Querying Permission Assignment Records¶
Function¶
This API is used to query permission assignment records of a specified account.
URI¶
GET /v3.0/OS-PERMISSION/role-assignments
Request Parameters¶
Parameter | Mandatory | Type | Description |
---|---|---|---|
X-Auth-Token | Yes | String |
Parameter | Mandatory | Type | Description |
---|---|---|---|
domain_id | Yes | String | Account ID. For details about how to obtain the account ID, see Obtaining User, Account, User Group, Project, and Agency Information. |
role_id | No | String | Policy ID. |
subject | No | String | Principal. The value can be user, group, or agency. This parameter is exclusive with subject.user_id, subject.group_id, and subject.agency_id. |
subject.user_id | No | String | ID of the IAM user. For details about how to obtain the ID, see Obtaining User, Account, User Group, Project, and Agency Information. |
subject.group_id | No | String | ID of the user group. For details about how to obtain the ID, see Obtaining User, Account, User Group, Project, and Agency Information. |
subject.agency_id | No | String | Agency ID. For details about how to obtain the agency ID, see Obtaining User, Account, User Group, Project, and Agency Information. |
scope | No | String | Authorization scope. The value can be project, domain, or enterprise_project. This parameter is mutually exclusive with scope.project_id, scope.domain_id, and scope.enterprise_projects_id. Note
|
scope.project_id | No | String | Project ID. For details about how to obtain the project ID, see Obtaining User, Account, User Group, Project, and Agency Information. |
scope.domain_id | No | String | Account ID. For details about how to obtain the account ID, see Obtaining User, Account, User Group, Project, and Agency Information. |
scope.enterprise_projects_id | No | String | ID of an authorized enterprise project. |
is_inherited | No | Boolean | Whether to include all project-based authorization records. The default value is false. This parameter is valid only when scope is set to domain or scope.domain_id is specified. true: Query all project-based authorization records. false: Query global service authorization records. |
include_group | No | Boolean | Whether to include user group-based authorization records. The default value is true. This parameter is valid only when subject is set to user or subject.user_id is specified. true: Query authorization records of IAM users and user groups which the IAM users belong to. false: Only query authorization records of IAM users. |
page | No | String | Page number for pagination query. The minimum value is 1. This parameter must be used together with per_page. |
per_page | No | String | Number of data records to be displayed on each page during pagination query. The value ranges from 1 to 50. This parameter must be specified together with page. |
Response Parameters¶
Parameter | Type | Description |
---|---|---|
total_num | Long | Total number of returned authorization records. |
Array of RoleAssignmentBody objects | Authorization information. |
Parameter | Type | Description |
---|---|---|
user | RoleUserAssignmentId object | Authorized user. |
role | RoleAssignmentId object | Authorization policy. |
group | RoleGroupAssignmentId object | Authorized user group. |
agency | RoleAgencyAssignmentId object | Authorization agency. |
scope | RoleAssignmentScope object | Authorization scope. |
is_inherited | Boolean | Whether the authorization is based on all projects. |
Parameter | Type | Description |
---|---|---|
id | String | IAM user ID. |
Parameter | Type | Description |
---|---|---|
id | String | Permission ID. |
Parameter | Type | Description |
---|---|---|
id | String | User group ID. |
Parameter | Type | Description |
---|---|---|
id | String | Agency ID. |
Parameter | Type | Description |
---|---|---|
project | RoleProjectAssignmentId object | IAM project-based authorization. |
domain | RoleDomainAssignmentId object | Authorization based on global services or all projects. |
enterprise_project | RoleEnterpriseProjectAssignmentId object | Enterprise project-based authorization. |
Parameter | Type | Description |
---|---|---|
id | String | IAM project ID. |
Parameter | Type | Description |
---|---|---|
id | String | Global service ID. |
Parameter | Type | Description |
---|---|---|
id | String | Enterprise project ID. |
Example Request¶
GET https://sample.domain.com/v3.0/OS-PERMISSION/role-assignments?{domain_id}
Example Response¶
Status code: 200
The request is successful.
{
"role_assignments":{
"group":{
"id":"07609e7eb200250a3f7dc003cb7a4e2d"
},
"is_inherited":true,
"role":{
"id":"11e5c42d20cc349a2b9e2f8afd253f50c"
},
"scope":{
"domain":{
"id":"d78cbac186b744899480f25bd022f468"
}
}
},
"total_num":1
}
Status Code¶
Status Code | Description |
---|---|
200 | The request is successful. |
400 | Invalid parameters. |
401 | Authentication failed. |
403 | Access denied. |
Error Codes¶
For details, see Error Codes.