Updated on 2023-09-14 GMT+08:00

Querying Permission Details

Function

This API is provided for the administrator to query permission details.

The API can be called using both the global endpoint and region-specific endpoints.

URI

GET /v3/roles/{role_id}

Table 1 URI parameters

Parameter

Mandatory

Type

Description

role_id

Yes

String

Permission ID. For details about how to obtain a permission ID, see Listing Permissions.

Request Parameters

Table 2 Parameters in the request header

Parameter

Mandatory

Type

Description

Content-Type

Yes

String

Fill application/json;charset=utf8 in this field.

X-Auth-Token

Yes

String

Access token issued to a user to bear its identity and permissions.

For details about the permissions required by the token, see Actions.

Response Parameters

Table 3 Parameters in the response body

Parameter

Type

Description

role

Object

Permission information.

Table 4 role

Parameter

Type

Description

domain_id

String

ID of the account to which the permission belongs.

flag

String

If this parameter is set to fine_grained, the permission is a system-defined policy.

description_cn

String

Description of the permission in Chinese.

catalog

String

Service catalog of the permission.

name

String

Permission name for internal use. For example, ccs_user is the internal name of the CCS User role for CCS.

This parameter is carried in the token of a user, allowing the system to determine whether the user has permissions to access a specific cloud service.

description

String

Description of the permission.

links

Object

Permission resource link.

id

String

Permission ID.

display_name

String

Permission name.

type

String

Display mode of the permission.

NOTE:
  • AX: Account level.
  • XA: Project level.
  • AA: Both the account level and project level.
  • XX: Neither the account level nor project level.
  • The display mode of a custom policy can only be AX or XA. A custom policy must be displayed at either of the two levels.

policy

Object

Content of the permission.

updated_time

String

Time when the permission was last updated.

NOTE:

The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601.

created_time

String

Time when the permission was created.

NOTE:

The value is a UTC time in the YYYY-MM-DDTHH:mm:ss.ssssssZ format, for example, 2023-06-28T08:56:33.710000Z. For details about the date and timestamp formats, see ISO-8601.

Table 6 role.policy

Parameter

Type

Description

Depends

Array of objects

Dependent permissions.

Statement

Array of objects

Statement of the permission.

Version

String

Policy version.

NOTE:
  • 1.0: System-defined role. Only a limited number of service-level roles are provided for authorization.
  • 1.1: Policy. A policy defines the permissions required to perform operations on a specific cloud resource under certain conditions.
Table 7 role.policy.Depends

Parameter

Type

Description

catalog

String

Service catalog of the permission.

display_name

String

Display name of the permission.

Table 8 role.policy.Statement

Parameter

Type

Description

Action

Array of strings

Specific operation permissions on a resource. For details about supported actions, see "Permissions and Supported Actions" in the API Reference of cloud services.

NOTE:
  • The value format is Service name:Resource type:Operation, for example, vpc:ports:create.
  • Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.
  • In the case of a custom policy for agencies, this parameter should be set to "Action": ["iam:agencies:assume"].

Effect

String

Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements.

Options:

  • Allow
  • Deny

Condition

Object

Conditions for the permission to take effect. For details, see Creating a Custom Policy.

NOTE:

Take the condition in the sample request as an example, the values of the condition key (obs:prefix) and string (public) must be equal (StringEquals).

 "Condition": {
              "StringEquals": {
                "obs:prefix": [
                  "public"
                ]
              }
            }

Resource

Array of strings

Cloud resource.

NOTE:
  • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
  • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.
  • In the case of a custom policy for agencies, the type of this parameter is Object, and the value should be set to "Resource": {"uri": ["/iam/agencies/07805acaba800fdd4fbdc00b8f888c7c"]}.

Example Request

Request for querying permission details

GET  https://iam.myhuaweicloud.eu/v3/roles/{role_id}

Example Response

Status code: 200

The request is successful.

{
    "role": {
        "domain_id": null,
        "description_cn": "Description of the permission in Chinese",
        "catalog": "VulnScan",
        "name": "wscn_adm",
        "description": "Vulnerability Scan Service administrator of tasks and reports.",
        "links": {
            "next": null,
            "previous": null,
            "self": "https://iam.myhuaweicloud.eu/v3/roles/0af84c1502f447fa9c2fa18083fbb87e"
        },
        "id": "0af84c1502f447fa9c2fa18083fbb87e",
        "display_name": "VSS Administrator",
        "type": "XA",
        "policy": {
            "Version": "1.0",
            "Statement": [
                {
                    "Action": [
                        "WebScan:*:*"
                    ],
                    "Effect": "Allow"
                }
            ],
            "Depends": [
                {
                    "catalog": "BASE",
                    "display_name": "Server Administrator"
                },
                {
                    "catalog": "BASE",
                    "display_name": "Tenant Guest"
                }
            ]
        }
    }
}

Status Codes

Status Code

Description

200

The request is successful.

400

Invalid parameters.

401

Authentication failed.

403

Access denied.

404

The requested resource cannot be found.

Error Codes

None