Help Center/ Identity and Access Management/ API Reference/ Out-of-Date APIs/ Querying the Permissions of a User Group Associated with an Enterprise Project
Updated on 2022-09-21 GMT+08:00

Querying the Permissions of a User Group Associated with an Enterprise Project

Function

This API is used to query the permissions of a user group associated with the enterprise project of a specified ID.

This API can be invoked using the global domain name iam.myhuaweicloud.eu.

This API will be deprecated soon. Please use the API described in Querying the Permissions of a User Group Associated with an Enterprise Project instead.

URI

  • URI format

    GET /v3.0/OS-PAP/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles

  • URI parameter description

    Parameter

    Mandatory

    Type

    Description

    enterprise_project_id

    Yes

    String

    ID of the enterprise project for querying the permissions of an associated user group.

    group_id

    Yes

    String

    ID of a user group associated with the enterprise project.

Request

  • Request header parameter description

    Parameter

    Mandatory

    Type

    Description

    X-Auth-Token

    Yes

    String

    Authenticated token with Security Administrator permissions.

    Content-Type

    Yes

    String

    Fill application/json;charset=utf8 in this field.

  • Sample request
    curl -i -k -H "X-Auth-Token:$token" -H 'Content-Type:application/json;charset=utf8' -X GET https://iam.myhuaweicloud.eu/v3.0/OS-PAP/enterprise-projects/535fb147-6148-4c71-a679-b79a2cb0e.../groups/10d8104f395d43468094753f28692.../roles

Response

  • Response body parameter description

    Parameter

    Mandatory

    Type

    Description

    roles

    Yes

    JSONArray

    Permission information.

  • Description for the role format

    Parameter

    Mandatory

    Type

    Description

    display_name

    Yes

    String

    Name of a permission displayed on the console.

    description

    Yes

    String

    Description of the permission.

    description_cn

    Yes

    String

    Description of the permission.

    domain_id

    Yes

    String

    • If a custom policy has been bound to the user group, the value of this parameter is the account ID of the user that creates the custom policy.
    • If a default policy has been bound to the user group, the value of this parameter is null.

    flag

    No

    String

    A tag for indicating an internal fine-grained role.

    catalog

    Yes

    String

    Directory to which the permission belongs.

    • If a custom policy has been bound to the user group, the value of this parameter is CUSTOMED.
    • If a default policy has been bound to the user group, the value of this parameter is the corresponding service name, for example, ECS.

    policy

    Yes

    Dict

    Details about the permission. For more information, see Description for the policy format.

    id

    Yes

    String

    Permission ID.

    type

    Yes

    String

    Display position of the permission.

    • AX: Displayed in the Global project.
    • XA: Displayed in projects other than the Global project.
      NOTE:

      The value of this parameter can only be AX or XA, and cannot be AA or XX.

    name

    Yes

    String

    Name of the permission used in the system.

  • Description for the policy format

    Parameter

    Mandatory

    Type

    Description

    Version

    Yes

    String

    Policy version.

    Statement

    Yes

    JSONArray

    Statement for using the policy to grant permissions. A policy consists of a maximum of eight statements. A Statement field contains the Effect and Action elements.

  • Description for the statement format

    Parameter

    Mandatory

    Type

    Description

    Effect

    Yes

    String

    The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements.

    Action

    Yes

    StringArray

    Permission set, which specifies the operation permissions on resources. The number of permission sets cannot exceed 100.

    Format:

    The value format is Service name:Resource type:Action, for example, vpc:ports:create.

    Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed.

    Resource type and Action: The values are case-insensitive, and the wildcard (*) is allowed. A wildcard (*) can represent all or part of the information about resource types and actions for the specific service.

  • Example successful response
    { 
       "roles": [ 
         { 
           "display_name": "Customed ECS Viewer", 
           "description": "The read-only permissions to all ECS resources, which can be used for statistics and survey.", 
           "domain_id": "9698542758bc422088c0c3eabf...", 
           "catalog": "CUSTOMED", 
           "policy": { 
             "Version": "1.1", 
             "Statement": [ 
               { 
                 "Action": [ 
                   "ecs:*:get*", 
                   "ecs:*:list*", 
                   "ecs:blockDevice:use", 
                   "ecs:serverGroups:manage", 
                   "ecs:serverVolumes:use", 
                   "evs:*:get*", 
                   "evs:*:list*", 
                   "vpc:*:get*", 
                   "vpc:*:list*", 
                   "ims:*:get*", 
                   "ims:*:list*" 
                 ], 
                 "Effect": "Allow" 
               } 
             ] 
           }, 
           "id": "24e7a89bffe443979760c4e9715c1...", 
           "type": "XA", 
           "name": "custom_9698542758bc422088c0c3eabfc30d1..." 
         } 
       ] 
     }
  • Error response body parameter description

    Parameter

    Mandatory

    Type

    Description

    error

    Yes

    Dict

    Response error

    message

    Yes

    String

    Error details

    code

    Yes

    Int

    Status code

    title

    Yes

    String

    Error type

  • Example failed response
    {
      "error": {
        "message": "Authentication failed",
        "code": 401,
        "title": "Unauthorized"
      }
    }

Status Codes

Status Code

Description

200

The request is successful.

400

The server failed to process the request.

401

You must enter a username and password to access the requested page.

403

Access denied.

500

Failed to complete the request because of an internal service error.