Help Center> Identity and Access Management> API Reference> Permissions and Actions> Actions

Actions

Token Management

Permission	API	Action	IAM Project	Enterprise Project
Obtaining an Agency Token	POST /v3/auth/tokens	iam:tokens:assume	-	-

Access Key Management

Permission	API	Action	IAM Project	Enterprise Project
Listing Permanent Access Keys	GET /v3.0/OS-CREDENTIAL/credentials	iam:credentials:listCredentials	-	-
Querying a Permanent Access Key	GET /v3.0/OS-CREDENTIAL/credentials/{access_key}	iam:credentials:getCredential	-	-
Creating a Permanent Access Key	POST /v3.0/OS-CREDENTIAL/credentials	iam:credentials:createCredential	-	-
Modifying a Permanent Access Key	PUT /v3.0/OS-CREDENTIAL/credentials/{access_key}	iam:credentials:updateCredential	-	-
Deleting a Permanent Access Key	DELETE /v3.0/OS-CREDENTIAL/credentials/{access_key}	iam:credentials:deleteCredential	-	-

Virtual MFA Device Management

Permission	API	Action	IAM Project	Enterprise Project
Binding a Virtual MFA Device	PUT /v3.0/OS-MFA/mfa-devices/bind	iam:mfa:bindMFADevice	-	-
Unbinding a Virtual MFA Device	PUT /v3.0/OS-MFA/mfa-devices/unbind	iam:mfa:unbindMFADevice	-	-
Generating a Secret Key for Binding a Virtual MFA Device	POST /v3.0/OS-MFA/virtual-mfa-devices	iam:mfa:createVirtualMFADevice	-	-
Deleting a Virtual MFA Device	DELETE /v3.0/OS-MFA/virtual-mfa-devices	iam:mfa:deleteVirtualMFADevice	-	-

Project Management

Permission	API	Action	IAM Project	Enterprise Project
Listing Projects	GET /v3/projects	iam:projects:listProjects	-	-
Creating a Project	POST /v3/projects	iam:projects:createProject	-	-
Modifying Project Information	PATCH /v3/projects/{project_id}	iam:projects:updateProject	-	-
Changing Project Status	PUT /v3-ext/projects/{project_id}	iam:projects:updateProject	-	-
Listing the Projects Accessible to a User	GET /v3/users/{user_id}/projects	iam:projects:listProjectsForUser	-	-
Deleting a Project	×	iam:projects:deleteProject	-	-
Querying the Quotas of a Project	GET /v3.0/OS-QUOTA/projects/{project_id}	iam:quotas:listQuotasForProject	-	-

Account Management

Permission	API	Action	IAM Project (Project)	Enterprise Project (Enterprise Project)
Querying the Quotas of an Account	GET /v3.0/OS-QUOTA/domains/{domain_id}	iam:quotas:listQuotas	-	-

Permission

API

Action

IAM Project

(Project)

Enterprise Project

(Enterprise Project)

Querying the Quotas of an Account

GET /v3.0/OS-QUOTA/domains/{domain_id}

iam:quotas:listQuotas

IAM User Management

Permission	API	Action	IAM Project	Enterprise Project
Listing IAM Users	GET /v3/users	iam:users:listUsers	-	-
Creating an IAM User	POST /v3/users	iam:users:createUser	-	-
Modifying User Information	PATCH /v3/users/{user_id}	iam:users:updateUser	-	-
Deleting an IAM User	DELETE /v3/users/{user_id}	iam:users:deleteUser	-	-
Creating an IAM User (Recommended)	POST /v3.0/OS-USER/users	iam:users:createUser	-	-
Querying IAM User Details (Including Email Address and Mobile Number)	GET /v3.0/OS-USER/users/{user_id}	iam:users:getUser	-	-
Querying IAM User Details	GET /v3/users/{user_id}	iam:users:getUser	-	-
Resetting an IAM User's Password	×	iam:users:resetUserPassword	-	-
Configuring Login Protection	×	iam:users:setUserLoginProtect	-	-
Listing Users Who Have Access to a Specified Project	×	iam:users:listUsersForProject	-	-
Querying MFA Device Information of IAM Users	GET /v3.0/OS-MFA/virtual-mfa-devices	iam:mfa:listVirtualMFADevices	-	-
Querying the MFA Device Information of an IAM User	GET /v3.0/OS-MFA/users/{user_id}/virtual-mfa-device	iam:mfa:getVirtualMFADevice	-	-
Querying Login Protection Configurations of IAM Users	GET /v3.0/OS-USER/login-protects	iam:users:listUserLoginProtects	-	-
Querying the Login Protection Configuration of an IAM User	GET /v3.0/OS-USER/users/{user_id}/login-protect	iam:users:getUserLoginProtect	-	-

User Group Management

Permission	API	Action	IAM Project	Enterprise Project
Querying the User Groups to Which an IAM User Belongs	GET /v3/users/{user_id}/groups	iam:groups:listGroupsForUser	-	-
Querying the IAM Users in a Group	GET /v3/groups/{group_id}/users	iam:users:listUsersForGroup	-	-
Listing User Groups	GET /v3/groups	iam:groups:listGroups	-	-
Querying User Group Details	GET /v3/groups/{group_id}	iam:groups:getGroup	-	-
Creating a User Group	POST /v3/groups	iam:groups:createGroup	-	-
Updating User Group Information	PATCH /v3/groups/{group_id}	iam:groups:updateGroup	-	-
Deleting a User Group	DELETE /v3/groups/{group_id}	iam:groups:deleteGroup iam:permissions:removeUserFromGroup iam:permissions:revokeRoleFromGroup iam:permissions:revokeRoleFromGroupOnProject iam:permissions:revokeRoleFromGroupOnDomain	-	-
Checking Whether an IAM User Belongs to a User Group	HEAD /v3/groups/{group_id}/users/{user_id}	iam:permissions:checkUserInGroup	-	-
Adding an IAM User to a User Group	PUT /v3/groups/{group_id}/users/{user_id}	iam:permissions:addUserToGroup	-	-
Removing an IAM User from a User Group	DELETE /v3/groups/{group_id}/users/{user_id}	iam:permissions:removeUserFromGroup	-	-

Permissions Management

Permission	API	Action	IAM Project	Enterprise Project
Listing Permissions	GET /v3/roles	iam:roles:listRoles	-	-
Querying Permission Details	GET /v3/roles/{role_id}	iam:roles:getRole	-	-
Querying Permissions of a User Group for the Global Service Project	GET /v3/domains/{domain_id}/groups/{group_id}/roles	iam:permissions:listRolesForGroupOnDomain	-	-
Querying Permissions of a User Group for a Region-specific Project	GET /v3/projects/{project_id}/groups/{group_id}/roles	iam:permissions:listRolesForGroupOnProject	-	-
Granting Permissions to a User Group for the Global Service Project	PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}	iam:permissions:grantRoleToGroupOnDomain	-	-
Granting Permissions to a User Group for a Region-specific Project	PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}	iam:permissions:grantRoleToGroupOnProject	-	-
Removing Permissions of a User Group for a Region-specific Project	DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}	iam:permissions:revokeRoleFromGroupOnProject	-	-
Removing Permissions of a User Group for the Global Service Project	DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}	iam:permissions:revokeRoleFromGroupOnDomain	-	-
Checking Whether a User Group Has Specified Permissions for the Global Service Project	HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}	iam:permissions:checkRoleForGroupOnDomain	-	-
Checking Whether a User Group Has Specified Permissions for a Region-specific Project	HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}	iam:permissions:checkRoleForGroupOnProject	-	-
Granting Specified Permissions to a User Group for All Projects	PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects	iam:permissions:grantRoleToGroup	-	-
Querying the Permissions Granted to a User for a Specified Project	×	iam:permissions:listRolesForUserOnProject	-	-
Querying All Permissions of a User Group	×	iam:permissions:listRolesForGroup	-	-
Checking Whether a User Group Has Specified Permissions	×	iam:permissions:checkRoleForGroup	-	-
Removing Permissions of a User Group	×	iam:permissions:revokeRoleFromGroup	-	-
Query Permission Assignment Records	×	iam:permissions:listRoleAssignments	-	-

Custom Policy Management

Permission	API	Action	IAM Project	Enterprise Project
Listing Custom Policies	GET /v3.0/OS-ROLE/roles	iam:roles:listRoles	-	-
Querying Custom Policy Details	GET /v3.0/OS-ROLE/roles/{role_id}	iam:roles:getRole	-	-
Creating a Custom Policy for Cloud Services	POST /v3.0/OS-ROLE/roles	iam:roles:createRole	-	-
Modifying a Custom Policy for Cloud Services	PATCH /v3.0/OS-ROLE/roles/{role_id}	iam:roles:updateRole	-	-
Deleting a Custom Policy	DELETE /v3.0/OS-ROLE/roles/{role_id}	iam:roles:deleteRole	-	-

Agency Management

Permission	API	Action	IAM Project	Enterprise Project
Creating an Agency	POST /v3.0/OS-AGENCY/agencies	iam:agencies:createAgency	-	-
Listing Agencies	GET /v3.0/OS-AGENCY/agencies	iam:agencies:listAgencies	-	-
Querying Agency Details	GET /v3.0/OS-AGENCY/agencies/{agency_id}	iam:agencies:getAgency	-	-
Modifying an Agency	PUT /v3.0/OS-AGENCY/agencies/{agency_id}	iam:agencies:updateAgency	-	-
Deleting an Agency	DELETE /v3.0/OS-AGENCY/agencies/{agency_id}	iam:agencies:deleteAgency	-	-
Granting Permissions to an Agency for a Region-specific Project	PUT /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id}	iam:permissions:grantRoleToAgencyOnProject	-	-
Checking Whether an Agency Has Specified Permissions for a Region-specific Project	HEAD /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id}	iam:permissions:checkRoleForAgencyOnProject	-	-
Querying Permissions of an Agency for a Region-specific Project	GET /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles	iam:permissions:listRolesForAgencyOnProject	-	-
Removing Permissions of an Agency for a Region-specific Project	DELETE /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id}	iam:permissions:revokeRoleFromAgencyOnProject	-	-
Granting Permissions to an Agency for the Global Service Project	PUT /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}	iam:permissions:grantRoleToAgencyOnDomain	-	-
Checking Whether an Agency Has Specified Permissions for the Global Service Project	HEAD /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}	iam:permissions:checkRoleForAgencyOnDomain	-	-
Querying Permissions of an Agency for the Global Service Project	GET /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles	iam:permissions:listRolesForAgencyOnDomain	-	-
Removing Permissions of an Agency for the Global Service Project	DELETE /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}	iam:permissions:revokeRoleFromAgencyOnDomain	-	-
Querying All Permissions of an Agency	GET /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/inherited_to_projects	iam:permissions:listRolesForAgency	-	-
Checking Whether an Agency Has Specified Permissions	HEAD /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects	iam:permissions:checkRoleForAgency	-	-
Granting Specified Permissions to an Agency	PUT /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects	iam:permissions:grantRoleToAgency	-	-
Removing Permissions of an Agency	DELETE /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects	iam:permissions:revokeRoleFromAgency	-	-

Enterprise Project Management

Permission	API	Action	IAM Project (Project)	Enterprise Project (Enterprise Project)
Querying User Groups Associated with an Enterprise Project	GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups	iam:permissions:listGroupsOnEnterpriseProject	-	√
Querying the Permissions of a User Group Associated with an Enterprise Project	GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles	iam:permissions:listRolesForGroupOnEnterpriseProject	-	√
Granting Permissions to a User Group Associated with an Enterprise Project	PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id}	iam:permissions:grantRoleToGroupOnEnterpriseProject	-	√
Deleting the Permissions of a User Group Associated with an Enterprise Project	DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id}	iam:permissions:revokeRoleFromGroupOnEnterpriseProject	-	√
Listing Users Associated with an Enterprise Project	GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users	iam:permissions:listUsersForEnterpriseProject	-	√
Listing Roles of a User Associated with an Enterprise Project	GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles	iam:permissions:listRolesForUserOnEnterpriseProject	-	√
Granting Permissions to a User Associated with an Enterprise Project	PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id}	iam:permissions:grantRoleToUserOnEnterpriseProject	-	√
Deleting Roles of a User Associated with an Enterprise Project	DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id}	iam:permissions:revokeRoleFromUserOnEnterpriseProject	-	√

Security Settings

Permission	API	Action	IAM Project (Project)	Enterprise Project (Enterprise Project)
Modifying the Operation Protection Policy	PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy	iam:securitypolicies:updateProtectPolicy	-	-
Querying the Operation Protection Policy	GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy	iam:securitypolicies:getProtectPolicy	-	-
Modifying the Password Policy	PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy	iam:securitypolicies:updatePasswordPolicy	-	-
Querying the Password Policy	GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy	iam:securitypolicies:getPasswordPolicy	-	-
Modifying the Login Authentication Policy	PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy	iam:securitypolicies:updateLoginPolicy	-	-
Querying the Login Authentication Policy	GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy	iam:securitypolicies:getLoginPolicy	-	-
Modifying the ACL for Console Access	PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy	iam:securitypolicies:updateConsoleAclPolicy	-	-
Querying the ACL for Console Access	GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy	iam:securitypolicies:getConsoleAclPolicy	-	-
Modifying the ACL for API Access	PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy	iam:securitypolicies:updateApiAclPolicy	-	-
Querying the ACL for API Access	GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy	iam:securitypolicies:getApiAclPolicy	-	-

Federated Identity Authentication Management

Permission	API	Action	IAM Project	Enterprise Project
Listing Identity Providers	GET /v3/OS-FEDERATION/identity_providers	iam:identityProviders:listIdentityProviders	-	-
Querying Identity Provider Details	GET /v3/OS-FEDERATION/identity_providers/{id}	iam:identityProviders:getIdentityProvider	-	-
Creating a SAML Identity Provider	PUT /v3/OS-FEDERATION/identity_providers/{id}	iam:identityProviders:createIdentityProvider	-	-
Modifying a SAML Identity Provider	PATCH /v3/OS-FEDERATION/identity_providers/{id}	iam:identityProviders:updateIdentityProvider	-	-
Deleting a SAML Identity Provider	DELETE /v3/OS-FEDERATION/identity_providers/{id}	iam:identityProviders:deleteIdentityProvider	-	-
Creating an OpenID Connect Identity Provider	POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config	iam:identityProviders:createOpenIDConnectConfig	-	-
Modifying an OpenID Connect Identity Provider	PUT /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config	iam:identityProviders:updateOpenIDConnectConfig	-	-
Querying Details About an OpenID Connect Identity Provider	GET /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config	iam:identityProviders:getOpenIDConnectConfig	-	-
Listing Mappings	GET /v3/OS-FEDERATION/mappings	iam:identityProviders:listMappings	-	-
Querying Mapping Details	GET /v3/OS-FEDERATION/mappings/{id}	iam:identityProviders:getMapping	-	-
Registering a Mapping	PUT /v3/OS-FEDERATION/mappings/{id}	iam:identityProviders:createMapping	-	-
Updating a Mapping	PATCH /v3/OS-FEDERATION/mappings/{id}	iam:identityProviders:updateMapping	-	-
Deleting a Mapping	DELETE /v3/OS-FEDERATION/mappings/{id}	iam:identityProviders:deleteMapping	-	-
Listing Protocols	GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols	iam:identityProviders:listProtocols	-	-
Querying Protocol Details	GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}	iam:identityProviders:getProtocol	-	-
Registering a Protocol	PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}	iam:identityProviders:createProtocol	-	-
Updating a Protocol	PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}	iam:identityProviders:updateProtocol	-	-
Deleting a Protocol	DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}	iam:identityProviders:deleteProtocol	-	-
Querying a Metadata File	GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata	iam:identityProviders:getIDPMetadata	-	-
Importing a Metadata File	POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata	iam:identityProviders:createIDPMetadata	-	-

Parent topic: Permissions and Actions

Last Article: Permissions and Supported Actions

Next Article: Appendix

Did this article solve your problem?

Thank you for your score！Your feedback would help us improve the website.

Products

Compute

Application

Dedicated Cloud

Storage

Management & Deployment

Migration

Network

Enterprise Intelligence

Video

Database

Edge Cloud Services

DevCloud

Security

Cloud Communications

Internet of Things

Solutions

Industry-Specific Solutions

General-Purpose Solutions

Security

DevOps

Enterprise Intelligence

Essential Platform

Big Data

Visual Cognition

Speech and Semantics

Support

Help Center

Customer Services

Developers

Console

语言 - Language

中国站 - 简体中文

中国站 - English

International - 简体中文

International - English