Action List

Token Management

| Permission | API | Action |
| --- | --- | --- |
| Obtaining an Agency Token | POST /v3/auth/tokens | iam:tokens:assume |

Access Key Management

| Permission | API | Action |
| --- | --- | --- |
| Listing Permanent Access Keys | GET /v3.0/OS-CREDENTIAL/credentials | iam:credentials:listCredentials |
| Querying a Permanent Access Key | GET /v3.0/OS-CREDENTIAL/credentials/{access_key} | iam:credentials:getCredential |
| Creating a Permanent Access Key | POST /v3.0/OS-CREDENTIAL/credentials | iam:credentials:createCredential |
| Modifying a Permanent Access Key | PUT /v3.0/OS-CREDENTIAL/credentials/{access_key} | iam:credentials:updateCredential |
| Deleting a Permanent Access Key | DELETE /v3.0/OS-CREDENTIAL/credentials/{access_key} | iam:credentials:deleteCredential |

Virtual MFA Device Management

| Permission | API | Action |
| --- | --- | --- |
| Unbinding a Virtual MFA Device | PUT /v3.0/OS-MFA/mfa-devices/unbind | iam:mfa:unbindMFADevice |
| Binding a Virtual MFA Device | PUT /v3.0/OS-MFA/mfa-devices/bind | iam:mfa:bindMFADevice |
| Creating a Virtual MFA Device | POST /v3.0/OS-MFA/virtual-mfa-devices | iam:mfa:createVirtualMFADevice |
| Deleting a Virtual MFA Device | DELETE /v3.0/OS-MFA/virtual-mfa-devices | iam:mfa:deleteVirtualMFADevice |

Project Management

| Permission | API | Action |
| --- | --- | --- |
| Creating a Project | POST /v3/projects | iam:projects:createProject |
| Modifying Project Data | PATCH /v3/projects/{project_id} | iam:projects:updateProject |
| Changing Project Status | PUT /v3-ext/projects/{project_id} | iam:projects:updateProject |
| Querying the List of Projects Accessible to Users | GET /v3/users/{user_id}/projects | iam:projects:listProjectsForUser |
| Deleting a Project | DELETE /v3/projects/{project_id} | iam:projects:deleteProject |
| Querying the Quotas of a Project | GET /v3.0/OS-QUOTA/projects/{project_id} | iam:quotas:listQuotasForProject |

Tenant Management

| Permission | API | Action |
| --- | --- | --- |
| Querying Tenant Quotas | GET /v3.0/OS-QUOTA/domains/{domain_id} | iam:quotas:listQuotas |

User Management

| Permission | API | Action |
| --- | --- | --- |
| Listing Users | GET /v3/users | iam:users:listUsers |
| Querying User Details | GET /v3/users/{user_id} | iam:users:getUser |
| Querying User Details (Recommended) | GET /v3.0/OS-USER/users/{user_id} | iam:users:getUser |
| Querying the User Group to Which a User Belongs | GET /v3/users/{user_id}/groups | iam:groups:listGroupsForUser |
| Querying Users in a User Group | GET /v3/groups/{group_id}/users | iam:users:listUsersForGroup |
| Creating a User | POST /v3/users | iam:users:createUser |
| Changing the Password of a User | POST /v3/users/{user_id}/password | iam:users:updateUserPassword |
| Modifying User Information | PATCH /v3/users/{user_id} | iam:users:updateUser |
| Deleting a User | DELETE /v3/users/{user_id} | iam:users:deleteUser |
| Creating a User (Recommended) | POST /v3.0/OS-USER/users | iam:users:createUser |
| Resetting a User's Password | x | iam:users:resetUserPassword |
| Configuring Login Protection | x | iam:users:setUserLoginProtect |
| Listing Users Who Have Access to a Specified Project | x | iam:users:listUsersForProject |
| Deleting a User from a User Group | DELETE /v3/groups/{group_id}/users/{user_id} | iam:permissions:removeUserFromGroup |
| Querying MFA Device Information of Users | GET /v3.0/OS-MFA/virtual-mfa-devices | iam:mfa:listVirtualMFADevices |
| Querying the MFA Device Information of a User | GET /v3.0/OS-MFA/users/{user_id}/virtual-mfa-device | iam:mfa:getVirtualMFADevice |
| Querying Login Protection Configurations of Users | GET /v3.0/OS-USER/login-protects | iam:users:listUserLoginProtects |
| Querying the Login Protection Configuration of a User | GET /v3.0/OS-USER/users/{user_id}/login-protect | iam:users:getUserLoginProtect |

User Group Management

| Permission | API | Action |
| --- | --- | --- |
| Querying Users in a User Group | GET /v3/groups/{group_id}/users | iam:users:listUsersForGroup |
| Listing User Groups | GET /v3/groups{?domain_id,name} | iam:groups:listGroups |
| Querying User Group Details | GET /v3/groups/{group_id} | iam:groups:getGroup |
| Creating a User Group | POST /v3/groups | iam:groups:createGroup |
| Adding a User to a User Group | PUT /v3/groups/{group_id}/users/{user_id} | iam:permissions:addUserToGroup |
| Updating User Group Information | PATCH /v3/groups/{group_id} | iam:groups:updateGroup |
| Deleting a User Group | DELETE /v3/groups/{group_id} | iam:groups:deleteGroup; iam:permissions:removeUserFromGroup; iam:permissions:revokeRoleFromGroup; iam:permissions:revokeRoleFromGroupOnProject; iam:permissions:revokeRoleFromGroupOnDomain |
| Checking Whether a User Belongs to a Specified User Group | HEAD /v3/groups/{group_id}/users/{user_id} | iam:permissions:checkUserInGroup |

Permissions Management

| Permission | API | Action |
| --- | --- | --- |
| Querying a Role List | GET /v3/roles | iam:roles:listRoles |
| Querying Role Details | GET /v3/roles/{role_id} | iam:roles:getRole |
| Querying Permissions of a User Group Under a Domain | GET /v3/domains/{domain_id}/groups/{group_id}/roles | iam:permissions:listRolesForGroupOnDomain |
| Querying Permissions of a User Group Corresponding to a Project | GET /v3/projects/{project_id}/groups/{group_id}/roles | iam:permissions:listRolesForGroupOnProject |
| Granting Permissions to a User Group of a Domain | PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:permissions:grantRoleToGroupOnDomain |
| Granting Permissions to a User Group Corresponding to a Project | PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:permissions:grantRoleToGroupOnProject |
| Removing Permissions of a User Group Corresponding to a Project | DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:permissions:revokeRoleFromGroupOnProject |
| Removing Permissions of a User Group of a Domain | DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:permissions:revokeRoleFromGroupOnDomain |
| Querying Whether a User Group Under a Domain Has Specific Permissions | HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:permissions:checkRoleForGroupOnDomain |
| Querying Whether a User Group Corresponding to a Project Has Specific Permissions | HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:permissions:checkRoleForGroupOnProject |
| Granting Permissions to a User Group | PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}; PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:permissions:grantRoleToGroup |
| Querying the Permissions Granted to a User for a Specified Project | x | iam:permissions:listRolesForUserOnProject |
| Querying All Permissions of a User Group | x | iam:permissions:listRolesForGroup |
| Checking Whether a User Group Has Specified Permissions | | iam:permissions:checkRoleForGroup |
| Removing Permissions of a User Group | | iam:permissions:revokeRoleFromGroup |
| Querying a Resource Quota | GET /v3.0/OS-QUOTA/domains/{domain_id}?type={user, group, idp, agency, policy} | iam:quotas:listQuotas |

Custom Policy Management

| Permission | API | Action |
| --- | --- | --- |
| Listing Custom Policies | GET /v3.0/OS-ROLE/roles | iam:roles:listRoles |
| Querying Custom Policy Details | GET /v3.0/OS-ROLE/roles/{role_id} | iam:roles:getRole |
| Creating a Custom Policy | POST /v3.0/OS-ROLE/roles | iam:roles:createRole |
| Modifying a Custom Policy | PATCH /v3.0/OS-ROLE/roles/{role_id} | iam:roles:updateRole |
| Deleting a Custom Policy | DELETE /v3.0/OS-ROLE/roles/{role_id} | iam:roles:deleteRole |

Agency Management

| Permission | API | Action |
| --- | --- | --- |
| Creating an Agency | POST /v3.0/OS-AGENCY/agencies | iam:agencies:createAgency |
| Listing Agencies | GET /v3.0/OS-AGENCY/agencies | iam:agencies:listAgencies |
| Querying Agency Details | GET /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:getAgency |
| Modifying an Agency | PUT /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:updateAgency |
| Deleting an Agency | DELETE /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:deleteAgency |
| Granting Permissions to an Agency for a Project | PUT /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:permissions:grantRoleToAgencyOnProject |
| Checking Whether an Agency Has the Specified Permissions on a Project | HEAD /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:permissions:checkRoleForAgencyOnProject |
| Querying Permissions of an Agency for a Project | GET /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles | iam:permissions:listRolesForAgencyOnProject |
| Removing Permissions of an Agency on a Project | DELETE /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:permissions:revokeRoleFromAgencyOnProject |
| Granting Permissions to an Agency on a Domain | PUT /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:permissions:grantRoleToAgencyOnDomain |
| Checking Whether an Agency Has the Specified Permissions on a Domain | HEAD /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:permissions:checkRoleForAgencyOnDomain |
| Querying the List of Permissions of an Agency on a Domain | GET /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles | iam:permissions:listRolesForAgencyOnDomain |
| Removing Permissions of an Agency on a Domain | DELETE /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:permissions:revokeRoleFromAgencyOnDomain |

Security Settings

| Permission | API | Action |
| --- | --- | --- |
| Querying the Operation Protection Policy | GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy | iam:securitypolicies:getProtectPolicy |
| Querying the Password Policy | GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy | iam:securitypolicies:getPasswordPolicy |
| Querying the Login Authentication Policy | GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy | iam:securitypolicies:getLoginPolicy |

Federated Identity Authentication Management

| Permission | API | Action |
| --- | --- | --- |
| Querying the Identity Provider List | GET /v3/OS-FEDERATION/identity_providers | iam:identityProviders:listIdentityProviders |
| Querying an Identity Provider | GET /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:getIdentityProvider |
| Creating an Identity Provider | PUT /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:createIdentityProvider |
| Updating an Identity Provider | PATCH /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:updateIdentityProvider |
| Deleting an Identity Provider | DELETE /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:deleteIdentityProvider |
| Creating an OpenID Connect Identity Provider | POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:createOpenIDConnectConfig |
| Modifying an OpenID Connect Identity Provider | PUT /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:updateOpenIDConnectConfig |
| Querying an OpenID Connect Identity Provider | GET /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:getOpenIDConnectConfig |
| Querying the Mapping List | GET /v3/OS-FEDERATION/mappings | iam:identityProviders:listMappings |
| Querying Mapping Details | GET /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:getMapping |
| Creating a Mapping | PUT /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:createMapping |
| Updating a Mapping | PATCH /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:updateMapping |
| Deleting a Mapping | DELETE /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:deleteMapping |
| Querying the Protocol List | GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols | iam:identityProviders:listProtocols |
| Querying a Protocol | GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:getProtocol |
| Registering a Protocol | PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:createProtocol |
| Updating a Protocol | PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:updateProtocol |
| Deleting a Protocol | DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:deleteProtocol |
| Querying a Metadata File | GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata | iam:identityProviders:getIDPMetadata |
| Importing a Metadata File | POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata | iam:identityProviders:createIDPMetadata |