Wei, Hongmin bdc1f338a2 IAM API 0816 Version

Reviewed-by: Gladkov, Maksim <mgladkov@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: Wei, Hongmin <weihongmin1@huawei.com>
Co-committed-by: Wei, Hongmin <weihongmin1@huawei.com>

2024-10-17 13:19:12 +00:00

42 KiB

Raw Blame History

Querying Permission Assignment Records

Function

This API is used to query permission assignment records of a specified account.

URI

GET /v3.0/OS-PERMISSION/role-assignments

Request Parameters

**Table 1** Parameters in the request header
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	See Permissions Management.

**Table 2** Request parameters
Parameter	Mandatory	Type	Description
domain_id	Yes	String	Account ID. For details about how to obtain the account ID, see Obtaining User, Account, User Group, Project, and Agency Information.
role_id	No	String	Policy ID.
subject	No	String	Principal. The value can be user, group, or agency. This parameter is exclusive with subject.user_id, subject.group_id, and subject.agency_id.
subject.user_id	No	String	ID of the IAM user. For details about how to obtain the ID, see Obtaining User, Account, User Group, Project, and Agency Information.
subject.group_id	No	String	ID of the user group. For details about how to obtain the ID, see Obtaining User, Account, User Group, Project, and Agency Information.
subject.agency_id	No	String	Agency ID. For details about how to obtain the agency ID, see Obtaining User, Account, User Group, Project, and Agency Information.
scope	No	String	Authorization scope. The value can be project, domain, or enterprise_project. This parameter is mutually exclusive with scope.project_id, scope.domain_id, and scope.enterprise_projects_id. NOTE: To view global service authorization records, set this parameter to domain or specify scope.domain_id. To view resource-based authorization records, set this parameter to domain and is_inherited to true. To view project-based authorization records, set this parameter to project or specify scope.project_id. To view enterprise project-based authorization records, set this parameter to enterprise_project or specify scope.enterprise_project_id.
scope.project_id	No	String	Project ID. For details about how to obtain the project ID, see Obtaining User, Account, User Group, Project, and Agency Information.
scope.domain_id	No	String	Account ID. For details about how to obtain the account ID, see Obtaining User, Account, User Group, Project, and Agency Information.
scope.enterprise_projects_id	No	String	ID of an authorized enterprise project.
is_inherited	No	Boolean	Whether to include all project-based authorization records. The default value is false. This parameter is valid only when scope is set to domain or scope.domain_id is specified. true: Query all project-based authorization records. false: Query global service authorization records.
include_group	No	Boolean	Whether to include user group-based authorization records. The default value is true. This parameter is valid only when subject is set to user or subject.user_id is specified. true: Query authorization records of IAM users and user groups which the IAM users belong to. false: Only query authorization records of IAM users.
page	No	String	Page number for pagination query. The minimum value is 1. This parameter must be used together with per_page.
per_page	No	String	Number of data records to be displayed on each page during pagination query. The value ranges from 1 to 50. This parameter must be specified together with page.

Response Parameters

**Table 3** Parameters in the response body
Parameter	Type	Description
total_num	Long	Total number of returned authorization records.
role_assignments	Array of RoleAssignmentBody objects	Authorization information.

**Table 4** role_assignments
Parameter	Type	Description
user	RoleUserAssignmentId object	Authorized user.
role	RoleAssignmentId object	Authorization policy.
group	RoleGroupAssignmentId object	Authorized user group.
agency	RoleAgencyAssignmentId object	Authorization agency.
scope	RoleAssignmentScope object	Authorization scope.
is_inherited	Boolean	Whether the authorization is based on all projects.

**Table 5** role_assignments.user
Parameter	Type	Description
id	String	IAM user ID.

**Table 6** role_assignments.role
Parameter	Type	Description
id	String	Permission ID.

**Table 7** role_assignments.group
Parameter	Type	Description
id	String	User group ID.

**Table 8** role_assignments.agency
Parameter	Type	Description
id	String	Agency ID.

**Table 9** role_assignments.scope
Parameter	Type	Description
project	RoleProjectAssignmentId object	IAM project-based authorization.
domain	RoleDomainAssignmentId object	Authorization based on global services or all projects.
enterprise_project	RoleEnterpriseProjectAssignmentId object	Enterprise project-based authorization.

**Table 10** role_assignments.scope.project
Parameter	Type	Description
id	String	IAM project ID.

**Table 11** role_assignments.scope.domain
Parameter	Type	Description
id	String	Global service ID.

**Table 12** role_assignments.scope.enterprise_project
Parameter	Type	Description
id	String	Enterprise project ID.

Example Request

GET https://sample.domain.com/v3.0/OS-PERMISSION/role-assignments?{domain_id}

Example Response

Status code: 200

The request is successful.

{
    "role_assignments":{
        "group":{
            "id":"07609e7eb200250a3f7dc003cb7a4e2d"
        },
        "is_inherited":true,
        "role":{
            "id":"11e5c42d20cc349a2b9e2f8afd253f50c"
        },
        "scope":{
            "domain":{
                "id":"d78cbac186b744899480f25bd022f468"
            }
        }
    },
    "total_num":1
}

Status Code

Status Code	Description
200	The request is successful.
400	Invalid parameters.
401	Authentication failed.
403	Access denied.

Error Codes

For details, see Error Codes.

Parent topic: Permission Management

42 KiB Raw Blame History