policy.yaml

Use the policy.yaml file to define additional access controls that apply to the Identity service:

#"admin_required": "role:admin or is_admin:1"

#"service_role": "role:service"

#"service_or_admin": "rule:admin_required or rule:service_role"

#"owner": "user_id:%(user_id)s"

#"admin_or_owner": "rule:admin_required or rule:owner"

#"token_subject": "user_id:%(target.token.user_id)s"

#"admin_or_token_subject": "rule:admin_required or rule:token_subject"

#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject"

#"domain_managed_target_role": "'manager':%(target.role.name)s or 'member':%(target.role.name)s or 'reader':%(target.role.name)s"

# Show access rule details.
# GET  /v3/users/{user_id}/access_rules/{access_rule_id}
# HEAD  /v3/users/{user_id}/access_rules/{access_rule_id}
# Intended scope(s): system, project
#"identity:get_access_rule": "(role:reader and system_scope:all) or user_id:%(target.user.id)s"

# List access rules for a user.
# GET  /v3/users/{user_id}/access_rules
# HEAD  /v3/users/{user_id}/access_rules
# Intended scope(s): system, project
#"identity:list_access_rules": "(role:reader and system_scope:all) or user_id:%(target.user.id)s"

# Delete an access_rule.
# DELETE  /v3/users/{user_id}/access_rules/{access_rule_id}
# Intended scope(s): system, project
#"identity:delete_access_rule": "(role:admin and system_scope:all) or user_id:%(target.user.id)s"

# Authorize OAUTH1 request token.
# PUT  /v3/OS-OAUTH1/authorize/{request_token_id}
# Intended scope(s): project
#"identity:authorize_request_token": "rule:admin_required"

# Get OAUTH1 access token for user by access token ID.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
# Intended scope(s): project
#"identity:get_access_token": "rule:admin_required"

# Get role for user OAUTH1 access token.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
# Intended scope(s): project
#"identity:get_access_token_role": "rule:admin_required"

# List OAUTH1 access tokens for user.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens
# Intended scope(s): project
#"identity:list_access_tokens": "rule:admin_required"

# List OAUTH1 access token roles.
# GET  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
# Intended scope(s): project
#"identity:list_access_token_roles": "rule:admin_required"

# Delete OAUTH1 access token.
# DELETE  /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
# Intended scope(s): project
#"identity:delete_access_token": "rule:admin_required"

# Show application credential details.
# GET  /v3/users/{user_id}/application_credentials/{application_credential_id}
# HEAD  /v3/users/{user_id}/application_credentials/{application_credential_id}
# Intended scope(s): system, project
#"identity:get_application_credential": "(rule:admin_required) or (role:reader and system_scope:all) or rule:owner"

# DEPRECATED
# "identity:get_application_credential":"rule:admin_or_owner" has been
# deprecated since T in favor of
# "identity:get_application_credential":"(rule:admin_required) or
# (role:reader and system_scope:all) or rule:owner".
# The application credential API is now aware of system scope and
# default roles.

# List application credentials for a user.
# GET  /v3/users/{user_id}/application_credentials
# HEAD  /v3/users/{user_id}/application_credentials
# Intended scope(s): system, project
#"identity:list_application_credentials": "(rule:admin_required) or (role:reader and system_scope:all) or rule:owner"

# DEPRECATED
# "identity:list_application_credentials":"rule:admin_or_owner" has
# been deprecated since T in favor of
# "identity:list_application_credentials":"(rule:admin_required) or
# (role:reader and system_scope:all) or rule:owner".
# The application credential API is now aware of system scope and
# default roles.

# Create an application credential.
# POST  /v3/users/{user_id}/application_credentials
# Intended scope(s): project
#"identity:create_application_credential": "user_id:%(user_id)s"

# Delete an application credential.
# DELETE  /v3/users/{user_id}/application_credentials/{application_credential_id}
# Intended scope(s): system, project
#"identity:delete_application_credential": "rule:admin_or_owner"

# DEPRECATED
# "identity:delete_application_credential":"rule:admin_or_owner" has
# been deprecated since T in favor of
# "identity:delete_application_credential":"rule:admin_or_owner".
# The application credential API is now aware of system scope and
# default roles.

# Get service catalog.
# GET  /v3/auth/catalog
# HEAD  /v3/auth/catalog
#"identity:get_auth_catalog": ""

# List all projects a user has access to via role assignments.
# GET  /v3/auth/projects
# HEAD  /v3/auth/projects
#"identity:get_auth_projects": ""

# List all domains a user has access to via role assignments.
# GET  /v3/auth/domains
# HEAD  /v3/auth/domains
#"identity:get_auth_domains": ""

# List systems a user has access to via role assignments.
# GET  /v3/auth/system
# HEAD  /v3/auth/system
#"identity:get_auth_system": ""

# Show OAUTH1 consumer details.
# GET  /v3/OS-OAUTH1/consumers/{consumer_id}
# Intended scope(s): system, project
#"identity:get_consumer": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_consumer":"rule:admin_required" has been deprecated
# since T in favor of "identity:get_consumer":"rule:admin_required or
# (role:reader and system_scope:all)".
# The OAUTH1 consumer API is now aware of system scope and default
# roles.

# List OAUTH1 consumers.
# GET  /v3/OS-OAUTH1/consumers
# Intended scope(s): system, project
#"identity:list_consumers": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_consumers":"rule:admin_required" has been deprecated
# since T in favor of "identity:list_consumers":"rule:admin_required
# or (role:reader and system_scope:all)".
# The OAUTH1 consumer API is now aware of system scope and default
# roles.

# Create OAUTH1 consumer.
# POST  /v3/OS-OAUTH1/consumers
# Intended scope(s): system, project
#"identity:create_consumer": "rule:admin_required"

# DEPRECATED
# "identity:create_consumer":"rule:admin_required" has been deprecated
# since T in favor of
# "identity:create_consumer":"rule:admin_required".
# The OAUTH1 consumer API is now aware of system scope and default
# roles.

# Update OAUTH1 consumer.
# PATCH  /v3/OS-OAUTH1/consumers/{consumer_id}
# Intended scope(s): system, project
#"identity:update_consumer": "rule:admin_required"

# DEPRECATED
# "identity:update_consumer":"rule:admin_required" has been deprecated
# since T in favor of
# "identity:update_consumer":"rule:admin_required".
# The OAUTH1 consumer API is now aware of system scope and default
# roles.

# Delete OAUTH1 consumer.
# DELETE  /v3/OS-OAUTH1/consumers/{consumer_id}
# Intended scope(s): system, project
#"identity:delete_consumer": "rule:admin_required"

# DEPRECATED
# "identity:delete_consumer":"rule:admin_required" has been deprecated
# since T in favor of
# "identity:delete_consumer":"rule:admin_required".
# The OAUTH1 consumer API is now aware of system scope and default
# roles.

# Show credentials details.
# GET  /v3/credentials/{credential_id}
# Intended scope(s): system, domain, project
#"identity:get_credential": "(rule:admin_required) or (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"

# DEPRECATED
# "identity:get_credential":"rule:admin_required" has been deprecated
# since S in favor of "identity:get_credential":"(rule:admin_required)
# or (role:reader and system_scope:all) or
# user_id:%(target.credential.user_id)s".
# The credential API is now aware of system scope and default roles.

# List credentials.
# GET  /v3/credentials
# Intended scope(s): system, domain, project
#"identity:list_credentials": "(rule:admin_required) or (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"

# DEPRECATED
# "identity:list_credentials":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_credentials":"(rule:admin_required) or (role:reader
# and system_scope:all) or user_id:%(target.credential.user_id)s".
# The credential API is now aware of system scope and default roles.

# Create credential.
# POST  /v3/credentials
# Intended scope(s): system, domain, project
#"identity:create_credential": "(rule:admin_required) or user_id:%(target.credential.user_id)s"

# DEPRECATED
# "identity:create_credential":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:create_credential":"(rule:admin_required) or
# user_id:%(target.credential.user_id)s".
# The credential API is now aware of system scope and default roles.

# Update credential.
# PATCH  /v3/credentials/{credential_id}
# Intended scope(s): system, domain, project
#"identity:update_credential": "(rule:admin_required) or user_id:%(target.credential.user_id)s"

# DEPRECATED
# "identity:update_credential":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:update_credential":"(rule:admin_required) or
# user_id:%(target.credential.user_id)s".
# The credential API is now aware of system scope and default roles.

# Delete credential.
# DELETE  /v3/credentials/{credential_id}
# Intended scope(s): system, domain, project
#"identity:delete_credential": "(rule:admin_required) or user_id:%(target.credential.user_id)s"

# DEPRECATED
# "identity:delete_credential":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:delete_credential":"(rule:admin_required) or
# user_id:%(target.credential.user_id)s".
# The credential API is now aware of system scope and default roles.

# Show domain details.
# GET  /v3/domains/{domain_id}
# Intended scope(s): system, domain, project
#"identity:get_domain": "rule:admin_required or (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s"

# DEPRECATED
# "identity:get_domain":"rule:admin_required or
# token.project.domain.id:%(target.domain.id)s" has been deprecated
# since S in favor of "identity:get_domain":"rule:admin_required or
# (role:reader and system_scope:all) or
# token.domain.id:%(target.domain.id)s or
# token.project.domain.id:%(target.domain.id)s".
# The domain API is now aware of system scope and default roles.

# List domains.
# GET  /v3/domains
# Intended scope(s): system, domain, project
#"identity:list_domains": "rule:admin_required or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain.id)s)"

# DEPRECATED
# "identity:list_domains":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_domains":"rule:admin_required or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.domain.id)s)".
# The domain API is now aware of system scope and default roles.

# Create domain.
# POST  /v3/domains
# Intended scope(s): system, project
#"identity:create_domain": "rule:admin_required"

# DEPRECATED
# "identity:create_domain":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_domain":"rule:admin_required".
# The domain API is now aware of system scope and default roles.

# Update domain.
# PATCH  /v3/domains/{domain_id}
# Intended scope(s): system, project
#"identity:update_domain": "rule:admin_required"

# DEPRECATED
# "identity:update_domain":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_domain":"rule:admin_required".
# The domain API is now aware of system scope and default roles.

# Delete domain.
# DELETE  /v3/domains/{domain_id}
# Intended scope(s): system, project
#"identity:delete_domain": "rule:admin_required"

# DEPRECATED
# "identity:delete_domain":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_domain":"rule:admin_required".
# The domain API is now aware of system scope and default roles.

# Create domain configuration.
# PUT  /v3/domains/{domain_id}/config
# Intended scope(s): system, project
#"identity:create_domain_config": "rule:admin_required"

# DEPRECATED
# "identity:create_domain_config":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:create_domain_config":"rule:admin_required".
# The domain config API is now aware of system scope and default
# roles.

# Get the entire domain configuration for a domain, an option group
# within a domain, or a specific configuration option within a group
# for a domain.
# GET  /v3/domains/{domain_id}/config
# HEAD  /v3/domains/{domain_id}/config
# GET  /v3/domains/{domain_id}/config/{group}
# HEAD  /v3/domains/{domain_id}/config/{group}
# GET  /v3/domains/{domain_id}/config/{group}/{option}
# HEAD  /v3/domains/{domain_id}/config/{group}/{option}
# Intended scope(s): system, project
#"identity:get_domain_config": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_domain_config":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:get_domain_config":"rule:admin_required or (role:reader
# and system_scope:all)".
# The domain config API is now aware of system scope and default
# roles.

# Get security compliance domain configuration for either a domain or
# a specific option in a domain.
# GET  /v3/domains/{domain_id}/config/security_compliance
# HEAD  /v3/domains/{domain_id}/config/security_compliance
# GET  /v3/domains/{domain_id}/config/security_compliance/{option}
# HEAD  /v3/domains/{domain_id}/config/security_compliance/{option}
# Intended scope(s): system, domain, project
#"identity:get_security_compliance_domain_config": ""

# Update domain configuration for either a domain, specific group or a
# specific option in a group.
# PATCH  /v3/domains/{domain_id}/config
# PATCH  /v3/domains/{domain_id}/config/{group}
# PATCH  /v3/domains/{domain_id}/config/{group}/{option}
# Intended scope(s): system, project
#"identity:update_domain_config": "rule:admin_required"

# DEPRECATED
# "identity:update_domain_config":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:update_domain_config":"rule:admin_required".
# The domain config API is now aware of system scope and default
# roles.

# Delete domain configuration for either a domain, specific group or a
# specific option in a group.
# DELETE  /v3/domains/{domain_id}/config
# DELETE  /v3/domains/{domain_id}/config/{group}
# DELETE  /v3/domains/{domain_id}/config/{group}/{option}
# Intended scope(s): system, project
#"identity:delete_domain_config": "rule:admin_required"

# DEPRECATED
# "identity:delete_domain_config":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_domain_config":"rule:admin_required".
# The domain config API is now aware of system scope and default
# roles.

# Get domain configuration default for either a domain, specific group
# or a specific option in a group.
# GET  /v3/domains/config/default
# HEAD  /v3/domains/config/default
# GET  /v3/domains/config/{group}/default
# HEAD  /v3/domains/config/{group}/default
# GET  /v3/domains/config/{group}/{option}/default
# HEAD  /v3/domains/config/{group}/{option}/default
# Intended scope(s): system, project
#"identity:get_domain_config_default": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_domain_config_default":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:get_domain_config_default":"rule:admin_required or
# (role:reader and system_scope:all)".
# The domain config API is now aware of system scope and default
# roles.

# Show ec2 credential details.
# GET  /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
# Intended scope(s): system, project
#"identity:ec2_get_credential": "(rule:admin_required) or (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"

# DEPRECATED
# "identity:ec2_get_credential":"rule:admin_required or (rule:owner
# and user_id:%(target.credential.user_id)s)" has been deprecated
# since T in favor of
# "identity:ec2_get_credential":"(rule:admin_required) or (role:reader
# and system_scope:all) or user_id:%(target.credential.user_id)s".
# The EC2 credential API is now aware of system scope and default
# roles.

# List ec2 credentials.
# GET  /v3/users/{user_id}/credentials/OS-EC2
# Intended scope(s): system, project
#"identity:ec2_list_credentials": "(rule:admin_required) or (role:reader and system_scope:all) or rule:owner"

# DEPRECATED
# "identity:ec2_list_credentials":"rule:admin_or_owner" has been
# deprecated since T in favor of
# "identity:ec2_list_credentials":"(rule:admin_required) or
# (role:reader and system_scope:all) or rule:owner".
# The EC2 credential API is now aware of system scope and default
# roles.

# Create ec2 credential.
# POST  /v3/users/{user_id}/credentials/OS-EC2
# Intended scope(s): system, project
#"identity:ec2_create_credential": "rule:admin_or_owner"

# DEPRECATED
# "identity:ec2_create_credential":"rule:admin_or_owner" has been
# deprecated since T in favor of
# "identity:ec2_create_credential":"rule:admin_or_owner".
# The EC2 credential API is now aware of system scope and default
# roles.

# Delete ec2 credential.
# DELETE  /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
# Intended scope(s): system, project
#"identity:ec2_delete_credential": "(rule:admin_required) or user_id:%(target.credential.user_id)s"

# DEPRECATED
# "identity:ec2_delete_credential":"rule:admin_required or (rule:owner
# and user_id:%(target.credential.user_id)s)" has been deprecated
# since T in favor of
# "identity:ec2_delete_credential":"(rule:admin_required) or
# user_id:%(target.credential.user_id)s".
# The EC2 credential API is now aware of system scope and default
# roles.

# Show endpoint details.
# GET  /v3/endpoints/{endpoint_id}
# Intended scope(s): system, project
#"identity:get_endpoint": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_endpoint":"rule:admin_required" has been deprecated
# since S in favor of "identity:get_endpoint":"rule:admin_required or
# (role:reader and system_scope:all)".
# The endpoint API is now aware of system scope and default roles.

# List endpoints.
# GET  /v3/endpoints
# Intended scope(s): system, project
#"identity:list_endpoints": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_endpoints":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_endpoints":"rule:admin_required
# or (role:reader and system_scope:all)".
# The endpoint API is now aware of system scope and default roles.

# Create endpoint.
# POST  /v3/endpoints
# Intended scope(s): system, project
#"identity:create_endpoint": "rule:admin_required"

# DEPRECATED
# "identity:create_endpoint":"rule:admin_required" has been deprecated
# since S in favor of
# "identity:create_endpoint":"rule:admin_required".
# The endpoint API is now aware of system scope and default roles.

# Update endpoint.
# PATCH  /v3/endpoints/{endpoint_id}
# Intended scope(s): system, project
#"identity:update_endpoint": "rule:admin_required"

# DEPRECATED
# "identity:update_endpoint":"rule:admin_required" has been deprecated
# since S in favor of
# "identity:update_endpoint":"rule:admin_required".
# The endpoint API is now aware of system scope and default roles.

# Delete endpoint.
# DELETE  /v3/endpoints/{endpoint_id}
# Intended scope(s): system, project
#"identity:delete_endpoint": "rule:admin_required"

# DEPRECATED
# "identity:delete_endpoint":"rule:admin_required" has been deprecated
# since S in favor of
# "identity:delete_endpoint":"rule:admin_required".
# The endpoint API is now aware of system scope and default roles.

# Create endpoint group.
# POST  /v3/OS-EP-FILTER/endpoint_groups
# Intended scope(s): system, project
#"identity:create_endpoint_group": "rule:admin_required"

# DEPRECATED
# "identity:create_endpoint_group":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:create_endpoint_group":"rule:admin_required".
# The endpoint groups API is now aware of system scope and default
# roles.

# List endpoint groups.
# GET  /v3/OS-EP-FILTER/endpoint_groups
# Intended scope(s): system, project
#"identity:list_endpoint_groups": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_endpoint_groups":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_endpoint_groups":"rule:admin_required or (role:reader
# and system_scope:all)".
# The endpoint groups API is now aware of system scope and default
# roles.

# Get endpoint group.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# HEAD  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system, project
#"identity:get_endpoint_group": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_endpoint_group":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:get_endpoint_group":"rule:admin_required or (role:reader
# and system_scope:all)".
# The endpoint groups API is now aware of system scope and default
# roles.

# Update endpoint group.
# PATCH  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system, project
#"identity:update_endpoint_group": "rule:admin_required"

# DEPRECATED
# "identity:update_endpoint_group":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:update_endpoint_group":"rule:admin_required".
# The endpoint groups API is now aware of system scope and default
# roles.

# Delete endpoint group.
# DELETE  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# Intended scope(s): system, project
#"identity:delete_endpoint_group": "rule:admin_required"

# DEPRECATED
# "identity:delete_endpoint_group":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_endpoint_group":"rule:admin_required".
# The endpoint groups API is now aware of system scope and default
# roles.

# List all projects associated with a specific endpoint group.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
# Intended scope(s): system, project
#"identity:list_projects_associated_with_endpoint_group": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_projects_associated_with_endpoint_group":"rule:admin_
# required" has been deprecated since T in favor of "identity:list_pro
# jects_associated_with_endpoint_group":"rule:admin_required or
# (role:reader and system_scope:all)".
# The endpoint groups API is now aware of system scope and default
# roles.

# List all endpoints associated with an endpoint group.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
# Intended scope(s): system, project
#"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_endpoints_associated_with_endpoint_group":"rule:admin
# _required" has been deprecated since T in favor of "identity:list_en
# dpoints_associated_with_endpoint_group":"rule:admin_required or
# (role:reader and system_scope:all)".
# The endpoint groups API is now aware of system scope and default
# roles.

# Check if an endpoint group is associated with a project.
# GET  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# HEAD  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system, project
#"identity:get_endpoint_group_in_project": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_endpoint_group_in_project":"rule:admin_required" has
# been deprecated since T in favor of
# "identity:get_endpoint_group_in_project":"rule:admin_required or
# (role:reader and system_scope:all)".
# The endpoint groups API is now aware of system scope and default
# roles.

# List endpoint groups associated with a specific project.
# GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
# Intended scope(s): system, project
#"identity:list_endpoint_groups_for_project": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_endpoint_groups_for_project":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:list_endpoint_groups_for_project":"rule:admin_required or
# (role:reader and system_scope:all)".
# The endpoint groups API is now aware of system scope and default
# roles.

# Allow a project to access an endpoint group.
# PUT  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system, project
#"identity:add_endpoint_group_to_project": "rule:admin_required"

# DEPRECATED
# "identity:add_endpoint_group_to_project":"rule:admin_required" has
# been deprecated since T in favor of
# "identity:add_endpoint_group_to_project":"rule:admin_required".
# The endpoint groups API is now aware of system scope and default
# roles.

# Remove endpoint group from project.
# DELETE  /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# Intended scope(s): system, project
#"identity:remove_endpoint_group_from_project": "rule:admin_required"

# DEPRECATED
# "identity:remove_endpoint_group_from_project":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:remove_endpoint_group_from_project":"rule:admin_required".
# The endpoint groups API is now aware of system scope and default
# roles.

# Check a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable.
# HEAD  /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# GET  /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# HEAD  /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# GET  /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# HEAD  /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# GET  /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# HEAD  /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# GET  /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# HEAD  /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# GET  /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# HEAD  /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# GET  /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# HEAD  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# GET  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# HEAD  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# GET  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system, domain, project
#"identity:check_grant": "(rule:admin_required) or ((role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s))"

# DEPRECATED
# "identity:check_grant":"rule:admin_required" has been deprecated
# since S in favor of "identity:check_grant":"(rule:admin_required) or
# ((role:reader and system_scope:all) or ((role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s)) and
# (domain_id:%(target.role.domain_id)s or
# None:%(target.role.domain_id)s))".
# The assignment API is now aware of system scope and default roles.

# List roles granted to an actor on a target. A target can be either a
# domain or a project. An actor can be either a user or a group. For
# the OS-INHERIT APIs, it is possible to list inherited role grants
# for actors on domains, where grants are inherited to all projects in
# the specified domain.
# GET  /v3/projects/{project_id}/users/{user_id}/roles
# HEAD  /v3/projects/{project_id}/users/{user_id}/roles
# GET  /v3/projects/{project_id}/groups/{group_id}/roles
# HEAD  /v3/projects/{project_id}/groups/{group_id}/roles
# GET  /v3/domains/{domain_id}/users/{user_id}/roles
# HEAD  /v3/domains/{domain_id}/users/{user_id}/roles
# GET  /v3/domains/{domain_id}/groups/{group_id}/roles
# HEAD  /v3/domains/{domain_id}/groups/{group_id}/roles
# GET  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
# GET  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
# Intended scope(s): system, domain, project
#"identity:list_grants": "(rule:admin_required) or ((role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))"

# DEPRECATED
# "identity:list_grants":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_grants":"(rule:admin_required) or
# ((role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s))".
# The assignment API is now aware of system scope and default roles.

# Create a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable.
# PUT  /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# PUT  /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# PUT  /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# PUT  /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# PUT  /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# PUT  /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# PUT  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# PUT  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system, domain, project
#"identity:create_grant": "(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s) or ((role:manager and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:manager and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:manager and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:manager and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and rule:domain_managed_target_role"

# DEPRECATED
# "identity:create_grant":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_grant":"(rule:admin_required)
# or ((role:admin and domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:admin and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s)) and
# (domain_id:%(target.role.domain_id)s or
# None:%(target.role.domain_id)s) or ((role:manager and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:manager and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:manager and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:manager and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s)) and
# rule:domain_managed_target_role".
# The assignment API is now aware of system scope and default roles.

# Revoke a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable. In that case, revoking the role grant in the target
# would remove the logical effect of inheriting it to the target's
# projects subtree.
# DELETE  /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# DELETE  /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# DELETE  /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# DELETE  /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# DELETE  /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# DELETE  /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# DELETE  /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# DELETE  /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system, domain, project
#"identity:revoke_grant": "(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s) or ((role:manager and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:manager and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:manager and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:manager and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and rule:domain_managed_target_role"

# DEPRECATED
# "identity:revoke_grant":"rule:admin_required" has been deprecated
# since S in favor of "identity:revoke_grant":"(rule:admin_required)
# or ((role:admin and domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:admin and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s)) and
# (domain_id:%(target.role.domain_id)s or
# None:%(target.role.domain_id)s) or ((role:manager and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:manager and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:manager and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:manager and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s)) and
# rule:domain_managed_target_role".
# The assignment API is now aware of system scope and default roles.

# List all grants a specific user has on the system.
# ['HEAD', 'GET']  /v3/system/users/{user_id}/roles
# Intended scope(s): system, project
#"identity:list_system_grants_for_user": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_system_grants_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:list_system_grants_for_user":"rule:admin_required or
# (role:reader and system_scope:all)".
# The assignment API is now aware of system scope and default roles.

# Check if a user has a role on the system.
# ['HEAD', 'GET']  /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:check_system_grant_for_user": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:check_system_grant_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:check_system_grant_for_user":"rule:admin_required or
# (role:reader and system_scope:all)".
# The assignment API is now aware of system scope and default roles.

# Grant a user a role on the system.
# ['PUT']  /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:create_system_grant_for_user": "rule:admin_required"

# DEPRECATED
# "identity:create_system_grant_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:create_system_grant_for_user":"rule:admin_required".
# The assignment API is now aware of system scope and default roles.

# Remove a role from a user on the system.
# ['DELETE']  /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:revoke_system_grant_for_user": "rule:admin_required"

# DEPRECATED
# "identity:revoke_system_grant_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:revoke_system_grant_for_user":"rule:admin_required".
# The assignment API is now aware of system scope and default roles.

# List all grants a specific group has on the system.
# ['HEAD', 'GET']  /v3/system/groups/{group_id}/roles
# Intended scope(s): system, project
#"identity:list_system_grants_for_group": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_system_grants_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:list_system_grants_for_group":"rule:admin_required or
# (role:reader and system_scope:all)".
# The assignment API is now aware of system scope and default roles.

# Check if a group has a role on the system.
# ['HEAD', 'GET']  /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:check_system_grant_for_group": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:check_system_grant_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:check_system_grant_for_group":"rule:admin_required or
# (role:reader and system_scope:all)".
# The assignment API is now aware of system scope and default roles.

# Grant a group a role on the system.
# ['PUT']  /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:create_system_grant_for_group": "rule:admin_required"

# DEPRECATED
# "identity:create_system_grant_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:create_system_grant_for_group":"rule:admin_required".
# The assignment API is now aware of system scope and default roles.

# Remove a role from a group on the system.
# ['DELETE']  /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:revoke_system_grant_for_group": "rule:admin_required"

# DEPRECATED
# "identity:revoke_system_grant_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:revoke_system_grant_for_group":"rule:admin_required".
# The assignment API is now aware of system scope and default roles.

# Show group details.
# GET  /v3/groups/{group_id}
# HEAD  /v3/groups/{group_id}
# Intended scope(s): system, domain, project
#"identity:get_group": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"

# DEPRECATED
# "identity:get_group":"rule:admin_required" has been deprecated since
# S in favor of "identity:get_group":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.

# List groups.
# GET  /v3/groups
# HEAD  /v3/groups
# Intended scope(s): system, domain, project
#"identity:list_groups": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"

# DEPRECATED
# "identity:list_groups":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_groups":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.

# List groups to which a user belongs.
# GET  /v3/users/{user_id}/groups
# HEAD  /v3/users/{user_id}/groups
# Intended scope(s): system, domain, project
#"identity:list_groups_for_user": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s"

# DEPRECATED
# "identity:list_groups_for_user":"rule:admin_or_owner" has been
# deprecated since S in favor of
# "identity:list_groups_for_user":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s".
# The group API is now aware of system scope and default roles.

# Create group.
# POST  /v3/groups
# Intended scope(s): system, domain, project
#"identity:create_group": "(rule:admin_required) or (role:manager and domain_id:%(target.group.domain_id)s)"

# DEPRECATED
# "identity:create_group":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_group":"(rule:admin_required)
# or (role:manager and domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.

# Update group.
# PATCH  /v3/groups/{group_id}
# Intended scope(s): system, domain, project
#"identity:update_group": "(rule:admin_required) or (role:manager and domain_id:%(target.group.domain_id)s)"

# DEPRECATED
# "identity:update_group":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_group":"(rule:admin_required)
# or (role:manager and domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.

# Delete group.
# DELETE  /v3/groups/{group_id}
# Intended scope(s): system, domain, project
#"identity:delete_group": "(rule:admin_required) or (role:manager and domain_id:%(target.group.domain_id)s)"

# DEPRECATED
# "identity:delete_group":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_group":"(rule:admin_required)
# or (role:manager and domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.

# List members of a specific group.
# GET  /v3/groups/{group_id}/users
# HEAD  /v3/groups/{group_id}/users
# Intended scope(s): system, domain, project
#"identity:list_users_in_group": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"

# DEPRECATED
# "identity:list_users_in_group":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_users_in_group":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.

# Remove user from group.
# DELETE  /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system, domain, project
#"identity:remove_user_from_group": "(rule:admin_required) or (role:manager and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"

# DEPRECATED
# "identity:remove_user_from_group":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:remove_user_from_group":"(rule:admin_required) or
# (role:manager and domain_id:%(target.group.domain_id)s and
# domain_id:%(target.user.domain_id)s)".
# The group API is now aware of system scope and default roles.

# Check whether a user is a member of a group.
# HEAD  /v3/groups/{group_id}/users/{user_id}
# GET  /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system, domain, project
#"identity:check_user_in_group": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"

# DEPRECATED
# "identity:check_user_in_group":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:check_user_in_group":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.user.domain_id)s)".
# The group API is now aware of system scope and default roles.

# Add user to group.
# PUT  /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system, domain, project
#"identity:add_user_to_group": "(rule:admin_required) or (role:manager and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"

# DEPRECATED
# "identity:add_user_to_group":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:add_user_to_group":"(rule:admin_required) or (role:manager
# and domain_id:%(target.group.domain_id)s and
# domain_id:%(target.user.domain_id)s)".
# The group API is now aware of system scope and default roles.

# Create identity provider.
# PUT  /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system, project
#"identity:create_identity_provider": "rule:admin_required"

# DEPRECATED
# "identity:create_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:create_identity_provider":"rule:admin_required".
# The identity provider API is now aware of system scope and default
# roles.

# List identity providers.
# GET  /v3/OS-FEDERATION/identity_providers
# HEAD  /v3/OS-FEDERATION/identity_providers
# Intended scope(s): system, project
#"identity:list_identity_providers": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_identity_providers":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_identity_providers":"rule:admin_required or
# (role:reader and system_scope:all)".
# The identity provider API is now aware of system scope and default
# roles.

# Get identity provider.
# GET  /v3/OS-FEDERATION/identity_providers/{idp_id}
# HEAD  /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system, project
#"identity:get_identity_provider": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:get_identity_provider":"rule:admin_required or
# (role:reader and system_scope:all)".
# The identity provider API is now aware of system scope and default
# roles.

# Update identity provider.
# PATCH  /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system, project
#"identity:update_identity_provider": "rule:admin_required"

# DEPRECATED
# "identity:update_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:update_identity_provider":"rule:admin_required".
# The identity provider API is now aware of system scope and default
# roles.

# Delete identity provider.
# DELETE  /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system, project
#"identity:delete_identity_provider": "rule:admin_required"

# DEPRECATED
# "identity:delete_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:delete_identity_provider":"rule:admin_required".
# The identity provider API is now aware of system scope and default
# roles.

# Get information about an association between two roles. When a
# relationship exists between a prior role and an implied role and the
# prior role is assigned to a user, the user also assumes the implied
# role.
# GET  /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system, project
#"identity:get_implied_role": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_implied_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:get_implied_role":"rule:admin_required or (role:reader and
# system_scope:all)".
# The implied role API is now aware of system scope and default roles.

# List associations between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role. This
# will return all the implied roles that would be assumed by the user
# who gets the specified prior role.
# GET  /v3/roles/{prior_role_id}/implies
# HEAD  /v3/roles/{prior_role_id}/implies
# Intended scope(s): system, project
#"identity:list_implied_roles": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_implied_roles":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_implied_roles":"rule:admin_required or (role:reader
# and system_scope:all)".
# The implied role API is now aware of system scope and default roles.

# Create an association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role.
# PUT  /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system, project
#"identity:create_implied_role": "rule:admin_required"

# DEPRECATED
# "identity:create_implied_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:create_implied_role":"rule:admin_required".
# The implied role API is now aware of system scope and default roles.

# Delete the association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role. Removing
# the association will cause that effect to be eliminated.
# DELETE  /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system, project
#"identity:delete_implied_role": "rule:admin_required"

# DEPRECATED
# "identity:delete_implied_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_implied_role":"rule:admin_required".
# The implied role API is now aware of system scope and default roles.

# List all associations between two roles in the system. When a
# relationship exists between a prior role and an implied role and the
# prior role is assigned to a user, the user also assumes the implied
# role.
# GET  /v3/role_inferences
# HEAD  /v3/role_inferences
# Intended scope(s): system, project
#"identity:list_role_inference_rules": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_role_inference_rules":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_role_inference_rules":"rule:admin_required or
# (role:reader and system_scope:all)".
# The implied role API is now aware of system scope and default roles.

# Check an association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role.
# HEAD  /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system, project
#"identity:check_implied_role": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:check_implied_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:check_implied_role":"rule:admin_required or (role:reader
# and system_scope:all)".
# The implied role API is now aware of system scope and default roles.

# Get limit enforcement model.
# GET  /v3/limits/model
# HEAD  /v3/limits/model
# Intended scope(s): system, domain, project
#"identity:get_limit_model": ""

# Show limit details.
# GET  /v3/limits/{limit_id}
# HEAD  /v3/limits/{limit_id}
# Intended scope(s): system, domain, project
#"identity:get_limit": "rule:admin_required or (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)"

# List limits.
# GET  /v3/limits
# HEAD  /v3/limits
# Intended scope(s): system, domain, project
#"identity:list_limits": ""

# Create limits.
# POST  /v3/limits
# Intended scope(s): system, project
#"identity:create_limits": "rule:admin_required"

# Update limit.
# PATCH  /v3/limits/{limit_id}
# Intended scope(s): system, project
#"identity:update_limit": "rule:admin_required"

# Delete limit.
# DELETE  /v3/limits/{limit_id}
# Intended scope(s): system, project
#"identity:delete_limit": "rule:admin_required"

# Create a new federated mapping containing one or more sets of rules.
# PUT  /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system, project
#"identity:create_mapping": "rule:admin_required"

# DEPRECATED
# "identity:create_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_mapping":"rule:admin_required".
# The federated mapping API is now aware of system scope and default
# roles.

# Get a federated mapping.
# GET  /v3/OS-FEDERATION/mappings/{mapping_id}
# HEAD  /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system, project
#"identity:get_mapping": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:get_mapping":"rule:admin_required or
# (role:reader and system_scope:all)".
# The federated mapping API is now aware of system scope and default
# roles.

# List federated mappings.
# GET  /v3/OS-FEDERATION/mappings
# HEAD  /v3/OS-FEDERATION/mappings
# Intended scope(s): system, project
#"identity:list_mappings": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_mappings":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_mappings":"rule:admin_required or
# (role:reader and system_scope:all)".
# The federated mapping API is now aware of system scope and default
# roles.

# Delete a federated mapping.
# DELETE  /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system, project
#"identity:delete_mapping": "rule:admin_required"

# DEPRECATED
# "identity:delete_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_mapping":"rule:admin_required".
# The federated mapping API is now aware of system scope and default
# roles.

# Update a federated mapping.
# PATCH  /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system, project
#"identity:update_mapping": "rule:admin_required"

# DEPRECATED
# "identity:update_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_mapping":"rule:admin_required".
# The federated mapping API is now aware of system scope and default
# roles.

# Show policy details.
# GET  /v3/policies/{policy_id}
# Intended scope(s): system, project
#"identity:get_policy": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_policy":"rule:admin_required" has been deprecated
# since T in favor of "identity:get_policy":"rule:admin_required or
# (role:reader and system_scope:all)".
# The policy API is now aware of system scope and default roles.

# List policies.
# GET  /v3/policies
# Intended scope(s): system, project
#"identity:list_policies": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_policies":"rule:admin_required" has been deprecated
# since T in favor of "identity:list_policies":"rule:admin_required or
# (role:reader and system_scope:all)".
# The policy API is now aware of system scope and default roles.

# Create policy.
# POST  /v3/policies
# Intended scope(s): system, project
#"identity:create_policy": "rule:admin_required"

# DEPRECATED
# "identity:create_policy":"rule:admin_required" has been deprecated
# since T in favor of "identity:create_policy":"rule:admin_required".
# The policy API is now aware of system scope and default roles.

# Update policy.
# PATCH  /v3/policies/{policy_id}
# Intended scope(s): system, project
#"identity:update_policy": "rule:admin_required"

# DEPRECATED
# "identity:update_policy":"rule:admin_required" has been deprecated
# since T in favor of "identity:update_policy":"rule:admin_required".
# The policy API is now aware of system scope and default roles.

# Delete policy.
# DELETE  /v3/policies/{policy_id}
# Intended scope(s): system, project
#"identity:delete_policy": "rule:admin_required"

# DEPRECATED
# "identity:delete_policy":"rule:admin_required" has been deprecated
# since T in favor of "identity:delete_policy":"rule:admin_required".
# The policy API is now aware of system scope and default roles.

# Associate a policy to a specific endpoint.
# PUT  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system, project
#"identity:create_policy_association_for_endpoint": "rule:admin_required"

# DEPRECATED
# "identity:create_policy_association_for_endpoint":"rule:admin_requir
# ed" has been deprecated since T in favor of "identity:create_policy_
# association_for_endpoint":"rule:admin_required".
# The policy association API is now aware of system scope and default
# roles.

# Check policy association for endpoint.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system, project
#"identity:check_policy_association_for_endpoint": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:check_policy_association_for_endpoint":"rule:admin_require
# d" has been deprecated since T in favor of "identity:check_policy_as
# sociation_for_endpoint":"rule:admin_required or (role:reader and
# system_scope:all)".
# The policy association API is now aware of system scope and default
# roles.

# Delete policy association for endpoint.
# DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system, project
#"identity:delete_policy_association_for_endpoint": "rule:admin_required"

# DEPRECATED
# "identity:delete_policy_association_for_endpoint":"rule:admin_requir
# ed" has been deprecated since T in favor of "identity:delete_policy_
# association_for_endpoint":"rule:admin_required".
# The policy association API is now aware of system scope and default
# roles.

# Associate a policy to a specific service.
# PUT  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system, project
#"identity:create_policy_association_for_service": "rule:admin_required"

# DEPRECATED
# "identity:create_policy_association_for_service":"rule:admin_require
# d" has been deprecated since T in favor of "identity:create_policy_a
# ssociation_for_service":"rule:admin_required".
# The policy association API is now aware of system scope and default
# roles.

# Check policy association for service.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system, project
#"identity:check_policy_association_for_service": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:check_policy_association_for_service":"rule:admin_required
# " has been deprecated since T in favor of
# "identity:check_policy_association_for_service":"rule:admin_required
# or (role:reader and system_scope:all)".
# The policy association API is now aware of system scope and default
# roles.

# Delete policy association for service.
# DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system, project
#"identity:delete_policy_association_for_service": "rule:admin_required"

# DEPRECATED
# "identity:delete_policy_association_for_service":"rule:admin_require
# d" has been deprecated since T in favor of "identity:delete_policy_a
# ssociation_for_service":"rule:admin_required".
# The policy association API is now aware of system scope and default
# roles.

# Associate a policy to a specific region and service combination.
# PUT  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system, project
#"identity:create_policy_association_for_region_and_service": "rule:admin_required"

# DEPRECATED
# "identity:create_policy_association_for_region_and_service":"rule:ad
# min_required" has been deprecated since T in favor of "identity:crea
# te_policy_association_for_region_and_service":"rule:admin_required".
# The policy association API is now aware of system scope and default
# roles.

# Check policy association for region and service.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# HEAD  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system, project
#"identity:check_policy_association_for_region_and_service": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:check_policy_association_for_region_and_service":"rule:adm
# in_required" has been deprecated since T in favor of "identity:check
# _policy_association_for_region_and_service":"rule:admin_required or
# (role:reader and system_scope:all)".
# The policy association API is now aware of system scope and default
# roles.

# Delete policy association for region and service.
# DELETE  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system, project
#"identity:delete_policy_association_for_region_and_service": "rule:admin_required"

# DEPRECATED
# "identity:delete_policy_association_for_region_and_service":"rule:ad
# min_required" has been deprecated since T in favor of "identity:dele
# te_policy_association_for_region_and_service":"rule:admin_required".
# The policy association API is now aware of system scope and default
# roles.

# Get policy for endpoint.
# GET  /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
# HEAD  /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
# Intended scope(s): system, project
#"identity:get_policy_for_endpoint": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_policy_for_endpoint":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:get_policy_for_endpoint":"rule:admin_required or
# (role:reader and system_scope:all)".
# The policy association API is now aware of system scope and default
# roles.

# List endpoints for policy.
# GET  /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
# Intended scope(s): system, project
#"identity:list_endpoints_for_policy": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_endpoints_for_policy":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_endpoints_for_policy":"rule:admin_required or
# (role:reader and system_scope:all)".
# The policy association API is now aware of system scope and default
# roles.

# Show project details.
# GET  /v3/projects/{project_id}
# Intended scope(s): system, domain, project
#"identity:get_project": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"

# DEPRECATED
# "identity:get_project":"rule:admin_required or
# project_id:%(target.project.id)s" has been deprecated since S in
# favor of "identity:get_project":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.project.domain_id)s) or
# project_id:%(target.project.id)s".
# The project API is now aware of system scope and default roles.

# List projects.
# GET  /v3/projects
# Intended scope(s): system, domain, project
#"identity:list_projects": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"

# DEPRECATED
# "identity:list_projects":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_projects":"(rule:admin_required)
# or (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.domain_id)s)".
# The project API is now aware of system scope and default roles.

# List projects for user.
# GET  /v3/users/{user_id}/projects
# Intended scope(s): system, domain, project
#"identity:list_user_projects": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"

# DEPRECATED
# "identity:list_user_projects":"rule:admin_or_owner" has been
# deprecated since S in favor of
# "identity:list_user_projects":"(rule:admin_required) or (role:reader
# and system_scope:all) or (role:reader and
# domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s".
# The project API is now aware of system scope and default roles.

# Create project.
# POST  /v3/projects
# Intended scope(s): system, domain, project
#"identity:create_project": "(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)"

# DEPRECATED
# "identity:create_project":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_project":"(rule:admin_required)
# or (role:manager and domain_id:%(target.project.domain_id)s)".
# The project API is now aware of system scope and default roles.

# Update project.
# PATCH  /v3/projects/{project_id}
# Intended scope(s): system, domain, project
#"identity:update_project": "(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)"

# DEPRECATED
# "identity:update_project":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_project":"(rule:admin_required)
# or (role:manager and domain_id:%(target.project.domain_id)s)".
# The project API is now aware of system scope and default roles.

# Delete project.
# DELETE  /v3/projects/{project_id}
# Intended scope(s): system, domain, project
#"identity:delete_project": "(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)"

# DEPRECATED
# "identity:delete_project":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_project":"(rule:admin_required)
# or (role:manager and domain_id:%(target.project.domain_id)s)".
# The project API is now aware of system scope and default roles.

# List tags for a project.
# GET  /v3/projects/{project_id}/tags
# HEAD  /v3/projects/{project_id}/tags
# Intended scope(s): system, domain, project
#"identity:list_project_tags": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"

# DEPRECATED
# "identity:list_project_tags":"rule:admin_required or
# project_id:%(target.project.id)s" has been deprecated since T in
# favor of "identity:list_project_tags":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.project.domain_id)s) or
# project_id:%(target.project.id)s".
# The project API is now aware of system scope and default roles.

# Check if project contains a tag.
# GET  /v3/projects/{project_id}/tags/{value}
# HEAD  /v3/projects/{project_id}/tags/{value}
# Intended scope(s): system, domain, project
#"identity:get_project_tag": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"

# DEPRECATED
# "identity:get_project_tag":"rule:admin_required or
# project_id:%(target.project.id)s" has been deprecated since T in
# favor of "identity:get_project_tag":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.project.domain_id)s) or
# project_id:%(target.project.id)s".
# The project API is now aware of system scope and default roles.

# Replace all tags on a project with the new set of tags.
# PUT  /v3/projects/{project_id}/tags
# Intended scope(s): system, domain, project
#"identity:update_project_tags": "(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)"

# DEPRECATED
# "identity:update_project_tags":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:update_project_tags":"(rule:admin_required) or
# (role:manager and domain_id:%(target.project.domain_id)s)".
# The project API is now aware of system scope and default roles.

# Add a single tag to a project.
# PUT  /v3/projects/{project_id}/tags/{value}
# Intended scope(s): system, domain, project
#"identity:create_project_tag": "(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)"

# DEPRECATED
# "identity:create_project_tag":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:create_project_tag":"(rule:admin_required) or
# (role:manager and domain_id:%(target.project.domain_id)s)".
# The project API is now aware of system scope and default roles.

# Remove all tags from a project.
# DELETE  /v3/projects/{project_id}/tags
# Intended scope(s): system, domain, project
#"identity:delete_project_tags": "(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)"

# DEPRECATED
# "identity:delete_project_tags":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_project_tags":"(rule:admin_required) or
# (role:manager and domain_id:%(target.project.domain_id)s)".
# The project API is now aware of system scope and default roles.

# Delete a specified tag from project.
# DELETE  /v3/projects/{project_id}/tags/{value}
# Intended scope(s): system, domain, project
#"identity:delete_project_tag": "(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)"

# DEPRECATED
# "identity:delete_project_tag":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_project_tag":"(rule:admin_required) or
# (role:manager and domain_id:%(target.project.domain_id)s)".
# The project API is now aware of system scope and default roles.

# List projects allowed to access an endpoint.
# GET  /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
# Intended scope(s): system, project
#"identity:list_projects_for_endpoint": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_projects_for_endpoint":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_projects_for_endpoint":"rule:admin_required or
# (role:reader and system_scope:all)".
# As of the Train release, the project endpoint API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the project endpoint API.

# Allow project to access an endpoint.
# PUT  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# Intended scope(s): system, project
#"identity:add_endpoint_to_project": "rule:admin_required"

# DEPRECATED
# "identity:add_endpoint_to_project":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:add_endpoint_to_project":"rule:admin_required".
# As of the Train release, the project endpoint API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the project endpoint API.

# Check if a project is allowed to access an endpoint.
# GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# HEAD  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# Intended scope(s): system, project
#"identity:check_endpoint_in_project": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:check_endpoint_in_project":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:check_endpoint_in_project":"rule:admin_required or
# (role:reader and system_scope:all)".
# As of the Train release, the project endpoint API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the project endpoint API.

# List the endpoints a project is allowed to access.
# GET  /v3/OS-EP-FILTER/projects/{project_id}/endpoints
# Intended scope(s): system, project
#"identity:list_endpoints_for_project": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_endpoints_for_project":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_endpoints_for_project":"rule:admin_required or
# (role:reader and system_scope:all)".
# As of the Train release, the project endpoint API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the project endpoint API.

# Remove access to an endpoint from a project that has previously been
# given explicit access.
# DELETE  /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# Intended scope(s): system, project
#"identity:remove_endpoint_from_project": "rule:admin_required"

# DEPRECATED
# "identity:remove_endpoint_from_project":"rule:admin_required" has
# been deprecated since T in favor of
# "identity:remove_endpoint_from_project":"rule:admin_required".
# As of the Train release, the project endpoint API now understands
# default roles and system-scoped tokens, making the API more granular
# by default without compromising security. The new policy defaults
# account for these changes automatically. Be sure to take these new
# defaults into consideration if you are relying on overrides in your
# deployment for the project endpoint API.

# Create federated protocol.
# PUT  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system, project
#"identity:create_protocol": "rule:admin_required"

# DEPRECATED
# "identity:create_protocol":"rule:admin_required" has been deprecated
# since S in favor of
# "identity:create_protocol":"rule:admin_required".
# The federated protocol API is now aware of system scope and default
# roles.

# Update federated protocol.
# PATCH  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system, project
#"identity:update_protocol": "rule:admin_required"

# DEPRECATED
# "identity:update_protocol":"rule:admin_required" has been deprecated
# since S in favor of
# "identity:update_protocol":"rule:admin_required".
# The federated protocol API is now aware of system scope and default
# roles.

# Get federated protocol.
# GET  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system, project
#"identity:get_protocol": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_protocol":"rule:admin_required" has been deprecated
# since S in favor of "identity:get_protocol":"rule:admin_required or
# (role:reader and system_scope:all)".
# The federated protocol API is now aware of system scope and default
# roles.

# List federated protocols.
# GET  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
# Intended scope(s): system, project
#"identity:list_protocols": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_protocols":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_protocols":"rule:admin_required
# or (role:reader and system_scope:all)".
# The federated protocol API is now aware of system scope and default
# roles.

# Delete federated protocol.
# DELETE  /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system, project
#"identity:delete_protocol": "rule:admin_required"

# DEPRECATED
# "identity:delete_protocol":"rule:admin_required" has been deprecated
# since S in favor of
# "identity:delete_protocol":"rule:admin_required".
# The federated protocol API is now aware of system scope and default
# roles.

# Show region details.
# GET  /v3/regions/{region_id}
# HEAD  /v3/regions/{region_id}
# Intended scope(s): system, domain, project
#"identity:get_region": ""

# List regions.
# GET  /v3/regions
# HEAD  /v3/regions
# Intended scope(s): system, domain, project
#"identity:list_regions": ""

# Create region.
# POST  /v3/regions
# PUT  /v3/regions/{region_id}
# Intended scope(s): system, project
#"identity:create_region": "rule:admin_required"

# DEPRECATED
# "identity:create_region":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_region":"rule:admin_required".
# The region API is now aware of system scope and default roles.

# Update region.
# PATCH  /v3/regions/{region_id}
# Intended scope(s): system, project
#"identity:update_region": "rule:admin_required"

# DEPRECATED
# "identity:update_region":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_region":"rule:admin_required".
# The region API is now aware of system scope and default roles.

# Delete region.
# DELETE  /v3/regions/{region_id}
# Intended scope(s): system, project
#"identity:delete_region": "rule:admin_required"

# DEPRECATED
# "identity:delete_region":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_region":"rule:admin_required".
# The region API is now aware of system scope and default roles.

# Show registered limit details.
# GET  /v3/registered_limits/{registered_limit_id}
# HEAD  /v3/registered_limits/{registered_limit_id}
# Intended scope(s): system, domain, project
#"identity:get_registered_limit": ""

# List registered limits.
# GET  /v3/registered_limits
# HEAD  /v3/registered_limits
# Intended scope(s): system, domain, project
#"identity:list_registered_limits": ""

# Create registered limits.
# POST  /v3/registered_limits
# Intended scope(s): system, project
#"identity:create_registered_limits": "rule:admin_required"

# Update registered limit.
# PATCH  /v3/registered_limits/{registered_limit_id}
# Intended scope(s): system, project
#"identity:update_registered_limit": "rule:admin_required"

# Delete registered limit.
# DELETE  /v3/registered_limits/{registered_limit_id}
# Intended scope(s): system, project
#"identity:delete_registered_limit": "rule:admin_required"

# List revocation events.
# GET  /v3/OS-REVOKE/events
# Intended scope(s): system, project
#"identity:list_revoke_events": "rule:service_or_admin"

# Show role details.
# GET  /v3/roles/{role_id}
# HEAD  /v3/roles/{role_id}
# Intended scope(s): system, domain, project
#"identity:get_role": "(rule:admin_required or (role:reader and system_scope:all)) or (role:manager and rule:domain_managed_target_role)"

# DEPRECATED
# "identity:get_role":"rule:admin_required" has been deprecated since
# S in favor of "identity:get_role":"(rule:admin_required or
# (role:reader and system_scope:all)) or (role:manager and
# rule:domain_managed_target_role)".
# The role API is now aware of system scope and default roles.

# List roles.
# GET  /v3/roles
# HEAD  /v3/roles
# Intended scope(s): system, domain, project
#"identity:list_roles": "(rule:admin_required or (role:reader and system_scope:all)) or (role:manager and not domain_id:None)"

# DEPRECATED
# "identity:list_roles":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_roles":"(rule:admin_required or
# (role:reader and system_scope:all)) or (role:manager and not
# domain_id:None)".
# The role API is now aware of system scope and default roles.

# Create role.
# POST  /v3/roles
# Intended scope(s): system, project
#"identity:create_role": "rule:admin_required"

# DEPRECATED
# "identity:create_role":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_role":"rule:admin_required".
# The role API is now aware of system scope and default roles.

# Update role.
# PATCH  /v3/roles/{role_id}
# Intended scope(s): system, project
#"identity:update_role": "rule:admin_required"

# DEPRECATED
# "identity:update_role":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_role":"rule:admin_required".
# The role API is now aware of system scope and default roles.

# Delete role.
# DELETE  /v3/roles/{role_id}
# Intended scope(s): system, project
#"identity:delete_role": "rule:admin_required"

# DEPRECATED
# "identity:delete_role":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_role":"rule:admin_required".
# The role API is now aware of system scope and default roles.

# Show domain role.
# GET  /v3/roles/{role_id}
# HEAD  /v3/roles/{role_id}
# Intended scope(s): system, project
#"identity:get_domain_role": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_domain_role":"rule:admin_required" has been deprecated
# since T in favor of "identity:get_domain_role":"rule:admin_required
# or (role:reader and system_scope:all)".
# The role API is now aware of system scope and default roles.

# List domain roles.
# GET  /v3/roles?domain_id={domain_id}
# HEAD  /v3/roles?domain_id={domain_id}
# Intended scope(s): system, project
#"identity:list_domain_roles": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_domain_roles":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_domain_roles":"rule:admin_required or (role:reader
# and system_scope:all)".
# The role API is now aware of system scope and default roles.

# Create domain role.
# POST  /v3/roles
# Intended scope(s): system, project
#"identity:create_domain_role": "rule:admin_required"

# DEPRECATED
# "identity:create_domain_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:create_domain_role":"rule:admin_required".
# The role API is now aware of system scope and default roles.

# Update domain role.
# PATCH  /v3/roles/{role_id}
# Intended scope(s): system, project
#"identity:update_domain_role": "rule:admin_required"

# DEPRECATED
# "identity:update_domain_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:update_domain_role":"rule:admin_required".
# The role API is now aware of system scope and default roles.

# Delete domain role.
# DELETE  /v3/roles/{role_id}
# Intended scope(s): system, project
#"identity:delete_domain_role": "rule:admin_required"

# DEPRECATED
# "identity:delete_domain_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_domain_role":"rule:admin_required".
# The role API is now aware of system scope and default roles.

# List role assignments.
# GET  /v3/role_assignments
# HEAD  /v3/role_assignments
# Intended scope(s): system, domain, project
#"identity:list_role_assignments": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"

# DEPRECATED
# "identity:list_role_assignments":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_role_assignments":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.domain_id)s)".
# The assignment API is now aware of system scope and default roles.

# List all role assignments for a given tree of hierarchical projects.
# GET  /v3/role_assignments?include_subtree
# HEAD  /v3/role_assignments?include_subtree
# Intended scope(s): system, domain, project
#"identity:list_role_assignments_for_tree": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"

# DEPRECATED
# "identity:list_role_assignments_for_tree":"rule:admin_required" has
# been deprecated since T in favor of
# "identity:list_role_assignments_for_tree":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.domain_id)s)".
# The assignment API is now aware of system scope and default roles.

# Show service details.
# GET  /v3/services/{service_id}
# Intended scope(s): system, project
#"identity:get_service": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_service":"rule:admin_required" has been deprecated
# since S in favor of "identity:get_service":"rule:admin_required or
# (role:reader and system_scope:all)".
# The service API is now aware of system scope and default roles.

# List services.
# GET  /v3/services
# Intended scope(s): system, project
#"identity:list_services": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_services":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_services":"rule:admin_required or
# (role:reader and system_scope:all)".
# The service API is now aware of system scope and default roles.

# Create service.
# POST  /v3/services
# Intended scope(s): system, project
#"identity:create_service": "rule:admin_required"

# DEPRECATED
# "identity:create_service":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_service":"rule:admin_required".
# The service API is now aware of system scope and default roles.

# Update service.
# PATCH  /v3/services/{service_id}
# Intended scope(s): system, project
#"identity:update_service": "rule:admin_required"

# DEPRECATED
# "identity:update_service":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_service":"rule:admin_required".
# The service API is now aware of system scope and default roles.

# Delete service.
# DELETE  /v3/services/{service_id}
# Intended scope(s): system, project
#"identity:delete_service": "rule:admin_required"

# DEPRECATED
# "identity:delete_service":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_service":"rule:admin_required".
# The service API is now aware of system scope and default roles.

# Create federated service provider.
# PUT  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system, project
#"identity:create_service_provider": "rule:admin_required"

# DEPRECATED
# "identity:create_service_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:create_service_provider":"rule:admin_required".
# The service provider API is now aware of system scope and default
# roles.

# List federated service providers.
# GET  /v3/OS-FEDERATION/service_providers
# HEAD  /v3/OS-FEDERATION/service_providers
# Intended scope(s): system, project
#"identity:list_service_providers": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_service_providers":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_service_providers":"rule:admin_required or
# (role:reader and system_scope:all)".
# The service provider API is now aware of system scope and default
# roles.

# Get federated service provider.
# GET  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# HEAD  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system, project
#"identity:get_service_provider": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:get_service_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:get_service_provider":"rule:admin_required or (role:reader
# and system_scope:all)".
# The service provider API is now aware of system scope and default
# roles.

# Update federated service provider.
# PATCH  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system, project
#"identity:update_service_provider": "rule:admin_required"

# DEPRECATED
# "identity:update_service_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:update_service_provider":"rule:admin_required".
# The service provider API is now aware of system scope and default
# roles.

# Delete federated service provider.
# DELETE  /v3/OS-FEDERATION/service_providers/{service_provider_id}
# Intended scope(s): system, project
#"identity:delete_service_provider": "rule:admin_required"

# DEPRECATED
# "identity:delete_service_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:delete_service_provider":"rule:admin_required".
# The service provider API is now aware of system scope and default
# roles.

# DEPRECATED
# "identity:revocation_list" has been deprecated since T.
# The identity:revocation_list policy isn't used to protect any APIs
# in keystone now that the revocation list API has been deprecated and
# only returns a 410 or 403 depending on how keystone is configured.
# This policy can be safely removed from policy files.
# List revoked PKI tokens.
# GET  /v3/auth/tokens/OS-PKI/revoked
# Intended scope(s): system, project
#"identity:revocation_list": "rule:service_or_admin"

# Check a token.
# HEAD  /v3/auth/tokens
# Intended scope(s): system, domain, project
#"identity:check_token": "rule:admin_required or (role:reader and system_scope:all) or rule:token_subject"

# DEPRECATED
# "identity:check_token":"rule:admin_or_token_subject" has been
# deprecated since T in favor of
# "identity:check_token":"rule:admin_required or (role:reader and
# system_scope:all) or rule:token_subject".
# The token API is now aware of system scope and default roles.

# Validate a token.
# GET  /v3/auth/tokens
# Intended scope(s): system, domain, project
#"identity:validate_token": "rule:admin_required or (role:reader and system_scope:all) or rule:service_role or rule:token_subject"

# DEPRECATED
# "identity:validate_token":"rule:service_admin_or_token_subject" has
# been deprecated since T in favor of
# "identity:validate_token":"rule:admin_required or (role:reader and
# system_scope:all) or rule:service_role or rule:token_subject".
# The token API is now aware of system scope and default roles.

# Revoke a token.
# DELETE  /v3/auth/tokens
# Intended scope(s): system, domain, project
#"identity:revoke_token": "rule:admin_required or rule:token_subject"

# DEPRECATED
# "identity:revoke_token":"rule:admin_or_token_subject" has been
# deprecated since T in favor of
# "identity:revoke_token":"rule:admin_required or rule:token_subject".
# The token API is now aware of system scope and default roles.

# Create trust.
# POST  /v3/OS-TRUST/trusts
# Intended scope(s): project
#"identity:create_trust": "user_id:%(trust.trustor_user_id)s"

# List trusts.
# GET  /v3/OS-TRUST/trusts
# HEAD  /v3/OS-TRUST/trusts
# Intended scope(s): system, project
#"identity:list_trusts": "rule:admin_required or (role:reader and system_scope:all)"

# DEPRECATED
# "identity:list_trusts":"rule:admin_required" has been deprecated
# since T in favor of "identity:list_trusts":"rule:admin_required or
# (role:reader and system_scope:all)".
# The trust API is now aware of system scope and default roles.

# List trusts for trustor.
# GET  /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
# HEAD  /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
# Intended scope(s): system, project
#"identity:list_trusts_for_trustor": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s)"

# List trusts for trustee.
# GET  /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
# HEAD  /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
# Intended scope(s): system, project
#"identity:list_trusts_for_trustee": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s)"

# List roles delegated by a trust.
# GET  /v3/OS-TRUST/trusts/{trust_id}/roles
# HEAD  /v3/OS-TRUST/trusts/{trust_id}/roles
# Intended scope(s): system, project
#"identity:list_roles_for_trust": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)"

# DEPRECATED
# "identity:list_roles_for_trust":"user_id:%(target.trust.trustor_user
# _id)s or user_id:%(target.trust.trustee_user_id)s" has been
# deprecated since T in favor of
# "identity:list_roles_for_trust":"(rule:admin_required) or
# (role:reader and system_scope:all or
# user_id:%(target.trust.trustor_user_id)s or
# user_id:%(target.trust.trustee_user_id)s)".
# The trust API is now aware of system scope and default roles.

# Check if trust delegates a particular role.
# GET  /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
# HEAD  /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:get_role_for_trust": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)"

# DEPRECATED
# "identity:get_role_for_trust":"user_id:%(target.trust.trustor_user_i
# d)s or user_id:%(target.trust.trustee_user_id)s" has been deprecated
# since T in favor of
# "identity:get_role_for_trust":"(rule:admin_required) or (role:reader
# and system_scope:all or user_id:%(target.trust.trustor_user_id)s or
# user_id:%(target.trust.trustee_user_id)s)".
# The trust API is now aware of system scope and default roles.

# Revoke trust.
# DELETE  /v3/OS-TRUST/trusts/{trust_id}
# Intended scope(s): system, project
#"identity:delete_trust": "rule:admin_required or user_id:%(target.trust.trustor_user_id)s"

# DEPRECATED
# "identity:delete_trust":"user_id:%(target.trust.trustor_user_id)s"
# has been deprecated since T in favor of
# "identity:delete_trust":"rule:admin_required or
# user_id:%(target.trust.trustor_user_id)s".
# The trust API is now aware of system scope and default roles.

# Get trust.
# GET  /v3/OS-TRUST/trusts/{trust_id}
# HEAD  /v3/OS-TRUST/trusts/{trust_id}
# Intended scope(s): system, project
#"identity:get_trust": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)"

# DEPRECATED
# "identity:get_trust":"user_id:%(target.trust.trustor_user_id)s or
# user_id:%(target.trust.trustee_user_id)s" has been deprecated since
# T in favor of "identity:get_trust":"(rule:admin_required) or
# (role:reader and system_scope:all or
# user_id:%(target.trust.trustor_user_id)s or
# user_id:%(target.trust.trustee_user_id)s)".
# The trust API is now aware of system scope and default roles.

# Show user details.
# GET  /v3/users/{user_id}
# HEAD  /v3/users/{user_id}
# Intended scope(s): system, domain, project
#"identity:get_user": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"

# DEPRECATED
# "identity:get_user":"rule:admin_or_owner" has been deprecated since
# S in favor of "identity:get_user":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# token.domain.id:%(target.user.domain_id)s) or
# user_id:%(target.user.id)s".
# The user API is now aware of system scope and default roles.

# List users.
# GET  /v3/users
# HEAD  /v3/users
# Intended scope(s): system, domain, project
#"identity:list_users": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"

# DEPRECATED
# "identity:list_users":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_users":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.domain_id)s)".
# The user API is now aware of system scope and default roles.

# List all projects a user has access to via role assignments.
# GET   /v3/auth/projects
#"identity:list_projects_for_user": ""

# List all domains a user has access to via role assignments.
# GET  /v3/auth/domains
#"identity:list_domains_for_user": ""

# Create a user.
# POST  /v3/users
# Intended scope(s): system, domain, project
#"identity:create_user": "(rule:admin_required) or (role:manager and token.domain.id:%(target.user.domain_id)s)"

# DEPRECATED
# "identity:create_user":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_user":"(rule:admin_required) or
# (role:manager and token.domain.id:%(target.user.domain_id)s)".
# The user API is now aware of system scope and default roles.

# Update a user, including administrative password resets.
# PATCH  /v3/users/{user_id}
# Intended scope(s): system, domain, project
#"identity:update_user": "(rule:admin_required) or (role:manager and token.domain.id:%(target.user.domain_id)s)"

# DEPRECATED
# "identity:update_user":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_user":"(rule:admin_required) or
# (role:manager and token.domain.id:%(target.user.domain_id)s)".
# The user API is now aware of system scope and default roles.

# Delete a user.
# DELETE  /v3/users/{user_id}
# Intended scope(s): system, domain, project
#"identity:delete_user": "(rule:admin_required) or (role:manager and token.domain.id:%(target.user.domain_id)s)"

# DEPRECATED
# "identity:delete_user":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_user":"(rule:admin_required) or
# (role:manager and token.domain.id:%(target.user.domain_id)s)".
# The user API is now aware of system scope and default roles.