
# PUT  /v3/domains/{domain_id}/config
# Intended scope(s): system
#"identity:create_domain_config": "rule:admin_required"

# Get the entire domain configuration for a domain, an option group
# within a domain, or a specific configuration option within a group
# for a domain.
# GET  /v3/domains/{domain_id}/config
# HEAD  /v3/domains/{domain_id}/config
# GET  /v3/domains/{domain_id}/config/{group}
# HEAD  /v3/domains/{domain_id}/config/{group}
# GET  /v3/domains/{domain_id}/config/{group}/{option}
# HEAD  /v3/domains/{domain_id}/config/{group}/{option}
# Intended scope(s): system
#"identity:get_domain_config": "rule:admin_required"

# Get security compliance domain configuration for either a domain or
# a specific option in a domain.
# GET  /v3/domains/{domain_id}/config/security_compliance
# HEAD  /v3/domains/{domain_id}/config/security_compliance
# GET  /v3/domains/{domain_id}/config/security_compliance/{option}
# HEAD  /v3/domains/{domain_id}/config/security_compliance/{option}
# Intended scope(s): system, project
#"identity:get_security_compliance_domain_config": ""

# Update domain configuration for either a domain, specific group or a
# specific option in a group.
# PATCH  /v3/domains/{domain_id}/config
# PATCH  /v3/domains/{domain_id}/config/{group}
# PATCH  /v3/domains/{domain_id}/config/{group}/{option}
# Intended scope(s): system
#"identity:update_domain_config": "rule:admin_required"

# Delete domain configuration for either a domain, specific group or a
# specific option in a group.
# DELETE  /v3/domains/{domain_id}/config
# DELETE  /v3/domains/{domain_id}/config/{group}
# DELETE  /v3/domains/{domain_id}/config/{group}/{option}
# Intended scope(s): system
#"identity:delete_domain_config": "rule:admin_required"

# Get domain configuration default for either a domain, specific group
# or a specific option in a group.
# GET  /v3/domains/config/default
# HEAD  /v3/domains/config/default
# GET  /v3/domains/config/{group}/default
# HEAD  /v3/domains/config/{group}/default
# GET  /v3/domains/config/{group}/{option}/default
# HEAD  /v3/domains/config/{group}/{option}/default
# Intended scope(s): system
#"identity:get_domain_config_default": "rule:admin_required"

# Show ec2 credential details.
# GET  /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
#"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"

# List ec2 credentials.
# GET  /v3/users/{user_id}/credentials/OS-EC2
#"identity:ec2_list_credentials": "rule:admin_or_owner"

# Create ec2 credential.
# POST  /v3/users/{user_id}/credentials/OS-EC2
#"identity:ec2_create_credential": "rule:admin_or_owner"

# Delete ec2 credential.
# DELETE  /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
#"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"

# Show endpoint details.
# GET  /v3/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:get_endpoint": "role:reader and system_scope:all"

# DEPRECATED "identity:get_endpoint":"rule:admin_required" has been
# deprecated since S in favor of "identity:get_endpoint":"role:reader
# and system_scope:all".
#
# As of the Stein release, the endpoint API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the endpoint API.
# List endpoints.
# GET  /v3/endpoints
# Intended scope(s): system
#"identity:list_endpoints": "role:reader and system_scope:all"

# DEPRECATED "identity:list_endpoints":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_endpoints":"role:reader and system_scope:all".
#
# As of the Stein release, the endpoint API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the endpoint API.
# Create endpoint.
# POST  /v3/endpoints
# Intended scope(s): system
#"identity:create_endpoint": "role:admin and system_scope:all"

# DEPRECATED "identity:create_endpoint":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:create_endpoint":"role:admin and system_scope:all".
#
# As of the Stein release, the endpoint API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the endpoint API.
# Update endpoint.
# PATCH  /v3/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:update_endpoint": "role:admin and system_scope:all"

# DEPRECATED "identity:update_endpoint":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:update_endpoint":"role:admin and system_scope:all".
#
# As of the Stein release, the endpoint API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the endpoint API.
# Delete endpoint.
# DELETE  /v3/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:delete_endpoint": "role:admin and system_scope:all"

# DEPRECATED "identity:delete_endpoint":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:delete_endpoint":"role:admin and system_scope:all".
#
# As of the Stein release, the endpoint API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the endpoint API.
# Create endpoint group.
# POST  /v3/OS-EP-FILTER/endpoint_groups
# Intended scope(s): system
#"identity:create_endpoint_group": "rule:admin_required"

# List endpoint groups.
# GET  /v3/OS-EP-FILTER/endpoint_groups
# Intended scope(s): system
#"identity:list_endpoint_groups": "rule:admin_required"

# Get endpoint group.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# HEAD  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system
#"identity:get_endpoint_group": "rule:admin_required"

# Update endpoint group.
# PATCH  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system
#"identity:update_endpoint_group": "rule:admin_required"

# Delete endpoint group.
# DELETE  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system
#"identity:delete_endpoint_group": "rule:admin_required"

# List all projects associated with a specific endpoint group.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
# Intended scope(s): system
#"identity:list_projects_associated_with_endpoint_group": "rule:admin_required"

# List all endpoints associated with an endpoint group.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
# Intended scope(s): system
#"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required"

# Check if an endpoint group is associated with a project.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# HEAD  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system
#"identity:get_endpoint_group_in_project": "rule:admin_required"

# List endpoint groups associated with a specific project.
# GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
# Intended scope(s): system
#"identity:list_endpoint_groups_for_project": "rule:admin_required"

# Allow a project to access an endpoint group.
# PUT  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system
#"identity:add_endpoint_group_to_project": "rule:admin_required"

# Remove endpoint group from project.
# DELETE  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system
#"identity:remove_endpoint_group_from_project": "rule:admin_required"

# Check a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable.
# HEAD  /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# GET  /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# HEAD  /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# GET  /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# HEAD  /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# GET  /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# HEAD  /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# GET  /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# HEAD  /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# GET  /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# HEAD  /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# GET  /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# HEAD  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# GET  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# HEAD  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# GET  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system
#"identity:check_grant": "role:reader and system_scope:all"

# DEPRECATED "identity:check_grant":"rule:admin_required" has been
# deprecated since S in favor of "identity:check_grant":"role:reader
# and system_scope:all".
#
# As of the Stein release, the assignment API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the system assignment API.
# List roles granted to an actor on a target. A target can be either a
# domain or a project. An actor can be either a user or a group. For
# the OS-INHERIT APIs, it is possible to list inherited role grants
# for actors on domains, where grants are inherited to all projects in
# the specified domain.
# GET  /v3/projects/{project_id}/users/{user_id}/roles
# HEAD  /v3/projects/{project_id}/users/{user_id}/roles
# GET  /v3/projects/{project_id}/groups/{group_id}/roles
# HEAD  /v3/projects/{project_id}/groups/{group_id}/roles
# GET  /v3/domains/{domain_id}/users/{user_id}/roles
# HEAD  /v3/domains/{domain_id}/users/{user_id}/roles
# GET  /v3/domains/{domain_id}/groups/{group_id}/roles
# HEAD  /v3/domains/{domain_id}/groups/{group_id}/roles
# GET  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
# GET  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
# Intended scope(s): system
#"identity:list_grants": "role:reader and system_scope:all"

# DEPRECATED "identity:list_grants":"rule:admin_required" has been
# deprecated since S in favor of "identity:list_grants":"role:reader
# and system_scope:all".
#
# As of the Stein release, the assignment API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the system assignment API.
# Create a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable.
# PUT  /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# PUT  /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# PUT  /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# PUT  /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# PUT  /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# PUT  /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# PUT  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# PUT  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system
#"identity:create_grant": "role:admin and system_scope:all"

# DEPRECATED "identity:create_grant":"rule:admin_required" has been
# deprecated since S in favor of "identity:create_grant":"role:admin
# and system_scope:all".
#
# As of the Stein release, the assignment API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the system assignment API.
# Revoke a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable. In that case, revoking the role grant in the target
# would remove the logical effect of inheriting it to the target's
# projects subtree.
# DELETE  /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# DELETE  /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# DELETE  /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# DELETE  /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# DELETE  /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# DELETE  /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# DELETE  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# DELETE  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system
#"identity:revoke_grant": "role:admin and system_scope:all"

# DEPRECATED "identity:revoke_grant":"rule:admin_required" has been
# deprecated since S in favor of "identity:revoke_grant":"role:admin
# and system_scope:all".
#
# As of the Stein release, the assignment API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the system assignment API.
# List all grants a specific user has on the system.
# HEAD  /v3/system/users/{user_id}/roles
# GET  /v3/system/users/{user_id}/roles
# Intended scope(s): system
#"identity:list_system_grants_for_user": "role:reader and system_scope:all"

# DEPRECATED
# "identity:list_system_grants_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:list_system_grants_for_user":"role:reader and
# system_scope:all".
#
# As of the Stein release, the assignment API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the system assignment API.
# Check if a user has a role on the system.
# HEAD  /v3/system/users/{user_id}/roles/{role_id}
# GET  /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system
#"identity:check_system_grant_for_user": "role:reader and system_scope:all"

# DEPRECATED
# "identity:check_system_grant_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:check_system_grant_for_user":"role:reader and
# system_scope:all".
#
# As of the Stein release, the assignment API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the system assignment API.
# Grant a user a role on the system.
# PUT  /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system
#"identity:create_system_grant_for_user": "role:admin and system_scope:all"

# DEPRECATED
# "identity:create_system_grant_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:create_system_grant_for_user":"role:admin and
# system_scope:all".
#
# As of the Stein release, the assignment API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the system assignment API.
# Remove a role from a user on the system.
# DELETE  /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system
#"identity:revoke_system_grant_for_user": "role:admin and system_scope:all"

# DEPRECATED
# "identity:revoke_system_grant_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:revoke_system_grant_for_user":"role:admin and
# system_scope:all".
#
# As of the Stein release, the assignment API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the system assignment API.
# List all grants a specific group has on the system.
# HEAD  /v3/system/groups/{group_id}/roles
# GET  /v3/system/groups/{group_id}/roles
# Intended scope(s): system
#"identity:list_system_grants_for_group": "role:reader and system_scope:all"

# DEPRECATED
# "identity:list_system_grants_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:list_system_grants_for_group":"role:reader and
# system_scope:all".
#
# As of the Stein release, the assignment API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the system assignment API.
# Check if a group has a role on the system.
# HEAD  /v3/system/groups/{group_id}/roles/{role_id}
# GET  /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system
#"identity:check_system_grant_for_group": "role:reader and system_scope:all"

# DEPRECATED
# "identity:check_system_grant_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:check_system_grant_for_group":"role:reader and
# system_scope:all".
#
# As of the Stein release, the assignment API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the system assignment API.
# Grant a group a role on the system.
# PUT  /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system
#"identity:create_system_grant_for_group": "role:admin and system_scope:all"

# DEPRECATED
# "identity:create_system_grant_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:create_system_grant_for_group":"role:admin and
# system_scope:all".
#
# As of the Stein release, the assignment API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the system assignment API.
# Remove a role from a group on the system.
# ['DELETE']  /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system
#"identity:revoke_system_grant_for_group": "role:admin and system_scope:all"

# DEPRECATED
# "identity:revoke_system_grant_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:revoke_system_grant_for_group":"role:admin and
# system_scope:all".
#
# As of the Stein release, the assignment API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the system assignment API.
# Show group details.
# GET  /v3/groups/{group_id}
# HEAD  /v3/groups/{group_id}
# Intended scope(s): system, domain
#"identity:get_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"

# DEPRECATED "identity:get_group":"rule:admin_required" has been
# deprecated since S in favor of "identity:get_group":"(role:reader
# and system_scope:all) or (role:reader and
# domain_id:%(target.group.domain_id)s)".
#
# As of the Stein release, the group API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# List groups.
# GET  /v3/groups
# HEAD  /v3/groups
# Intended scope(s): system, domain
#"identity:list_groups": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"

# DEPRECATED "identity:list_groups":"rule:admin_required" has been
# deprecated since S in favor of "identity:list_groups":"(role:reader
# and system_scope:all) or (role:reader and
# domain_id:%(target.group.domain_id)s)".
#
# As of the Stein release, the group API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# List groups to which a user belongs.
# GET  /v3/users/{user_id}/groups
# HEAD  /v3/users/{user_id}/groups
# Intended scope(s): system, domain, project
#"identity:list_groups_for_user": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s"

# DEPRECATED "identity:list_groups_for_user":"rule:admin_or_owner" has
# been deprecated since S in favor of
# "identity:list_groups_for_user":"(role:reader and system_scope:all)
# or (role:reader and domain_id:%(target.user.domain_id)s) or
# user_id:%(user_id)s".
#
# As of the Stein release, the group API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Create group.
# POST  /v3/groups
# Intended scope(s): system, domain
#"identity:create_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"

# DEPRECATED "identity:create_group":"rule:admin_required" has been
# deprecated since S in favor of "identity:create_group":"(role:admin
# and system_scope:all) or (role:admin and
# domain_id:%(target.group.domain_id)s)".
#
# As of the Stein release, the group API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Update group.
# PATCH  /v3/groups/{group_id}
# Intended scope(s): system, domain
#"identity:update_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"

# DEPRECATED "identity:update_group":"rule:admin_required" has been
# deprecated since S in favor of "identity:update_group":"(role:admin
# and system_scope:all) or (role:admin and
# domain_id:%(target.group.domain_id)s)".
#
# As of the Stein release, the group API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Delete group.
# DELETE  /v3/groups/{group_id}
# Intended scope(s): system, domain
#"identity:delete_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"

# DEPRECATED "identity:delete_group":"rule:admin_required" has been
# deprecated since S in favor of "identity:delete_group":"(role:admin
# and system_scope:all) or (role:admin and
# domain_id:%(target.group.domain_id)s)".
#
# As of the Stein release, the group API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# List members of a specific group.
# GET  /v3/groups/{group_id}/users
# HEAD  /v3/groups/{group_id}/users
# Intended scope(s): system, domain
#"identity:list_users_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"

# DEPRECATED "identity:list_users_in_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:list_users_in_group":"(role:reader and system_scope:all)
# or (role:reader and domain_id:%(target.group.domain_id)s)".
#
# As of the Stein release, the group API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Remove user from group.
# DELETE  /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system, domain
#"identity:remove_user_from_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"

# DEPRECATED "identity:remove_user_from_group":"rule:admin_required"
# has been deprecated since S in favor of
# "identity:remove_user_from_group":"(role:admin and system_scope:all)
# or (role:admin and domain_id:%(target.group.domain_id)s and
# domain_id:%(target.user.domain_id)s)".
#
# As of the Stein release, the group API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Check whether a user is a member of a group.
# HEAD  /v3/groups/{group_id}/users/{user_id}
# GET  /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system, domain
#"identity:check_user_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"

# DEPRECATED "identity:check_user_in_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:check_user_in_group":"(role:reader and system_scope:all)
# or (role:reader and domain_id:%(target.group.domain_id)s and
# domain_id:%(target.user.domain_id)s)".
#
# As of the Stein release, the group API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Add user to group.
# PUT  /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system, domain
#"identity:add_user_to_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"

# DEPRECATED "identity:add_user_to_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:add_user_to_group":"(role:admin and system_scope:all) or
# (role:admin and domain_id:%(target.group.domain_id)s and
# domain_id:%(target.user.domain_id)s)".
#
# As of the Stein release, the group API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Create identity provider.
# PUT  /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system
#"identity:create_identity_provider": "role:admin and system_scope:all"

# DEPRECATED "identity:create_identity_provider":"rule:admin_required"
# has been deprecated since S in favor of
# "identity:create_identity_provider":"role:admin and
# system_scope:all".
#
# As of the Stein release, the identity provider API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the identity provider API.
# List identity providers.
# GET  /v3/OS-FEDERATION/identity_providers
# HEAD  /v3/OS-FEDERATION/identity_providers
# Intended scope(s): system
#"identity:list_identity_providers": "role:reader and system_scope:all"

# DEPRECATED "identity:list_identity_providers":"rule:admin_required"
# has been deprecated since S in favor of
# "identity:list_identity_providers":"role:reader and
# system_scope:all".
#
# As of the Stein release, the identity provider API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the identity provider API.
# Get identity provider.
# GET  /v3/OS-FEDERATION/identity_providers/{idp_id}
# HEAD  /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system
#"identity:get_identity_provider": "role:reader and system_scope:all"

# DEPRECATED "identity:get_identity_provider":"rule:admin_required"
# has been deprecated since S in favor of
# "identity:get_identity_provider":"role:reader and system_scope:all".
#
# As of the Stein release, the identity provider API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the identity provider API.
# Update identity provider.
# PATCH  /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system
#"identity:update_identity_provider": "role:admin and system_scope:all"

# DEPRECATED "identity:update_identity_provider":"rule:admin_required"
# has been deprecated since S in favor of
# "identity:update_identity_provider":"role:admin and
# system_scope:all".
#
# As of the Stein release, the identity provider API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the identity provider API.
# Delete identity provider.
# DELETE  /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system
#"identity:delete_identity_provider": "role:admin and system_scope:all"

# DEPRECATED "identity:delete_identity_provider":"rule:admin_required"
# has been deprecated since S in favor of
# "identity:delete_identity_provider":"role:admin and
# system_scope:all".
#
# As of the Stein release, the identity provider API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the identity provider API.
# Get information about an association between two roles. When a
# relationship exists between a prior role and an implied role and the
# prior role is assigned to a user, the user also assumes the implied
# role.
# GET  /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system
#"identity:get_implied_role": "rule:admin_required"

# List associations between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role. This
# will return all the implied roles that would be assumed by the user
# who gets the specified prior role.
# GET  /v3/roles/{prior_role_id}/implies
# HEAD  /v3/roles/{prior_role_id}/implies
# Intended scope(s): system
#"identity:list_implied_roles": "rule:admin_required"

# Create an association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role.
# PUT  /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system
#"identity:create_implied_role": "rule:admin_required"

# Delete the association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role. Removing
# the association will cause that effect to be eliminated.
# DELETE  /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system
#"identity:delete_implied_role": "rule:admin_required"

# List all associations between two roles in the system. When a
# relationship exists between a prior role and an implied role and the
# prior role is assigned to a user, the user also assumes the implied
# role.
# GET  /v3/role_inferences
# HEAD  /v3/role_inferences
# Intended scope(s): system
#"identity:list_role_inference_rules": "rule:admin_required"

# Check an association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role.
# HEAD  /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system
#"identity:check_implied_role": "rule:admin_required"

# Get limit enforcement model.
# GET  /v3/limits/model
# HEAD  /v3/limits/model
# Intended scope(s): system, project
# NOTE: the empty rule ("") below is treated by oslo.policy as an
# unconditional allow, so any caller presenting a valid token passes this
# check regardless of role or scope.
#"identity:get_limit_model": ""

# Show limit details.
# GET  /v3/limits/{limit_id}
# HEAD  /v3/limits/{limit_id}
# Intended scope(s): system, project, domain
#"identity:get_limit": "(role:reader and system_scope:all) or project_id:%(target.limit.project_id)s or domain_id:%(target.limit.domain_id)s"

# List limits.
# GET  /v3/limits
# HEAD  /v3/limits
# Intended scope(s): system, project
# NOTE: the empty rule ("") below is treated by oslo.policy as an
# unconditional allow; any caller with a valid token passes this check, so
# any narrowing of what is returned has to come from the API itself, not
# from policy.
#"identity:list_limits": ""

# Create limits.
# POST  /v3/limits
# Intended scope(s): system
#"identity:create_limits": "role:admin and system_scope:all"

# Update limit.
# PATCH  /v3/limits/{limit_id}
# Intended scope(s): system
#"identity:update_limit": "role:admin and system_scope:all"

# Delete limit.
# DELETE  /v3/limits/{limit_id}
# Intended scope(s): system
#"identity:delete_limit": "role:admin and system_scope:all"

# Create a new federated mapping containing one or more sets of rules.
# PUT  /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:create_mapping": "role:admin and system_scope:all"

# DEPRECATED "identity:create_mapping":"rule:admin_required" has been
# deprecated since S in favor of "identity:create_mapping":"role:admin
# and system_scope:all".
#
# As of the Stein release, the federated mapping API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the federated mapping API.
# Get a federated mapping.
# GET  /v3/OS-FEDERATION/mappings/{mapping_id}
# HEAD  /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:get_mapping": "role:reader and system_scope:all"

# DEPRECATED "identity:get_mapping":"rule:admin_required" has been
# deprecated since S in favor of "identity:get_mapping":"role:reader
# and system_scope:all".
#
# As of the Stein release, the federated mapping API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the federated mapping API.
# List federated mappings.
# GET  /v3/OS-FEDERATION/mappings
# HEAD  /v3/OS-FEDERATION/mappings
# Intended scope(s): system
#"identity:list_mappings": "role:reader and system_scope:all"

# DEPRECATED "identity:list_mappings":"rule:admin_required" has been
# deprecated since S in favor of "identity:list_mappings":"role:reader
# and system_scope:all".
#
# As of the Stein release, the federated mapping API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the federated mapping API.
# Active override (the only uncommented rule in this part of the file): make
# "identity:get_mapping" evaluate to whatever "identity:list_mappings"
# resolves to when the policy is enforced. With the list_mappings default
# shown above ("role:reader and system_scope:all") this matches the commented
# get_mapping default, but if list_mappings is ever relaxed by a later
# override, reading a single mapping is relaxed with it. Note that this line
# sits inside the list_mappings deprecation commentary rather than next to
# the get_mapping block it overrides, so it is easy to overlook on review.
"identity:get_mapping": "rule:identity:list_mappings"
# Delete a federated mapping.
# DELETE  /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:delete_mapping": "role:admin and system_scope:all"

# DEPRECATED "identity:delete_mapping":"rule:admin_required" has been
# deprecated since S in favor of "identity:delete_mapping":"role:admin
# and system_scope:all".
#
# As of the Stein release, the federated mapping API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the federated mapping API.
# Update a federated mapping.
# PATCH  /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:update_mapping": "role:admin and system_scope:all"

# DEPRECATED "identity:update_mapping":"rule:admin_required" has been
# deprecated since S in favor of "identity:update_mapping":"role:admin
# and system_scope:all".
#
# As of the Stein release, the federated mapping API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the federated mapping API.
# Show policy details.
# GET  /v3/policy/{policy_id}
# Intended scope(s): system
#"identity:get_policy": "rule:admin_required"

# List policies.
# GET  /v3/policies
# Intended scope(s): system
#"identity:list_policies": "rule:admin_required"

# Create policy.
# POST  /v3/policies
# Intended scope(s): system
#"identity:create_policy": "rule:admin_required"

# Update policy.
# PATCH  /v3/policies/{policy_id}
# Intended scope(s): system
#"identity:update_policy": "rule:admin_required"

# Delete policy.
# DELETE  /v3/policies/{policy_id}
# Intended scope(s): system
#"identity:delete_policy": "rule:admin_required"

# Associate a policy to a specific endpoint.
# PUT  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:create_policy_association_for_endpoint": "rule:admin_required"

# Check policy association for endpoint.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:check_policy_association_for_endpoint": "rule:admin_required"

# Delete policy association for endpoint.
# DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:delete_policy_association_for_endpoint": "rule:admin_required"

# Associate a policy to a specific service.
# PUT  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system
#"identity:create_policy_association_for_service": "rule:admin_required"

# Check policy association for service.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system
#"identity:check_policy_association_for_service": "rule:admin_required"

# Delete policy association for service.
# DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system
#"identity:delete_policy_association_for_service": "rule:admin_required"

# Associate a policy to a specific region and service combination.
# PUT  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system
#"identity:create_policy_association_for_region_and_service": "rule:admin_required"

# Check policy association for region and service.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system
#"identity:check_policy_association_for_region_and_service": "rule:admin_required"

# Delete policy association for region and service.
# DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system
#"identity:delete_policy_association_for_region_and_service": "rule:admin_required"

# Get policy for endpoint.
# GET  /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
# HEAD  /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
# Intended scope(s): system
#"identity:get_policy_for_endpoint": "rule:admin_required"

# List endpoints for policy.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
# Intended scope(s): system
#"identity:list_endpoints_for_policy": "rule:admin_required"

# Show project details.
# GET  /v3/projects/{project_id}
# Intended scope(s): system, domain, project
#"identity:get_project": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"

# DEPRECATED "identity:get_project":"rule:admin_required or
# project_id:%(target.project.id)s" has been deprecated since S in
# favor of "identity:get_project":"(role:reader and system_scope:all)
# or (role:reader and domain_id:%(target.project.domain_id)s) or
# project_id:%(target.project.id)s".
#
# As of the Stein release, the project API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# List projects.
# GET  /v3/projects
# Intended scope(s): system, domain
#"identity:list_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"

# DEPRECATED "identity:list_projects":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_projects":"(role:reader and system_scope:all) or
# (role:reader and domain_id:%(target.domain_id)s)".
#
# As of the Stein release, the project API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# List projects for user.
# GET  /v3/users/{user_id}/projects
# Intended scope(s): system, domain, project
#"identity:list_user_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"

# DEPRECATED "identity:list_user_projects":"rule:admin_or_owner" has
# been deprecated since S in favor of
# "identity:list_user_projects":"(role:reader and system_scope:all) or
# (role:reader and domain_id:%(target.user.domain_id)s) or
# user_id:%(target.user.id)s".
#
# As of the Stein release, the project API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Create project.
# POST  /v3/projects
# Intended scope(s): system, domain
#"identity:create_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"

# DEPRECATED "identity:create_project":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:create_project":"(role:admin and system_scope:all) or
# (role:admin and domain_id:%(target.project.domain_id)s)".
#
# As of the Stein release, the project API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Update project.
# PATCH  /v3/projects/{project_id}
# Intended scope(s): system, domain
#"identity:update_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"

# DEPRECATED "identity:update_project":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:update_project":"(role:admin and system_scope:all) or
# (role:admin and domain_id:%(target.project.domain_id)s)".
#
# As of the Stein release, the project API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# Delete project.
# DELETE  /v3/projects/{project_id}
# Intended scope(s): system, domain
#"identity:delete_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"

# DEPRECATED "identity:delete_project":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:delete_project":"(role:admin and system_scope:all) or
# (role:admin and domain_id:%(target.project.domain_id)s)".
#
# As of the Stein release, the project API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.
# List tags for a project.
# GET  /v3/projects/{project_id}/tags
# HEAD  /v3/projects/{project_id}/tags
#"identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s"

# Check if project contains a tag.
# GET  /v3/projects/{project_id}/tags/{value}
# HEAD  /v3/projects/{project_id}/tags/{value}
#"identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s"

# Replace all tags on a project with the new set of tags.
# PUT  /v3/projects/{project_id}/tags
# Intended scope(s): system
#"identity:update_project_tags": "rule:admin_required"

# Add a single tag to a project.
# PUT  /v3/projects/{project_id}/tags/{value}
# Intended scope(s): system
#"identity:create_project_tag": "rule:admin_required"

# Remove all tags from a project.
# DELETE  /v3/projects/{project_id}/tags
# Intended scope(s): system
#"identity:delete_project_tags": "rule:admin_required"

# Delete a specified tag from project.
# DELETE  /v3/projects/{project_id}/tags/{value}
# Intended scope(s): system
#"identity:delete_project_tag": "rule:admin_required"

# List projects allowed to access an endpoint.
# GET  /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
# Intended scope(s): system
#"identity:list_projects_for_endpoint": "rule:admin_required"

# Allow project to access an endpoint.
# PUT  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:add_endpoint_to_project": "rule:admin_required"

# Check if a project is allowed to access an endpoint.
# GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# HEAD  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:check_endpoint_in_project": "rule:admin_required"

# List the endpoints a project is allowed to access.
# GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoints
# Intended scope(s): system
#"identity:list_endpoints_for_project": "rule:admin_required"

# Remove access to an endpoint from a project that has previously been
# given explicit access.
# DELETE  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:remove_endpoint_from_project": "rule:admin_required"

# Create federated protocol.
# PUT  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:create_protocol": "role:admin and system_scope:all"

# DEPRECATED "identity:create_protocol":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:create_protocol":"role:admin and system_scope:all".
#
# As of the Stein release, the federated protocol API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the protocol API.
# Update federated protocol.
# PATCH  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:update_protocol": "role:admin and system_scope:all"

# DEPRECATED "identity:update_protocol":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:update_protocol":"role:admin and system_scope:all".
#
# As of the Stein release, the federated protocol API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the protocol API.
# Get federated protocol.
# GET  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:get_protocol": "role:reader and system_scope:all"

# DEPRECATED "identity:get_protocol":"rule:admin_required" has been
# deprecated since S in favor of "identity:get_protocol":"role:reader
# and system_scope:all".
#
# As of the Stein release, the federated protocol API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the protocol API.

# List federated protocols.
# GET  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
# Intended scope(s): system
#"identity:list_protocols": "role:reader and system_scope:all"

# DEPRECATED "identity:list_protocols":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_protocols":"role:reader and system_scope:all".
#
# As of the Stein release, the federated protocol API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the protocol API.

# Delete federated protocol.
# DELETE  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:delete_protocol": "role:admin and system_scope:all"

# DEPRECATED "identity:delete_protocol":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:delete_protocol":"role:admin and system_scope:all".
#
# As of the Stein release, the federated protocol API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the protocol API.

# Show region details.
# GET  /v3/regions/{region_id}
# HEAD  /v3/regions/{region_id}
# Intended scope(s): system, domain, project
# An empty rule ("") always evaluates to true, so any authenticated
# caller, whatever the token scope, may use this API. Override it if
# region metadata should not be readable by every user.
#"identity:get_region": ""

# List regions.
# GET  /v3/regions
# HEAD  /v3/regions
# Intended scope(s): system, domain, project
#"identity:list_regions": ""

# Create region.
# POST  /v3/regions
# PUT  /v3/regions/{region_id}
# Intended scope(s): system
#"identity:create_region": "role:admin and system_scope:all"

# DEPRECATED "identity:create_region":"rule:admin_required" has been
# deprecated since S in favor of "identity:create_region":"role:admin
# and system_scope:all". As of the Stein release, the region API now
# understands default roles and system-scoped tokens, making the API
# more granular without compromising security. The new policies for
# this API account for these changes automatically. Be sure to take
# these new defaults into consideration if you are relying on
# overrides in your deployment for the region API.

# Update region.
# PATCH  /v3/regions/{region_id}
# Intended scope(s): system
#"identity:update_region": "role:admin and system_scope:all"

# DEPRECATED "identity:update_region":"rule:admin_required" has been
# deprecated since S in favor of "identity:update_region":"role:admin
# and system_scope:all". As of the Stein release, the region API now
# understands default roles and system-scoped tokens, making the API
# more granular without compromising security. The new policies for
# this API account for these changes automatically. Be sure to take
# these new defaults into consideration if you are relying on
# overrides in your deployment for the region API.

# Delete region.
# DELETE  /v3/regions/{region_id}
# Intended scope(s): system
#"identity:delete_region": "role:admin and system_scope:all"

# DEPRECATED "identity:delete_region":"rule:admin_required" has been
# deprecated since S in favor of "identity:delete_region":"role:admin
# and system_scope:all". As of the Stein release, the region API now
# understands default roles and system-scoped tokens, making the API
# more granular without compromising security. The new policies for
# this API account for these changes automatically. Be sure to take
# these new defaults into consideration if you are relying on
# overrides in your deployment for the region API.

# Show registered limit details.
# GET  /v3/registered_limits/{registered_limit_id}
# HEAD  /v3/registered_limits/{registered_limit_id}
# Intended scope(s): system, domain, project
#"identity:get_registered_limit": ""

# List registered limits.
# GET  /v3/registered_limits
# HEAD  /v3/registered_limits
# Intended scope(s): system, domain, project
#"identity:list_registered_limits": ""

# Create registered limits.
# POST  /v3/registered_limits
# Intended scope(s): system
#"identity:create_registered_limits": "role:admin and system_scope:all"

# Update registered limit.
# PATCH  /v3/registered_limits/{registered_limit_id}
# Intended scope(s): system
#"identity:update_registered_limit": "role:admin and system_scope:all"

# Delete registered limit.
# DELETE  /v3/registered_limits/{registered_limit_id}
# Intended scope(s): system
#"identity:delete_registered_limit": "role:admin and system_scope:all"

# List revocation events.
# GET  /v3/OS-REVOKE/events
# Intended scope(s): system
#"identity:list_revoke_events": "rule:service_or_admin"

# Show role details.
# GET  /v3/roles/{role_id}
# HEAD  /v3/roles/{role_id}
# Intended scope(s): system
#"identity:get_role": "role:reader and system_scope:all"

# DEPRECATED "identity:get_role":"rule:admin_required" has been
# deprecated since S in favor of "identity:get_role":"role:reader and
# system_scope:all".
#
# As of the Stein release, the role API now understands default roles
# and system-scoped tokens, making the API more granular by default
# without compromising security. The new policy defaults account for
# these changes automatically. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the role API.

# List roles.
# GET  /v3/roles
# HEAD  /v3/roles
# Intended scope(s): system
#"identity:list_roles": "role:reader and system_scope:all"

# DEPRECATED "identity:list_roles":"rule:admin_required" has been
# deprecated since S in favor of "identity:list_roles":"role:reader
# and system_scope:all".
#
# As of the Stein release, the role API now understands default roles
# and system-scoped tokens, making the API more granular by default
# without compromising security. The new policy defaults account for
# these changes automatically. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the role API.

# Create role.
# POST  /v3/roles
# Intended scope(s): system
#"identity:create_role": "role:admin and system_scope:all"

# DEPRECATED "identity:create_role":"rule:admin_required" has been
# deprecated since S in favor of "identity:create_role":"role:admin
# and system_scope:all".
#
# As of the Stein release, the role API now understands default roles
# and system-scoped tokens, making the API more granular by default
# without compromising security. The new policy defaults account for
# these changes automatically. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the role API.

# Update role.
# PATCH  /v3/roles/{role_id}
# Intended scope(s): system
#"identity:update_role": "role:admin and system_scope:all"

# DEPRECATED "identity:update_role":"rule:admin_required" has been
# deprecated since S in favor of "identity:update_role":"role:admin
# and system_scope:all".
#
# As of the Stein release, the role API now understands default roles
# and system-scoped tokens, making the API more granular by default
# without compromising security. The new policy defaults account for
# these changes automatically. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the role API.

# Delete role.
# DELETE  /v3/roles/{role_id}
# Intended scope(s): system
#"identity:delete_role": "role:admin and system_scope:all"

# DEPRECATED "identity:delete_role":"rule:admin_required" has been
# deprecated since S in favor of "identity:delete_role":"role:admin
# and system_scope:all".
#
# As of the Stein release, the role API now understands default roles
# and system-scoped tokens, making the API more granular by default
# without compromising security. The new policy defaults account for
# these changes automatically. Be sure to take these new defaults into
# consideration if you are relying on overrides in your deployment for
# the role API.

# Show domain role.
# GET  /v3/roles/{role_id}
# HEAD  /v3/roles/{role_id}
# Intended scope(s): system
# NOTE(review): unlike the role API above, the domain-role rules still
# use the legacy rule:admin_required, which only checks for the admin
# role and does not check token scope; a project- or domain-scoped
# admin token therefore satisfies it as well. Override these rules if
# you need the same system-scope restriction as the role API.
#"identity:get_domain_role": "rule:admin_required"

# List domain roles.
# GET  /v3/roles?domain_id={domain_id}
# HEAD  /v3/roles?domain_id={domain_id}
# Intended scope(s): system
#"identity:list_domain_roles": "rule:admin_required"

# Create domain role.
# POST  /v3/roles
# Intended scope(s): system
#"identity:create_domain_role": "rule:admin_required"

# Update domain role.
# PATCH  /v3/roles/{role_id}
# Intended scope(s): system
#"identity:update_domain_role": "rule:admin_required"

# Delete domain role.
# DELETE  /v3/roles/{role_id}
# Intended scope(s): system
#"identity:delete_domain_role": "rule:admin_required"

# List role assignments.
# GET  /v3/role_assignments
# HEAD  /v3/role_assignments
# Intended scope(s): system, domain
#"identity:list_role_assignments": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"

# DEPRECATED "identity:list_role_assignments":"rule:admin_required"
# has been deprecated since S in favor of
# "identity:list_role_assignments":"(role:reader and system_scope:all)
# or (role:reader and domain_id:%(target.domain_id)s)".
#
# As of the Stein release, the role assignment API now understands how
# to handle system-scoped tokens in addition to project-scoped tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.

# List all role assignments for a given tree of hierarchical projects.
# GET  /v3/role_assignments?include_subtree
# HEAD  /v3/role_assignments?include_subtree
# Intended scope(s): project
#"identity:list_role_assignments_for_tree": "rule:admin_required"

# Show service details.
# GET  /v3/services/{service_id}
# Intended scope(s): system
#"identity:get_service": "role:reader and system_scope:all"

# DEPRECATED "identity:get_service":"rule:admin_required" has been
# deprecated since S in favor of "identity:get_service":"role:reader
# and system_scope:all".
#
# As of the Stein release, the service API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the service API.

# List services.
# GET  /v3/services
# Intended scope(s): system
#"identity:list_services": "role:reader and system_scope:all"

# DEPRECATED "identity:list_services":"rule:admin_required" has been
# deprecated since S in favor of "identity:list_services":"role:reader
# and system_scope:all".
#
# As of the Stein release, the service API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the service API.

# Create service.
# POST  /v3/services
# Intended scope(s): system
#"identity:create_service": "role:admin and system_scope:all"

# DEPRECATED "identity:create_service":"rule:admin_required" has been
# deprecated since S in favor of "identity:create_service":"role:admin
# and system_scope:all".
#
# As of the Stein release, the service API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the service API.

# Update service.
# PATCH  /v3/services/{service_id}
# Intended scope(s): system
#"identity:update_service": "role:admin and system_scope:all"

# DEPRECATED "identity:update_service":"rule:admin_required" has been
# deprecated since S in favor of "identity:update_service":"role:admin
# and system_scope:all".
#
# As of the Stein release, the service API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the service API.

# Delete service.
# DELETE  /v3/services/{service_id}
# Intended scope(s): system
#"identity:delete_service": "role:admin and system_scope:all"

# DEPRECATED "identity:delete_service":"rule:admin_required" has been
# deprecated since S in favor of "identity:delete_service":"role:admin
# and system_scope:all".
#
# As of the Stein release, the service API now understands default
# roles and system-scoped tokens, making the API more granular by
# default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the service API.

# Create federated service provider.
# PUT  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system
#"identity:create_service_provider": "role:admin and system_scope:all"

# DEPRECATED "identity:create_service_provider":"rule:admin_required"
# has been deprecated since S in favor of
# "identity:create_service_provider":"role:admin and
# system_scope:all".
#
# As of the Stein release, the service provider API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the service provider API.

# List federated service providers.
# GET  /v3/OS-FEDERATION/service_providers
# HEAD  /v3/OS-FEDERATION/service_providers
# Intended scope(s): system
#"identity:list_service_providers": "role:reader and system_scope:all"

# DEPRECATED "identity:list_service_providers":"rule:admin_required"
# has been deprecated since S in favor of
# "identity:list_service_providers":"role:reader and
# system_scope:all".
#
# As of the Stein release, the service provider API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the service provider API.

# Get federated service provider.
# GET  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# HEAD  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system
#"identity:get_service_provider": "role:reader and system_scope:all"

# DEPRECATED "identity:get_service_provider":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:get_service_provider":"role:reader and system_scope:all".
#
# As of the Stein release, the service provider API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the service provider API.

# Update federated service provider.
# PATCH  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system
#"identity:update_service_provider": "role:admin and system_scope:all"

# DEPRECATED "identity:update_service_provider":"rule:admin_required"
# has been deprecated since S in favor of
# "identity:update_service_provider":"role:admin and
# system_scope:all".
#
# As of the Stein release, the service provider API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the service provider API.

# Delete federated service provider.
# DELETE  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system
#"identity:delete_service_provider": "role:admin and system_scope:all"

# DEPRECATED "identity:delete_service_provider":"rule:admin_required"
# has been deprecated since S in favor of
# "identity:delete_service_provider":"role:admin and
# system_scope:all".
#
# As of the Stein release, the service provider API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the service provider API.

# List revoked PKI tokens.
# GET  /v3/auth/tokens/OS-PKI/revoked
# Intended scope(s): system, project
# NOTE(review): this serves the legacy PKI-token revocation list. If
# your deployment does not issue PKI tokens the endpoint is unused, but
# keep the rule restricted to service users and admins rather than
# relaxing it.
#"identity:revocation_list": "rule:service_or_admin"

# Check a token.
# HEAD  /v3/auth/tokens
# No intended scope is declared, so the rule is evaluated for tokens of
# any scope. Besides admins, the user who owns the token being checked
# may check it (rule:token_subject).
#"identity:check_token": "rule:admin_or_token_subject"

# Validate a token.
# GET  /v3/auth/tokens
# No intended scope is declared. Compared with check_token, this rule
# additionally allows service users (rule:service_role), which is what
# lets other services validate incoming tokens.
#"identity:validate_token": "rule:service_admin_or_token_subject"

# Revoke a token.
# DELETE  /v3/auth/tokens
#"identity:revoke_token": "rule:admin_or_token_subject"

# Create trust.
# POST  /v3/OS-TRUST/trusts
# Intended scope(s): project
# The caller must be the trustor: the rule compares the token's user_id
# with the trustor_user_id of the trust being created, so a user cannot
# delegate another user's roles.
#"identity:create_trust": "user_id:%(trust.trustor_user_id)s"

# List trusts.
# GET  /v3/OS-TRUST/trusts
# HEAD  /v3/OS-TRUST/trusts
# Intended scope(s): project
# NOTE(review): the empty rule passes for any authenticated caller; no
# narrowing to the trustor or trustee is expressed in policy here, so
# confirm the API's own filtering before relying on this default.
#"identity:list_trusts": ""

# List roles delegated by a trust.
# GET  /v3/OS-TRUST/trusts/{trust_id}/roles
# HEAD  /v3/OS-TRUST/trusts/{trust_id}/roles
# Intended scope(s): project
#"identity:list_roles_for_trust": ""

# Check if trust delegates a particular role.
# GET  /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
# HEAD  /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
# Intended scope(s): project
#"identity:get_role_for_trust": ""

# Revoke trust.
# DELETE  /v3/OS-TRUST/trusts/{trust_id}
# Intended scope(s): project
# NOTE(review): policy alone does not limit who may revoke a trust (the
# rule is empty); verify that ownership is enforced by the API before
# treating this default as safe.
#"identity:delete_trust": ""

# Get trust.
# GET  /v3/OS-TRUST/trusts/{trust_id}
# HEAD  /v3/OS-TRUST/trusts/{trust_id}
# Intended scope(s): project
#"identity:get_trust": ""

# Show user details.
# GET  /v3/users/{user_id}
# HEAD  /v3/users/{user_id}
# Intended scope(s): system, domain, project
#"identity:get_user": "(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"

# DEPRECATED "identity:get_user":"rule:admin_or_owner" has been
# deprecated since S in favor of "identity:get_user":"(role:reader and
# system_scope:all) or (role:reader and
# token.domain.id:%(target.user.domain_id)s) or
# user_id:%(target.user.id)s".
#
# As of the Stein release, the user API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.

# List users.
# GET  /v3/users
# HEAD  /v3/users
# Intended scope(s): system, domain
#"identity:list_users": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"

# DEPRECATED "identity:list_users":"rule:admin_required" has been
# deprecated since S in favor of "identity:list_users":"(role:reader
# and system_scope:all) or (role:reader and
# domain_id:%(target.domain_id)s)".
#
# As of the Stein release, the user API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.

# List all projects a user has access to via role assignments.
# GET   /v3/auth/projects
#"identity:list_projects_for_user": ""

# List all domains a user has access to via role assignments.
# GET  /v3/auth/domains
#"identity:list_domains_for_user": ""

# Create a user.
# POST  /v3/users
# Intended scope(s): system, domain
#"identity:create_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"

# DEPRECATED "identity:create_user":"rule:admin_required" has been
# deprecated since S in favor of "identity:create_user":"(role:admin
# and system_scope:all) or (role:admin and
# token.domain.id:%(target.user.domain_id)s)".
#
# As of the Stein release, the user API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.

# Update a user, including administrative password resets.
# PATCH  /v3/users/{user_id}
# Intended scope(s): system, domain
#"identity:update_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"

# DEPRECATED "identity:update_user":"rule:admin_required" has been
# deprecated since S in favor of "identity:update_user":"(role:admin
# and system_scope:all) or (role:admin and
# token.domain.id:%(target.user.domain_id)s)".
#
# As of the Stein release, the user API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.

# Delete a user.
# DELETE  /v3/users/{user_id}
# Intended scope(s): system, domain
#"identity:delete_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"

# DEPRECATED "identity:delete_user":"rule:admin_required" has been
# deprecated since S in favor of "identity:delete_user":"(role:admin
# and system_scope:all) or (role:admin and
# token.domain.id:%(target.user.domain_id)s)".
#
# As of the Stein release, the user API understands how to handle
# system-scoped tokens in addition to project and domain tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically.