文档首页/ 统一身份认证服务 IAM/ API参考/ 权限及授权项/ 授权项

更新时间：2025-08-15 GMT+08:00

查看PDF

授权项

Token管理

权限	对应API接口	授权项（Action）	IAM项目 (Project)	企业项目 (Enterprise Project)
获取委托Token	POST /v3/auth/tokens	iam:tokens:assume	-	-

权限

对应API接口

授权项（Action）

IAM项目

(Project)

企业项目

(Enterprise Project)

获取委托Token

POST /v3/auth/tokens

iam:tokens:assume

访问密钥管理

权限	对应API接口	授权项	IAM项目 (Project)	企业项目 (Enterprise Project)
查询所有永久访问密钥	GET /v3.0/OS-CREDENTIAL/credentials	iam:credentials:listCredentials	-	-
查询指定永久访问密钥	GET /v3.0/OS-CREDENTIAL/credentials/{access_key}	iam:credentials:getCredential	-	-
创建永久访问密钥	POST /v3.0/OS-CREDENTIAL/credentials	iam:credentials:createCredential	-	-
修改指定永久访问密钥	PUT /v3.0/OS-CREDENTIAL/credentials/{access_key}	iam:credentials:updateCredential	-	-
删除指定永久访问密钥	DELETE /v3.0/OS-CREDENTIAL/credentials/{access_key}	iam:credentials:deleteCredential	-	-

虚拟MFA管理

权限	对应API接口	授权项	IAM项目 (Project)	企业项目 (Enterprise Project)
绑定MFA设备	PUT /v3.0/OS-MFA/mfa-devices/bind	iam:mfa:bindMFADevice	-	-
解绑MFA设备	PUT /v3.0/OS-MFA/mfa-devices/unbind	iam:mfa:unbindMFADevice	-	-
创建虚拟MFA设备密钥	POST /v3.0/OS-MFA/virtual-mfa-devices	iam:mfa:createVirtualMFADevice	-	-
删除MFA设备	DELETE /v3.0/OS-MFA/virtual-mfa-devices	iam:mfa:deleteVirtualMFADevice	-	-

项目管理

权限	对应API接口	授权项	IAM项目 (Project)	企业项目 (Enterprise Project)
查询项目列表	GET /v3/projects	iam:projects:listProjects	-	-
创建项目	POST /v3/projects	iam:projects:createProject	-	-
修改项目信息	PATCH /v3/projects/{project_id}	iam:projects:updateProject	-	-
设置项目状态	PUT /v3-ext/projects/{project_id}	iam:projects:updateProject	-	-
查询指定IAM用户的项目列表	GET /v3/users/{user_id}/projects	iam:projects:listProjectsForUser	-	-
删除指定项目	×	iam:projects:deleteProject	-	-
查询指定项目的配额	GET /v3.0/OS-QUOTA/projects/{project_id}	iam:quotas:listQuotasForProject	-	-

账号管理

权限	对应API接口	授权项	IAM项目 (Project)	企业项目 (Enterprise Project)
查询账号配额	GET /v3.0/OS-QUOTA/domains/{domain_id}	iam:quotas:listQuotas	-	-

权限

对应API接口

授权项

IAM项目

(Project)

企业项目

(Enterprise Project)

查询账号配额

GET /v3.0/OS-QUOTA/domains/{domain_id}

iam:quotas:listQuotas

IAM用户管理

权限	对应API接口	授权项	IAM项目 (Project)	企业项目 (Enterprise Project)
管理员查询IAM用户列表	GET /v3/users	iam:users:listUsers	-	-
管理员创建IAM用户	POST /v3/users	iam:users:createUser	-	-
管理员修改IAM用户信息	PATCH /v3/users/{user_id}	iam:users:updateUser	-	-
管理员删除IAM用户	DELETE /v3/users/{user_id}	iam:users:deleteUser	-	-
管理员创建IAM用户（推荐）	POST /v3.0/OS-USER/users	iam:users:createUser	-	-
查询用户详情(包含邮箱和手机号码)	GET /v3.0/OS-USER/users/{user_id}	iam:users:getUser	-	-
查询IAM用户详情	GET /v3/users/{user_id}	iam:users:getUser	-	-
管理员重置IAM用户密码	×	iam:users:resetUserPassword	-	-
设置登录保护	×	iam:users:setUserLoginProtect	-	-
查询指定项目上有权限的用户列表	×	iam:users:listUsersForProject	-	-
查询IAM用户的MFA绑定信息列表	GET /v3.0/OS-MFA/virtual-mfa-devices	iam:mfa:listVirtualMFADevices	-	-
查询指定IAM用户的MFA绑定信息	GET /v3.0/OS-MFA/users/{user_id}/virtual-mfa-device	iam:mfa:getVirtualMFADevice	-	-
查询IAM用户的登录保护状态信息列表	GET /v3.0/OS-USER/login-protects	iam:users:listUserLoginProtects	-	-
查询指定IAM用户的登录保护状态信息	GET /v3.0/OS-USER/users/{user_id}/login-protect	iam:users:getUserLoginProtect	-	-

用户组管理

权限	对应API接口	授权项	IAM项目 (Project)	企业项目 (Enterprise Project)
查询IAM用户所属用户组	GET /v3/users/{user_id}/groups	iam:groups:listGroupsForUser	-	-
管理员查询用户组所包含的IAM用户	GET /v3/groups/{group_id}/users	iam:users:listUsersForGroup	-	-
查询用户组列表	GET /v3/groups	iam:groups:listGroups	-	-
查询用户组详情	GET /v3/groups/{group_id}	iam:groups:getGroup	-	-
创建用户组	POST /v3/groups	iam:groups:createGroup	-	-
更新用户组	PATCH /v3/groups/{group_id}	iam:groups:updateGroup	-	-
删除用户组	DELETE /v3/groups/{group_id}	iam:groups:deleteGroup iam:permissions:removeUserFromGroup iam:permissions:revokeRoleFromGroup iam:permissions:revokeRoleFromGroupOnProject iam:permissions:revokeRoleFromGroupOnDomain	-	-
查询用户是否在用户组中	HEAD /v3/groups/{group_id}/users/{user_id}	iam:permissions:checkUserInGroup	-	-
添加IAM用户到用户组	PUT /v3/groups/{group_id}/users/{user_id}	iam:permissions:addUserToGroup	-	-
移除用户组中的IAM用户	DELETE /v3/groups/{group_id}/users/{user_id}	iam:permissions:removeUserFromGroup	-	-

权限管理

权限	对应API接口	授权项	IAM项目 (Project)	企业项目 (Enterprise Project)
查询权限列表	GET /v3/roles	iam:roles:listRoles	-	-
查询权限详情	GET /v3/roles/{role_id}	iam:roles:getRole	-	-
查询租户授权信息	GET /v3.0/OS-PERMISSION/role-assignments	iam:permissions:listRoleAssignments	√	√
查询全局服务中的用户组权限	GET /v3/domains/{domain_id}/groups/{group_id}/roles	iam:permissions:listRolesForGroupOnDomain	-	-
查询项目服务中的用户组权限	GET /v3/projects/{project_id}/groups/{group_id}/roles	iam:permissions:listRolesForGroupOnProject	-	-
为用户组授予全局服务权限	PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}	iam:permissions:grantRoleToGroupOnDomain	-	-
为用户组授予项目服务权限	PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}	iam:permissions:grantRoleToGroupOnProject	-	-
移除用户组的项目服务权限	DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}	iam:permissions:revokeRoleFromGroupOnProject	-	-
移除用户组的全局服务权限	DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}	iam:permissions:revokeRoleFromGroupOnDomain	-	-
查询用户组是否拥有全局服务权限	HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}	iam:permissions:checkRoleForGroupOnDomain	-	-
查询用户组是否拥有项目服务权限	HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}	iam:permissions:checkRoleForGroupOnProject	-	-
为用户组授予所有项目服务权限	PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects	iam:permissions:grantRoleToGroup	-	-
查询用户在指定项目上拥有的权限	×	iam:permissions:listRolesForUserOnProject	-	-
查询用户组的所有权限	×	iam:permissions:listRolesForGroup	-	-
查询用户组是否拥有指定权限	×	iam:permissions:checkRoleForGroup	-	-
移除用户组的指定权限	×	iam:permissions:revokeRoleFromGroup	-	-
查询账号授权记录	×	iam:permissions:listRoleAssignments	-	-

自定义策略管理

权限	对应API接口	授权项	IAM项目 (Project)	企业项目 (Enterprise Project)
查询自定义策略列表	GET /v3.0/OS-ROLE/roles	iam:roles:listRoles	-	-
查询自定义策略详情	GET /v3.0/OS-ROLE/roles/{role_id}	iam:roles:getRole	-	-
创建云服务自定义策略	POST /v3.0/OS-ROLE/roles	iam:roles:createRole	-	-
修改云服务自定义策略	PATCH /v3.0/OS-ROLE/roles/{role_id}	iam:roles:updateRole	-	-
删除自定义策略	DELETE /v3.0/OS-ROLE/roles/{role_id}	iam:roles:deleteRole	-	-

委托管理

权限	对应API接口	授权项	IAM项目 (Project)	企业项目 (Enterprise Project)
创建委托	POST /v3.0/OS-AGENCY/agencies	iam:agencies:createAgency	-	-
查询指定条件下的委托列表	GET /v3.0/OS-AGENCY/agencies	iam:agencies:listAgencies	-	-
查询委托详情	GET /v3.0/OS-AGENCY/agencies/{agency_id}	iam:agencies:getAgency	-	-
修改委托	PUT /v3.0/OS-AGENCY/agencies/{agency_id}	iam:agencies:updateAgency	-	-
删除委托	DELETE /v3.0/OS-AGENCY/agencies/{agency_id}	iam:agencies:deleteAgency	-	-
为委托授予项目服务权限	PUT /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id}	iam:permissions:grantRoleToAgencyOnProject	-	-
查询委托是否拥有项目服务权限	HEAD /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id}	iam:permissions:checkRoleForAgencyOnProject	-	-
查询项目服务中的委托权限	GET /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles	iam:permissions:listRolesForAgencyOnProject	-	-
移除委托的项目服务权限	DELETE /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id}	iam:permissions:revokeRoleFromAgencyOnProject	-	-
为委托授予全局服务权限	PUT /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}	iam:permissions:grantRoleToAgencyOnDomain	-	-
查询委托是否拥有全局服务权限	HEAD /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}	iam:permissions:checkRoleForAgencyOnDomain	-	-
查询全局服务中的委托权限	GET /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles	iam:permissions:listRolesForAgencyOnDomain	-	-
移除委托的全局服务权限	DELETE /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}	iam:permissions:revokeRoleFromAgencyOnDomain	-	-
查询委托的所有权限	GET /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/inherited_to_projects	iam:permissions:listRolesForAgency	-	-
查询委托是否拥有指定权限	HEAD /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects	iam:permissions:checkRoleForAgency	-	-
为委托授予指定权限	PUT /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects	iam:permissions:grantRoleToAgency	-	-
移除委托的指定权限	DELETE /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects	iam:permissions:revokeRoleFromAgency	-	-

企业项目管理

权限	对应API接口	授权项	IAM项目 (Project)	企业项目 (Enterprise Project)
查询企业项目关联的用户组	GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups	iam:permissions:listGroupsOnEnterpriseProject	-	√
查询企业项目已关联用户组的权限	GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles	iam:permissions:listRolesForGroupOnEnterpriseProject	-	√
基于用户组为企业项目授权	PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id}	iam:permissions:grantRoleToGroupOnEnterpriseProject	-	√
删除企业项目关联的用户组权限	DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id}	iam:permissions:revokeRoleFromGroupOnEnterpriseProject	-	√
查询用户组关联的企业项目	GET /v3.0/OS-PERMISSION/groups/{group_id}/enterprise-projects	iam:permissions:listEnterpriseProjectsForGroup	-	√
查询用户直接关联的企业项目	GET /v3.0/OS-PERMISSION/users/{user_id}/enterprise-projects	iam:permissions:listEnterpriseProjectsForUser	-	√
查询企业项目直接关联用户	GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users	iam:permissions:listUsersForEnterpriseProject	-	√
查询企业项目直接关联用户的角色	GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles	iam:permissions:listRolesForUserOnEnterpriseProject	-	√
基于用户为企业项目授权	PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id}	iam:permissions:grantRoleToUserOnEnterpriseProject	-	√
删除企业项目直接关联用户的权限	DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id}	iam:permissions:revokeRoleFromUserOnEnterpriseProject	-	√

安全设置

权限	对应API接口	授权项	IAM项目 (Project)	企业项目 (Enterprise Project)
修改账号操作保护策略	PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy	iam:securitypolicies:updateProtectPolicy	-	-
查询账号操作保护策略	GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy	iam:securitypolicies:getProtectPolicy	-	-
修改账号密码策略	PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy	iam:securitypolicies:updatePasswordPolicy	-	-
查询账号密码策略	GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy	iam:securitypolicies:getPasswordPolicy	-	-
修改账号登录策略	PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy	iam:securitypolicies:updateLoginPolicy	-	-
查询账号登录策略	GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy	iam:securitypolicies:getLoginPolicy	-	-
修改账号控制台访问策略	PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy	iam:securitypolicies:updateConsoleAclPolicy	-	-
查询账号控制台访问策略	GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy	iam:securitypolicies:getConsoleAclPolicy	-	-
修改账号接口访问策略	PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy	iam:securitypolicies:updateApiAclPolicy	-	-
查询账号接口访问策略	GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy	iam:securitypolicies:getApiAclPolicy	-	-

联邦身份认证管理

权限	对应API接口	授权项	IAM项目 (Project)	企业项目 (Enterprise Project)
查询身份提供商列表	GET /v3/OS-FEDERATION/identity_providers	iam:identityProviders:listIdentityProviders	-	-
查询身份提供商详情	GET /v3/OS-FEDERATION/identity_providers/{id}	iam:identityProviders:getIdentityProvider	-	-
创建SAML身份提供商	PUT /v3/OS-FEDERATION/identity_providers/{id}	iam:identityProviders:createIdentityProvider	-	-
修改SAML身份提供商配置	PATCH /v3/OS-FEDERATION/identity_providers/{id}	iam:identityProviders:updateIdentityProvider	-	-
删除SAML身份提供商	DELETE /v3/OS-FEDERATION/identity_providers/{id}	iam:identityProviders:deleteIdentityProvider	-	-
创建OIDC身份提供商	POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config	iam:identityProviders:createOpenIDConnectConfig	-	-
修改OIDC身份提供商配置	PUT /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config	iam:identityProviders:updateOpenIDConnectConfig	-	-
查询OIDC身份提供商	GET /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config	iam:identityProviders:getOpenIDConnectConfig	-	-
查询映射列表	GET /v3/OS-FEDERATION/mappings	iam:identityProviders:listMappings	-	-
查询映射详情	GET /v3/OS-FEDERATION/mappings/{id}	iam:identityProviders:getMapping	-	-
注册映射	PUT /v3/OS-FEDERATION/mappings/{id}	iam:identityProviders:createMapping	-	-
更新映射	PATCH /v3/OS-FEDERATION/mappings/{id}	iam:identityProviders:updateMapping	-	-
删除映射	DELETE /v3/OS-FEDERATION/mappings/{id}	iam:identityProviders:deleteMapping	-	-
查询协议列表	GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols	iam:identityProviders:listProtocols	-	-
查询协议详情	GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}	iam:identityProviders:getProtocol	-	-
注册协议	PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}	iam:identityProviders:createProtocol	-	-
更新协议	PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}	iam:identityProviders:updateProtocol	-	-
删除协议	DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}	iam:identityProviders:deleteProtocol	-	-
查询Metadata文件	GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata	iam:identityProviders:getIDPMetadata	-	-
导入Metadata文件	POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata	iam:identityProviders:createIDPMetadata	-	-

父主题： 权限及授权项

上一篇：权限及授权项说明

下一篇：附录

意见反馈

文档内容是否对您有帮助？

有帮助没帮助

提供反馈

提交成功！非常感谢您的反馈，我们会继续努力做到更好！您可在我的云声建议查看反馈及问题处理状态。

系统繁忙，请稍后重试

在使用文档中是否遇到以下问题

内容与产品页面不一致

内容不易理解

缺失示例代码

步骤不可操作

搜不到想要的内容

缺少最佳实践

意见反馈（选填）

0/500

请至少选择一项反馈信息并填写问题反馈

字符长度不能超过500

直接提交取消

如您有其它疑问，您也可以通过华为云社区问答频道来与我们联系探讨

盘古Doer提问云社区提问

授权项