policy.yaml

policy.yaml

Use the policy.yaml file to define additional access controls that apply to the Identity service:

"admin_required": "role:admin or is_admin:1"
"service_role": "role:service"
"service_or_admin": "rule:admin_required or rule:service_role"
"owner": "user_id:%(user_id)s"
"admin_or_owner": "rule:admin_required or rule:owner"
"token_subject": "user_id:%(target.token.user_id)s"
"admin_or_token_subject": "rule:admin_required or rule:token_subject"
"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject"
"identity:get_access_rule": "(role:reader and system_scope:all) or user_id:%(target.user.id)s"
"identity:list_access_rules": "(role:reader and system_scope:all) or user_id:%(target.user.id)s"
"identity:delete_access_rule": "(role:admin and system_scope:all) or user_id:%(target.user.id)s"
"identity:authorize_request_token": "rule:admin_required"
"identity:get_access_token": "rule:admin_required"
"identity:get_access_token_role": "rule:admin_required"
"identity:list_access_tokens": "rule:admin_required"
"identity:list_access_token_roles": "rule:admin_required"
"identity:delete_access_token": "rule:admin_required"
"identity:get_application_credential": "(role:reader and system_scope:all) or rule:owner"
# DEPRECATED
# "identity:get_application_credential":"rule:admin_or_owner" has been
# deprecated since T in favor of
# "identity:get_application_credential":"(role:reader and
# system_scope:all) or rule:owner".
# The application credential API is now aware of system scope and
# default roles.

"identity:list_application_credentials": "(role:reader and system_scope:all) or rule:owner"
# DEPRECATED
# "identity:list_application_credentials":"rule:admin_or_owner" has
# been deprecated since T in favor of
# "identity:list_application_credentials":"(role:reader and
# system_scope:all) or rule:owner".
# The application credential API is now aware of system scope and
# default roles.

"identity:create_application_credential": "user_id:%(user_id)s"
"identity:delete_application_credential": "(role:admin and system_scope:all) or rule:owner"
# DEPRECATED
# "identity:delete_application_credential":"rule:admin_or_owner" has
# been deprecated since T in favor of
# "identity:delete_application_credential":"(role:admin and
# system_scope:all) or rule:owner".
# The application credential API is now aware of system scope and
# default roles.

"identity:get_auth_catalog": ""
"identity:get_auth_projects": ""
"identity:get_auth_domains": ""
"identity:get_auth_system": ""
"identity:get_consumer": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_consumer":"rule:admin_required" has been deprecated
# since T in favor of "identity:get_consumer":"role:reader and
# system_scope:all".
# The OAUTH1 consumer API is now aware of system scope and default
# roles.

"identity:list_consumers": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_consumers":"rule:admin_required" has been deprecated
# since T in favor of "identity:list_consumers":"role:reader and
# system_scope:all".
# The OAUTH1 consumer API is now aware of system scope and default
# roles.

"identity:create_consumer": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_consumer":"rule:admin_required" has been deprecated
# since T in favor of "identity:create_consumer":"role:admin and
# system_scope:all".
# The OAUTH1 consumer API is now aware of system scope and default
# roles.

"identity:update_consumer": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_consumer":"rule:admin_required" has been deprecated
# since T in favor of "identity:update_consumer":"role:admin and
# system_scope:all".
# The OAUTH1 consumer API is now aware of system scope and default
# roles.

"identity:delete_consumer": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_consumer":"rule:admin_required" has been deprecated
# since T in favor of "identity:delete_consumer":"role:admin and
# system_scope:all".
# The OAUTH1 consumer API is now aware of system scope and default
# roles.

"identity:get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"
# DEPRECATED
# "identity:get_credential":"rule:admin_required" has been deprecated
# since S in favor of "identity:get_credential":"(role:reader and
# system_scope:all) or user_id:%(target.credential.user_id)s".
# The credential API is now aware of system scope and default roles.

"identity:list_credentials": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"
# DEPRECATED
# "identity:list_credentials":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_credentials":"(role:reader and system_scope:all) or
# user_id:%(target.credential.user_id)s".
# The credential API is now aware of system scope and default roles.

"identity:create_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"
# DEPRECATED
# "identity:create_credential":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:create_credential":"(role:admin and system_scope:all) or
# user_id:%(target.credential.user_id)s".
# The credential API is now aware of system scope and default roles.

"identity:update_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"
# DEPRECATED
# "identity:update_credential":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:update_credential":"(role:admin and system_scope:all) or
# user_id:%(target.credential.user_id)s".
# The credential API is now aware of system scope and default roles.

"identity:delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"
# DEPRECATED
# "identity:delete_credential":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:delete_credential":"(role:admin and system_scope:all) or
# user_id:%(target.credential.user_id)s".
# The credential API is now aware of system scope and default roles.

"identity:get_domain": "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s"
# DEPRECATED
# "identity:get_domain":"rule:admin_required or
# token.project.domain.id:%(target.domain.id)s" has been deprecated
# since S in favor of "identity:get_domain":"(role:reader and
# system_scope:all) or token.domain.id:%(target.domain.id)s or
# token.project.domain.id:%(target.domain.id)s".
# The domain API is now aware of system scope and default roles.

"identity:list_domains": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_domains":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_domains":"role:reader and
# system_scope:all".
# The domain API is now aware of system scope and default roles.

"identity:create_domain": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_domain":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_domain":"role:admin and
# system_scope:all".
# The domain API is now aware of system scope and default roles.

"identity:update_domain": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_domain":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_domain":"role:admin and
# system_scope:all".
# The domain API is now aware of system scope and default roles.

"identity:delete_domain": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_domain":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_domain":"role:admin and
# system_scope:all".
# The domain API is now aware of system scope and default roles.

"identity:create_domain_config": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_domain_config":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:create_domain_config":"role:admin and system_scope:all".
# The domain config API is now aware of system scope and default
# roles.

"identity:get_domain_config": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_domain_config":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:get_domain_config":"role:reader and system_scope:all".
# The domain config API is now aware of system scope and default
# roles.

"identity:get_security_compliance_domain_config": ""
"identity:update_domain_config": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_domain_config":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:update_domain_config":"role:admin and system_scope:all".
# The domain config API is now aware of system scope and default
# roles.

"identity:delete_domain_config": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_domain_config":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_domain_config":"role:admin and system_scope:all".
# The domain config API is now aware of system scope and default
# roles.

"identity:get_domain_config_default": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_domain_config_default":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:get_domain_config_default":"role:reader and
# system_scope:all".
# The domain config API is now aware of system scope and default
# roles.

"identity:ec2_get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"
# DEPRECATED
# "identity:ec2_get_credential":"rule:admin_required or (rule:owner
# and user_id:%(target.credential.user_id)s)" has been deprecated
# since T in favor of "identity:ec2_get_credential":"(role:reader and
# system_scope:all) or user_id:%(target.credential.user_id)s".
# The EC2 credential API is now aware of system scope and default
# roles.

"identity:ec2_list_credentials": "(role:reader and system_scope:all) or rule:owner"
# DEPRECATED
# "identity:ec2_list_credentials":"rule:admin_or_owner" has been
# deprecated since T in favor of
# "identity:ec2_list_credentials":"(role:reader and system_scope:all)
# or rule:owner".
# The EC2 credential API is now aware of system scope and default
# roles.

"identity:ec2_create_credential": "(role:admin and system_scope:all) or rule:owner"
# DEPRECATED
# "identity:ec2_create_credential":"rule:admin_or_owner" has been
# deprecated since T in favor of
# "identity:ec2_create_credential":"(role:admin and system_scope:all)
# or rule:owner".
# The EC2 credential API is now aware of system scope and default
# roles.

"identity:ec2_delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"
# DEPRECATED
# "identity:ec2_delete_credential":"rule:admin_required or (rule:owner
# and user_id:%(target.credential.user_id)s)" has been deprecated
# since T in favor of "identity:ec2_delete_credential":"(role:admin
# and system_scope:all) or user_id:%(target.credential.user_id)s".
# The EC2 credential API is now aware of system scope and default
# roles.

"identity:get_endpoint": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_endpoint":"rule:admin_required" has been deprecated
# since S in favor of "identity:get_endpoint":"role:reader and
# system_scope:all".
# The endpoint API is now aware of system scope and default roles.

"identity:list_endpoints": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_endpoints":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_endpoints":"role:reader and
# system_scope:all".
# The endpoint API is now aware of system scope and default roles.

"identity:create_endpoint": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_endpoint":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_endpoint":"role:admin and
# system_scope:all".
# The endpoint API is now aware of system scope and default roles.

"identity:update_endpoint": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_endpoint":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_endpoint":"role:admin and
# system_scope:all".
# The endpoint API is now aware of system scope and default roles.

"identity:delete_endpoint": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_endpoint":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_endpoint":"role:admin and
# system_scope:all".
# The endpoint API is now aware of system scope and default roles.

"identity:create_endpoint_group": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_endpoint_group":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:create_endpoint_group":"role:admin and system_scope:all".
# The endpoint groups API is now aware of system scope and default
# roles.

"identity:list_endpoint_groups": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_endpoint_groups":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_endpoint_groups":"role:reader and system_scope:all".
# The endpoint groups API is now aware of system scope and default
# roles.

"identity:get_endpoint_group": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_endpoint_group":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:get_endpoint_group":"role:reader and system_scope:all".
# The endpoint groups API is now aware of system scope and default
# roles.

"identity:update_endpoint_group": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_endpoint_group":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:update_endpoint_group":"role:admin and system_scope:all".
# The endpoint groups API is now aware of system scope and default
# roles.

"identity:delete_endpoint_group": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_endpoint_group":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_endpoint_group":"role:admin and system_scope:all".
# The endpoint groups API is now aware of system scope and default
# roles.

"identity:list_projects_associated_with_endpoint_group": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_projects_associated_with_endpoint_group":"rule:admin_
# required" has been deprecated since T in favor of
# "identity:list_projects_associated_with_endpoint_group":"role:reader
# and system_scope:all".
# The endpoint groups API is now aware of system scope and default
# roles.

"identity:list_endpoints_associated_with_endpoint_group": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_endpoints_associated_with_endpoint_group":"rule:admin
# _required" has been deprecated since T in favor of "identity:list_en
# dpoints_associated_with_endpoint_group":"role:reader and
# system_scope:all".
# The endpoint groups API is now aware of system scope and default
# roles.

"identity:get_endpoint_group_in_project": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_endpoint_group_in_project":"rule:admin_required" has
# been deprecated since T in favor of
# "identity:get_endpoint_group_in_project":"role:reader and
# system_scope:all".
# The endpoint groups API is now aware of system scope and default
# roles.

"identity:list_endpoint_groups_for_project": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_endpoint_groups_for_project":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:list_endpoint_groups_for_project":"role:reader and
# system_scope:all".
# The endpoint groups API is now aware of system scope and default
# roles.

"identity:add_endpoint_group_to_project": "role:admin and system_scope:all"
# DEPRECATED
# "identity:add_endpoint_group_to_project":"rule:admin_required" has
# been deprecated since T in favor of
# "identity:add_endpoint_group_to_project":"role:admin and
# system_scope:all".
# The endpoint groups API is now aware of system scope and default
# roles.

"identity:remove_endpoint_group_from_project": "role:admin and system_scope:all"
# DEPRECATED
# "identity:remove_endpoint_group_from_project":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:remove_endpoint_group_from_project":"role:admin and
# system_scope:all".
# The endpoint groups API is now aware of system scope and default
# roles.

"identity:check_grant": "(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
# DEPRECATED
# "identity:check_grant":"rule:admin_required" has been deprecated
# since S in favor of "identity:check_grant":"(role:reader and
# system_scope:all) or ((role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s)) and
# (domain_id:%(target.role.domain_id)s or
# None:%(target.role.domain_id)s)".
# The assignment API is now aware of system scope and default roles.

"identity:list_grants": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)"
# DEPRECATED
# "identity:list_grants":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_grants":"(role:reader and
# system_scope:all) or (role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s)".
# The assignment API is now aware of system scope and default roles.

"identity:create_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
# DEPRECATED
# "identity:create_grant":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_grant":"(role:admin and
# system_scope:all) or ((role:admin and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:admin and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s)) and
# (domain_id:%(target.role.domain_id)s or
# None:%(target.role.domain_id)s)".
# The assignment API is now aware of system scope and default roles.

"identity:revoke_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
# DEPRECATED
# "identity:revoke_grant":"rule:admin_required" has been deprecated
# since S in favor of "identity:revoke_grant":"(role:admin and
# system_scope:all) or ((role:admin and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:admin and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s)) and
# (domain_id:%(target.role.domain_id)s or
# None:%(target.role.domain_id)s)".
# The assignment API is now aware of system scope and default roles.

"identity:list_system_grants_for_user": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_system_grants_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:list_system_grants_for_user":"role:reader and
# system_scope:all".
# The assignment API is now aware of system scope and default roles.

"identity:check_system_grant_for_user": "role:reader and system_scope:all"
# DEPRECATED
# "identity:check_system_grant_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:check_system_grant_for_user":"role:reader and
# system_scope:all".
# The assignment API is now aware of system scope and default roles.

"identity:create_system_grant_for_user": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_system_grant_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:create_system_grant_for_user":"role:admin and
# system_scope:all".
# The assignment API is now aware of system scope and default roles.

"identity:revoke_system_grant_for_user": "role:admin and system_scope:all"
# DEPRECATED
# "identity:revoke_system_grant_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:revoke_system_grant_for_user":"role:admin and
# system_scope:all".
# The assignment API is now aware of system scope and default roles.

"identity:list_system_grants_for_group": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_system_grants_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:list_system_grants_for_group":"role:reader and
# system_scope:all".
# The assignment API is now aware of system scope and default roles.

"identity:check_system_grant_for_group": "role:reader and system_scope:all"
# DEPRECATED
# "identity:check_system_grant_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:check_system_grant_for_group":"role:reader and
# system_scope:all".
# The assignment API is now aware of system scope and default roles.

"identity:create_system_grant_for_group": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_system_grant_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:create_system_grant_for_group":"role:admin and
# system_scope:all".
# The assignment API is now aware of system scope and default roles.

"identity:revoke_system_grant_for_group": "role:admin and system_scope:all"
# DEPRECATED
# "identity:revoke_system_grant_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:revoke_system_grant_for_group":"role:admin and
# system_scope:all".
# The assignment API is now aware of system scope and default roles.

"identity:get_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
# DEPRECATED
# "identity:get_group":"rule:admin_required" has been deprecated since
# S in favor of "identity:get_group":"(role:reader and
# system_scope:all) or (role:reader and
# domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.

"identity:list_groups": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
# DEPRECATED
# "identity:list_groups":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_groups":"(role:reader and
# system_scope:all) or (role:reader and
# domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.

"identity:list_groups_for_user": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s"
# DEPRECATED
# "identity:list_groups_for_user":"rule:admin_or_owner" has been
# deprecated since S in favor of
# "identity:list_groups_for_user":"(role:reader and system_scope:all)
# or (role:reader and domain_id:%(target.user.domain_id)s) or
# user_id:%(user_id)s".
# The group API is now aware of system scope and default roles.

"identity:create_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
# DEPRECATED
# "identity:create_group":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_group":"(role:admin and
# system_scope:all) or (role:admin and
# domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.

"identity:update_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
# DEPRECATED
# "identity:update_group":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_group":"(role:admin and
# system_scope:all) or (role:admin and
# domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.

"identity:delete_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
# DEPRECATED
# "identity:delete_group":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_group":"(role:admin and
# system_scope:all) or (role:admin and
# domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.

"identity:list_users_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
# DEPRECATED
# "identity:list_users_in_group":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_users_in_group":"(role:reader and system_scope:all)
# or (role:reader and domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.

"identity:remove_user_from_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
# DEPRECATED
# "identity:remove_user_from_group":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:remove_user_from_group":"(role:admin and system_scope:all)
# or (role:admin and domain_id:%(target.group.domain_id)s and
# domain_id:%(target.user.domain_id)s)".
# The group API is now aware of system scope and default roles.

"identity:check_user_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
# DEPRECATED
# "identity:check_user_in_group":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:check_user_in_group":"(role:reader and system_scope:all)
# or (role:reader and domain_id:%(target.group.domain_id)s and
# domain_id:%(target.user.domain_id)s)".
# The group API is now aware of system scope and default roles.

"identity:add_user_to_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
# DEPRECATED
# "identity:add_user_to_group":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:add_user_to_group":"(role:admin and system_scope:all) or
# (role:admin and domain_id:%(target.group.domain_id)s and
# domain_id:%(target.user.domain_id)s)".
# The group API is now aware of system scope and default roles.

"identity:create_identity_provider": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:create_identity_provider":"role:admin and
# system_scope:all".
# The identity provider API is now aware of system scope and default
# roles.

"identity:list_identity_providers": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_identity_providers":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_identity_providers":"role:reader and
# system_scope:all".
# The identity provider API is now aware of system scope and default
# roles.

"identity:get_identity_provider": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:get_identity_provider":"role:reader and system_scope:all".
# The identity provider API is now aware of system scope and default
# roles.

"identity:update_identity_provider": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:update_identity_provider":"role:admin and
# system_scope:all".
# The identity provider API is now aware of system scope and default
# roles.

"identity:delete_identity_provider": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:delete_identity_provider":"role:admin and
# system_scope:all".
# The identity provider API is now aware of system scope and default
# roles.

"identity:get_implied_role": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_implied_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:get_implied_role":"role:reader and system_scope:all".
# The implied role API is now aware of system scope and default roles.

"identity:list_implied_roles": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_implied_roles":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_implied_roles":"role:reader and system_scope:all".
# The implied role API is now aware of system scope and default roles.

"identity:create_implied_role": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_implied_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:create_implied_role":"role:admin and system_scope:all".
# The implied role API is now aware of system scope and default roles.

"identity:delete_implied_role": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_implied_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_implied_role":"role:admin and system_scope:all".
# The implied role API is now aware of system scope and default roles.

"identity:list_role_inference_rules": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_role_inference_rules":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_role_inference_rules":"role:reader and
# system_scope:all".
# The implied role API is now aware of system scope and default roles.

"identity:check_implied_role": "role:reader and system_scope:all"
# DEPRECATED
# "identity:check_implied_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:check_implied_role":"role:reader and system_scope:all".
# The implied role API is now aware of system scope and default roles.

"identity:get_limit_model": ""
"identity:get_limit": "(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)"
"identity:list_limits": ""
"identity:create_limits": "role:admin and system_scope:all"
"identity:update_limit": "role:admin and system_scope:all"
"identity:delete_limit": "role:admin and system_scope:all"
"identity:create_mapping": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_mapping":"role:admin and
# system_scope:all".
# The federated mapping API is now aware of system scope and default
# roles.

"identity:get_mapping": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:get_mapping":"role:reader and
# system_scope:all".
# The federated mapping API is now aware of system scope and default
# roles.

"identity:list_mappings": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_mappings":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_mappings":"role:reader and
# system_scope:all".
# The federated mapping API is now aware of system scope and default
# roles.

"identity:delete_mapping": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_mapping":"role:admin and
# system_scope:all".
# The federated mapping API is now aware of system scope and default
# roles.

"identity:update_mapping": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_mapping":"role:admin and
# system_scope:all".
# The federated mapping API is now aware of system scope and default
# roles.

"identity:get_policy": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_policy":"rule:admin_required" has been deprecated
# since T in favor of "identity:get_policy":"role:reader and
# system_scope:all".
# The policy API is now aware of system scope and default roles.

"identity:list_policies": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_policies":"rule:admin_required" has been deprecated
# since T in favor of "identity:list_policies":"role:reader and
# system_scope:all".
# The policy API is now aware of system scope and default roles.

"identity:create_policy": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_policy":"rule:admin_required" has been deprecated
# since T in favor of "identity:create_policy":"role:admin and
# system_scope:all".
# The policy API is now aware of system scope and default roles.

"identity:update_policy": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_policy":"rule:admin_required" has been deprecated
# since T in favor of "identity:update_policy":"role:admin and
# system_scope:all".
# The policy API is now aware of system scope and default roles.

"identity:delete_policy": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_policy":"rule:admin_required" has been deprecated
# since T in favor of "identity:delete_policy":"role:admin and
# system_scope:all".
# The policy API is now aware of system scope and default roles.

"identity:create_policy_association_for_endpoint": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_policy_association_for_endpoint":"rule:admin_requir
# ed" has been deprecated since T in favor of
# "identity:create_policy_association_for_endpoint":"role:admin and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

"identity:check_policy_association_for_endpoint": "role:reader and system_scope:all"
# DEPRECATED
# "identity:check_policy_association_for_endpoint":"rule:admin_require
# d" has been deprecated since T in favor of
# "identity:check_policy_association_for_endpoint":"role:reader and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

"identity:delete_policy_association_for_endpoint": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_policy_association_for_endpoint":"rule:admin_requir
# ed" has been deprecated since T in favor of
# "identity:delete_policy_association_for_endpoint":"role:admin and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

"identity:create_policy_association_for_service": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_policy_association_for_service":"rule:admin_require
# d" has been deprecated since T in favor of
# "identity:create_policy_association_for_service":"role:admin and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

"identity:check_policy_association_for_service": "role:reader and system_scope:all"
# DEPRECATED
# "identity:check_policy_association_for_service":"rule:admin_required
# " has been deprecated since T in favor of
# "identity:check_policy_association_for_service":"role:reader and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

"identity:delete_policy_association_for_service": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_policy_association_for_service":"rule:admin_require
# d" has been deprecated since T in favor of
# "identity:delete_policy_association_for_service":"role:admin and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

"identity:create_policy_association_for_region_and_service": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_policy_association_for_region_and_service":"rule:ad
# min_required" has been deprecated since T in favor of "identity:crea
# te_policy_association_for_region_and_service":"role:admin and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

"identity:check_policy_association_for_region_and_service": "role:reader and system_scope:all"
# DEPRECATED
# "identity:check_policy_association_for_region_and_service":"rule:adm
# in_required" has been deprecated since T in favor of "identity:check
# _policy_association_for_region_and_service":"role:reader and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

"identity:delete_policy_association_for_region_and_service": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_policy_association_for_region_and_service":"rule:ad
# min_required" has been deprecated since T in favor of "identity:dele
# te_policy_association_for_region_and_service":"role:admin and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

"identity:get_policy_for_endpoint": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_policy_for_endpoint":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:get_policy_for_endpoint":"role:reader and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

"identity:list_endpoints_for_policy": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_endpoints_for_policy":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_endpoints_for_policy":"role:reader and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

"identity:get_project": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
# DEPRECATED
# "identity:get_project":"rule:admin_required or
# project_id:%(target.project.id)s" has been deprecated since S in
# favor of "identity:get_project":"(role:reader and system_scope:all)
# or (role:reader and domain_id:%(target.project.domain_id)s) or
# project_id:%(target.project.id)s".
# The project API is now aware of system scope and default roles.

"identity:list_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
# DEPRECATED
# "identity:list_projects":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_projects":"(role:reader and
# system_scope:all) or (role:reader and
# domain_id:%(target.domain_id)s)".
# The project API is now aware of system scope and default roles.

"identity:list_user_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
# DEPRECATED
# "identity:list_user_projects":"rule:admin_or_owner" has been
# deprecated since S in favor of
# "identity:list_user_projects":"(role:reader and system_scope:all) or
# (role:reader and domain_id:%(target.user.domain_id)s) or
# user_id:%(target.user.id)s".
# The project API is now aware of system scope and default roles.

"identity:create_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
# DEPRECATED
# "identity:create_project":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_project":"(role:admin and
# system_scope:all) or (role:admin and
# domain_id:%(target.project.domain_id)s)".
# The project API is now aware of system scope and default roles.

"identity:update_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
# DEPRECATED
# "identity:update_project":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_project":"(role:admin and
# system_scope:all) or (role:admin and
# domain_id:%(target.project.domain_id)s)".
# The project API is now aware of system scope and default roles.

"identity:delete_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
# DEPRECATED
# "identity:delete_project":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_project":"(role:admin and
# system_scope:all) or (role:admin and
# domain_id:%(target.project.domain_id)s)".
# The project API is now aware of system scope and default roles.

"identity:list_project_tags": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
# DEPRECATED
# "identity:list_project_tags":"rule:admin_required or
# project_id:%(target.project.id)s" has been deprecated since T in
# favor of "identity:list_project_tags":"(role:reader and
# system_scope:all) or (role:reader and
# domain_id:%(target.project.domain_id)s) or
# project_id:%(target.project.id)s".
# The project API is now aware of system scope and default roles.

"identity:get_project_tag": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
# DEPRECATED
# "identity:get_project_tag":"rule:admin_required or
# project_id:%(target.project.id)s" has been deprecated since T in
# favor of "identity:get_project_tag":"(role:reader and
# system_scope:all) or (role:reader and
# domain_id:%(target.project.domain_id)s) or
# project_id:%(target.project.id)s".
# The project API is now aware of system scope and default roles.

"identity:update_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
# DEPRECATED
# "identity:update_project_tags":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:update_project_tags":"(role:admin and system_scope:all) or
# (role:admin and domain_id:%(target.project.domain_id)s) or
# (role:admin and project_id:%(target.project.id)s)".
# The project API is now aware of system scope and default roles.

"identity:create_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
# DEPRECATED
# "identity:create_project_tag":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:create_project_tag":"(role:admin and system_scope:all) or
# (role:admin and domain_id:%(target.project.domain_id)s) or
# (role:admin and project_id:%(target.project.id)s)".
# The project API is now aware of system scope and default roles.

"identity:delete_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
# DEPRECATED
# "identity:delete_project_tags":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_project_tags":"(role:admin and system_scope:all) or
# (role:admin and domain_id:%(target.project.domain_id)s) or
# (role:admin and project_id:%(target.project.id)s)".
# The project API is now aware of system scope and default roles.

"identity:delete_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
# DEPRECATED
# "identity:delete_project_tag":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_project_tag":"(role:admin and system_scope:all) or
# (role:admin and domain_id:%(target.project.domain_id)s) or
# (role:admin and project_id:%(target.project.id)s)".
# The project API is now aware of system scope and default roles.

"identity:list_projects_for_endpoint": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_projects_for_endpoint":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_projects_for_endpoint":"role:reader and
# system_scope:all".
# As of the Train release, the project endpoint API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the project endpoint API.

"identity:add_endpoint_to_project": "role:admin and system_scope:all"
# DEPRECATED
# "identity:add_endpoint_to_project":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:add_endpoint_to_project":"role:admin and
# system_scope:all".
# As of the Train release, the project endpoint API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the project endpoint API.

"identity:check_endpoint_in_project": "role:reader and system_scope:all"
# DEPRECATED
# "identity:check_endpoint_in_project":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:check_endpoint_in_project":"role:reader and
# system_scope:all".
# As of the Train release, the project endpoint API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the project endpoint API.

"identity:list_endpoints_for_project": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_endpoints_for_project":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_endpoints_for_project":"role:reader and
# system_scope:all".
# As of the Train release, the project endpoint API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the project endpoint API.

"identity:remove_endpoint_from_project": "role:admin and system_scope:all"
# DEPRECATED
# "identity:remove_endpoint_from_project":"rule:admin_required" has
# been deprecated since T in favor of
# "identity:remove_endpoint_from_project":"role:admin and
# system_scope:all".
# As of the Train release, the project endpoint API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the project endpoint API.

"identity:create_protocol": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_protocol":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_protocol":"role:admin and
# system_scope:all".
# The federated protocol API is now aware of system scope and default
# roles.

"identity:update_protocol": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_protocol":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_protocol":"role:admin and
# system_scope:all".
# The federated protocol API is now aware of system scope and default
# roles.

"identity:get_protocol": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_protocol":"rule:admin_required" has been deprecated
# since S in favor of "identity:get_protocol":"role:reader and
# system_scope:all".
# The federated protocol API is now aware of system scope and default
# roles.

"identity:list_protocols": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_protocols":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_protocols":"role:reader and
# system_scope:all".
# The federated protocol API is now aware of system scope and default
# roles.

"identity:delete_protocol": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_protocol":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_protocol":"role:admin and
# system_scope:all".
# The federated protocol API is now aware of system scope and default
# roles.

"identity:get_region": ""
"identity:list_regions": ""
"identity:create_region": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_region":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_region":"role:admin and
# system_scope:all".
# The region API is now aware of system scope and default roles.

"identity:update_region": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_region":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_region":"role:admin and
# system_scope:all".
# The region API is now aware of system scope and default roles.

"identity:delete_region": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_region":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_region":"role:admin and
# system_scope:all".
# The region API is now aware of system scope and default roles.

"identity:get_registered_limit": ""
"identity:list_registered_limits": ""
"identity:create_registered_limits": "role:admin and system_scope:all"
"identity:update_registered_limit": "role:admin and system_scope:all"
"identity:delete_registered_limit": "role:admin and system_scope:all"
"identity:list_revoke_events": "rule:service_or_admin"
"identity:get_role": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_role":"rule:admin_required" has been deprecated since
# S in favor of "identity:get_role":"role:reader and
# system_scope:all".
# The role API is now aware of system scope and default roles.

"identity:list_roles": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_roles":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_roles":"role:reader and
# system_scope:all".
# The role API is now aware of system scope and default roles.

"identity:create_role": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_role":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_role":"role:admin and
# system_scope:all".
# The role API is now aware of system scope and default roles.

"identity:update_role": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_role":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_role":"role:admin and
# system_scope:all".
# The role API is now aware of system scope and default roles.

"identity:delete_role": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_role":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_role":"role:admin and
# system_scope:all".
# The role API is now aware of system scope and default roles.

"identity:get_domain_role": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_domain_role":"rule:admin_required" has been deprecated
# since T in favor of "identity:get_domain_role":"role:reader and
# system_scope:all".
# The role API is now aware of system scope and default roles.

"identity:list_domain_roles": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_domain_roles":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_domain_roles":"role:reader and system_scope:all".
# The role API is now aware of system scope and default roles.

"identity:create_domain_role": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_domain_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:create_domain_role":"role:admin and system_scope:all".
# The role API is now aware of system scope and default roles.

"identity:update_domain_role": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_domain_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:update_domain_role":"role:admin and system_scope:all".
# The role API is now aware of system scope and default roles.

"identity:delete_domain_role": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_domain_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_domain_role":"role:admin and system_scope:all".
# The role API is now aware of system scope and default roles.

"identity:list_role_assignments": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
# DEPRECATED
# "identity:list_role_assignments":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_role_assignments":"(role:reader and system_scope:all)
# or (role:reader and domain_id:%(target.domain_id)s)".
# The assignment API is now aware of system scope and default roles.

"identity:list_role_assignments_for_tree": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
# DEPRECATED
# "identity:list_role_assignments_for_tree":"rule:admin_required" has
# been deprecated since T in favor of
# "identity:list_role_assignments_for_tree":"(role:reader and
# system_scope:all) or (role:reader and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# project_id:%(target.project.id)s)".
# The assignment API is now aware of system scope and default roles.

"identity:get_service": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_service":"rule:admin_required" has been deprecated
# since S in favor of "identity:get_service":"role:reader and
# system_scope:all".
# The service API is now aware of system scope and default roles.

"identity:list_services": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_services":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_services":"role:reader and
# system_scope:all".
# The service API is now aware of system scope and default roles.

"identity:create_service": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_service":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_service":"role:admin and
# system_scope:all".
# The service API is now aware of system scope and default roles.

"identity:update_service": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_service":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_service":"role:admin and
# system_scope:all".
# The service API is now aware of system scope and default roles.

"identity:delete_service": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_service":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_service":"role:admin and
# system_scope:all".
# The service API is now aware of system scope and default roles.

"identity:create_service_provider": "role:admin and system_scope:all"
# DEPRECATED
# "identity:create_service_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:create_service_provider":"role:admin and
# system_scope:all".
# The service provider API is now aware of system scope and default
# roles.

"identity:list_service_providers": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_service_providers":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_service_providers":"role:reader and
# system_scope:all".
# The service provider API is now aware of system scope and default
# roles.

"identity:get_service_provider": "role:reader and system_scope:all"
# DEPRECATED
# "identity:get_service_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:get_service_provider":"role:reader and system_scope:all".
# The service provider API is now aware of system scope and default
# roles.

"identity:update_service_provider": "role:admin and system_scope:all"
# DEPRECATED
# "identity:update_service_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:update_service_provider":"role:admin and
# system_scope:all".
# The service provider API is now aware of system scope and default
# roles.

"identity:delete_service_provider": "role:admin and system_scope:all"
# DEPRECATED
# "identity:delete_service_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:delete_service_provider":"role:admin and
# system_scope:all".
# The service provider API is now aware of system scope and default
# roles.

# DEPRECATED
# "identity:revocation_list" has been deprecated since T.
# The identity:revocation_list policy isn't used to protect any APIs
# in keystone now that the revocation list API has been deprecated and
# only returns a 410 or 403 depending on how keystone is configured.
# This policy can be safely removed from policy files.
"identity:revocation_list": "rule:service_or_admin"
"identity:check_token": "(role:reader and system_scope:all) or rule:token_subject"
# DEPRECATED
# "identity:check_token":"rule:admin_or_token_subject" has been
# deprecated since T in favor of "identity:check_token":"(role:reader
# and system_scope:all) or rule:token_subject".
# The token API is now aware of system scope and default roles.

"identity:validate_token": "(role:reader and system_scope:all) or rule:service_role or rule:token_subject"
# DEPRECATED
# "identity:validate_token":"rule:service_admin_or_token_subject" has
# been deprecated since T in favor of
# "identity:validate_token":"(role:reader and system_scope:all) or
# rule:service_role or rule:token_subject".
# The token API is now aware of system scope and default roles.

"identity:revoke_token": "(role:admin and system_scope:all) or rule:token_subject"
# DEPRECATED
# "identity:revoke_token":"rule:admin_or_token_subject" has been
# deprecated since T in favor of "identity:revoke_token":"(role:admin
# and system_scope:all) or rule:token_subject".
# The token API is now aware of system scope and default roles.

"identity:create_trust": "user_id:%(trust.trustor_user_id)s"
"identity:list_trusts": "role:reader and system_scope:all"
# DEPRECATED
# "identity:list_trusts":"rule:admin_required" has been deprecated
# since T in favor of "identity:list_trusts":"role:reader and
# system_scope:all".
# The trust API is now aware of system scope and default roles.

"identity:list_trusts_for_trustor": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s"
"identity:list_trusts_for_trustee": "role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s"
"identity:list_roles_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"
# DEPRECATED
# "identity:list_roles_for_trust":"user_id:%(target.trust.trustor_user
# _id)s or user_id:%(target.trust.trustee_user_id)s" has been
# deprecated since T in favor of
# "identity:list_roles_for_trust":"role:reader and system_scope:all or
# user_id:%(target.trust.trustor_user_id)s or
# user_id:%(target.trust.trustee_user_id)s".
# The trust API is now aware of system scope and default roles.

"identity:get_role_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"
# DEPRECATED
# "identity:get_role_for_trust":"user_id:%(target.trust.trustor_user_i
# d)s or user_id:%(target.trust.trustee_user_id)s" has been deprecated
# since T in favor of "identity:get_role_for_trust":"role:reader and
# system_scope:all or user_id:%(target.trust.trustor_user_id)s or
# user_id:%(target.trust.trustee_user_id)s".
# The trust API is now aware of system scope and default roles.

"identity:delete_trust": "role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s"
# DEPRECATED
# "identity:delete_trust":"user_id:%(target.trust.trustor_user_id)s"
# has been deprecated since T in favor of
# "identity:delete_trust":"role:admin and system_scope:all or
# user_id:%(target.trust.trustor_user_id)s".
# The trust API is now aware of system scope and default roles.

"identity:get_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"
# DEPRECATED
# "identity:get_trust":"user_id:%(target.trust.trustor_user_id)s or
# user_id:%(target.trust.trustee_user_id)s" has been deprecated since
# T in favor of "identity:get_trust":"role:reader and system_scope:all
# or user_id:%(target.trust.trustor_user_id)s or
# user_id:%(target.trust.trustee_user_id)s".
# The trust API is now aware of system scope and default roles.

"identity:get_user": "(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
# DEPRECATED
# "identity:get_user":"rule:admin_or_owner" has been deprecated since
# S in favor of "identity:get_user":"(role:reader and
# system_scope:all) or (role:reader and
# token.domain.id:%(target.user.domain_id)s) or
# user_id:%(target.user.id)s".
# The user API is now aware of system scope and default roles.

"identity:list_users": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
# DEPRECATED
# "identity:list_users":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_users":"(role:reader and
# system_scope:all) or (role:reader and
# domain_id:%(target.domain_id)s)".
# The user API is now aware of system scope and default roles.

"identity:list_projects_for_user": ""
"identity:list_domains_for_user": ""
"identity:create_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"
# DEPRECATED
# "identity:create_user":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_user":"(role:admin and
# system_scope:all) or (role:admin and
# token.domain.id:%(target.user.domain_id)s)".
# The user API is now aware of system scope and default roles.

"identity:update_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"
# DEPRECATED
# "identity:update_user":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_user":"(role:admin and
# system_scope:all) or (role:admin and
# token.domain.id:%(target.user.domain_id)s)".
# The user API is now aware of system scope and default roles.

"identity:delete_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"
# DEPRECATED
# "identity:delete_user":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_user":"(role:admin and
# system_scope:all) or (role:admin and
# token.domain.id:%(target.user.domain_id)s)".
# The user API is now aware of system scope and default roles.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.