Querying All Permissions of a User Group

Function

This API is provided for the administrator to query all permissions that have been assigned to a user group.

URI

GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects

Table 1 URI parameters

Parameter

Mandatory

Type

Description

domain_id

Yes

String

Domain ID. For details about how to obtain the ID, see Obtaining User, Account, User Group, Project, and Agency Information.

group_id

Yes

String

User group ID. For details about how to obtain a user group ID, see Obtaining User, Account, User Group, Project, and Agency Information.

Request Parameters

Table 2 Parameters in the request header

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

Token with Security Administrator permissions.

Response Parameters

Status code: 200

Table 3 Parameters in the response body

Parameter

Type

Description

links

object

Resource link information.

roles

Array of objects

Permission information.

total_number

Integer

Total number of custom policies. This parameter is returned only when domain_id is specified in the request.
Table 4 RoleResult

Parameter

Type

Description

domain_id

String

ID of the domain to which the permission belongs.

flag

String

If this parameter is set to fine_grained, the permission is a system-defined policy.

description_cn

String

Description of the permission in Chinese.

catalog

String

Service catalog of the permission.

name

String

Permission name. This parameter is carried in the token of a user, allowing the system to determine whether the user has permissions to access a specific cloud service.

description

String

Description of the permission.

links

object

Permission resource link.

id

String

Permission ID.

display_name

String

Display name of the permission.

type

String

Display mode of the permission.

NOTE:
  • AX: Account level.
  • XA: Project level.
  • AA: Both the account level and project level.
  • XX: Neither the account level nor project level.
  • The display mode of a custom policy can only be AX or XA. A custom policy must be displayed at either of the two levels.

policy

object

Content of the permission.

updated_time

String

Time when the permission was last updated.

created_time

String

Time when the permission was created.
Table 5 Links

Parameter

Type

Description

self

String

Resource link.

previous

String

Previous resource link.

next

String

Next resource link.
Table 6 RolePolicy

Parameter

Type

Description

Depends

Array of objects

Dependent permissions.

Statement

Array of objects

Statement of the permission.

Version

String

Policy version.

NOTE:
  • 1.0: System-defined role. Only a limited number of service-level roles are provided for authorization.
  • 1.1: Policy. A policy defines the permissions required to perform operations on a specific cloud resource under certain conditions.
Table 7 PolicyDepends

Parameter

Type

Description

catalog

String

Service catalog of the permission.

display_name

String

Display name of the permission.
Table 8 PolicyStatement

Parameter

Type

Description

Action

Array of strings

Specific operation permission on a resource. A maximum of 100 actions are allowed.

NOTE:
  • The value format is Service name:Resource type:Operation, for example, vpc:ports:create.
  • Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.
  • In the case of a custom policy for agencies, this parameter should be set to "Action": ["iam:agencies:assume"].

Effect

String

Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements.

Enumerated values:

  • Allow
  • Deny

Condition

Object

Conditions for the permission to take effect. A maximum of 10 conditions are allowed. For details about the condition parameters, see .

NOTE:

Take the condition in the sample request as an example, the values of the condition key (obs:prefix) and string (public) must be equal (StringEquals).

 "Condition": {
              "StringEquals": {
                "obs:prefix": [
                  "public"
                ]
              }
            }

Resource

Array of strings

Cloud resource. The array can contain a maximum of 10 resource strings, and each string cannot exceed 128 characters.

NOTE:
  • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
  • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.
  • In the case of a custom policy for agencies, the type of this parameter is Object, and the value should be set to "Resource": {"uri": ["/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"]}.

Example Request

GET https://sample.domain.com/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects

Example Response

Status code: 200

The request is successful.

{ 
  "roles" : [ { 
    "domain_id" : null, 
    "description_cn" : "Description of the permission in Chinese", 
    "catalog" : "VulnScan", 
    "name" : "wscn_adm", 
    "description" : "Vulnerability Scan Service administrator of tasks and reports.", 
    "links" : { 
      "next" : null, 
      "previous" : null, 
      "self" : "https://sample.domain.com/v3/roles/0af84c1502f447fa9c2fa18083fbb..." 
    }, 
    "id" : "0af84c1502f447fa9c2fa18083fbb...", 
    "display_name" : "VSS Administrator", 
    "type" : "XA", 
    "policy" : { 
      "Version" : "1.0", 
      "Statement" : [ { 
        "Action" : [ "WebScan:*:*" ], 
        "Effect" : "Allow" 
      } ], 
      "Depends" : [ { 
        "catalog" : "BASE", 
        "display_name" : "Server Administrator" 
      }, { 
        "catalog" : "BASE", 
        "display_name" : "Tenant Guest" 
      } ] 
    } 
  }, { 
    "domain_id" : null, 
    "flag" : "fine_grained", 
    "description_cn" : "Description of the permission in Chinese", 
    "catalog" : "CSE", 
    "name" : "system_all_34", 
    "description" : "All permissions of CSE service.", 
    "links" : { 
      "next" : null, 
      "previous" : null, 
      "self" : "https://sample.domain.com/v3/roles/0b5ea44ebdc64a24a9c372b2317f7..." 
    }, 
    "id" : "0b5ea44ebdc64a24a9c372b2317f7...", 
    "display_name" : "CSE Admin", 
    "type" : "XA", 
    "policy" : { 
      "Version" : "1.1", 
      "Statement" : [ { 
        "Action" : [ "cse:*:*", "ecs:*:*", "evs:*:*", "vpc:*:*" ], 
        "Effect" : "Allow" 
      } ] 
    } 
  } ], 
  "links" : { 
    "next" : null, 
    "previous" : null, 
    "self" : "https://sample.domain.com/v3/roles" 
  } 
}

Status Codes

Status Code

Description

200

The request is successful.

401

Authentication failed.

403

Access denied.

Error Codes

For details, see Error Codes.

Parent topic: Permission Management