Help Center/Identity and Access Management/API Reference/API/Enterprise Project Management/Querying the Permissions of a User Group Associated with an Enterprise Project
Updated on 2025-12-27 GMT+08:00
View PDF

Querying the Permissions of a User Group Associated with an Enterprise Project

Function

This API is used to query the permissions of a user group directly associated with a specified enterprise project.

The API can be called using both the global endpoint and region-specific endpoints.

Authorization Information

Each account is authorized to call all APIs, but its IAM users must obtain the required permissions. For details, see Permissions and Supported Actions.

URI

GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles

Table 1 URI parameters

Parameter

Mandatory

Type

Description

enterprise_project_id

Yes

String

ID of the enterprise project for querying the permissions of an associated user group.

group_id

Yes

String

User group ID.

Request Parameters

Table 2 Parameters in the request header

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

Authenticated token with iam:permissions:listRolesForGroupOnEnterpriseProject or Security Administrator permissions. The domain_id of the account which the group_id belongs to must be the same as the domain_id in the token.

Response Parameters

Status code: 200

Table 3 Parameters in the response body

Parameter

Type

Description

roles

Array of objects

Role list.

Table 4 roles

Parameter

Type

Description

catalog

String

Service catalog of the permission.

display_name

String

Display name of the permission.

description

String

Description of the permission in English.

description_cn

String

Description of the permission in Chinese.

domain_id

String

ID of the account which the permission belongs to.

flag

String

If this parameter is set to fine_grained, the permission is a system-defined policy.

id

String

Permission ID.

name

String

Permission name.

policy

object

Content of the permission.

type

String

Display mode of the permission.

NOTE:
  • AX: Account level.
  • XA: Project level.
  • AA: Both the account level and project level.
  • XX: Neither the account level nor project level.
  • The display mode of a custom policy can only be AX or XA. A custom policy must be displayed at either of the two levels.
Table 5 roles.policy

Parameter

Type

Description

Depends

Array of objects

Dependent permissions.

Statement

Array of objects

Statement of the permission.

Version

String

Policy version.

NOTE:
  • 1.0: System-defined role. Only a limited number of service-level roles are provided for authorization.
  • 1.1: Policy. A policy defines the permissions required to perform operations on a specific cloud resource under certain conditions.
Table 6 roles.policy.Depends

Parameter

Type

Description

catalog

String

Service catalog of the permission.

display_name

String

Display name of the permission.

Table 7 roles.policy.Statement

Parameter

Type

Description

Action

Array of strings

Specific operation permissions on a resource. For details about supported actions, see "Permissions and Supported Actions" in the API Reference of cloud services.

NOTE:
  • The value format is Service name:Resource type:Operation, for example, vpc:ports:create.
  • Service name: indicates the product name, such as ecs, evs, or vpc. Only lowercase letters are allowed. Resource types and operations are not case-sensitive. You can use an asterisk (*) to represent all operations.
  • In the case of a custom policy for agencies, this parameter value should be "Action": ["iam:tokens:assume"].

Effect

String

Effect of the permission. The value can be Allow or Deny. If both Allow and Deny statements are found in a policy, the authentication starts from the Deny statements.

Enumerated values:

  • Allow
  • Deny

Condition

Object

Conditions for the permission to take effect. For details about the condition parameters, see Creating a Custom Policy.

NOTE:

Take the condition in the sample request as an example, the values of the condition key (obs:prefix) and string (public) must be equal (StringEquals).

 "Condition": {
              "StringEquals": {
                "obs:prefix": [
                  "public"
                ]
              }
            }

Resource

Object

Cloud resource.

NOTE:
  • Format: ::::. For example, obs:::bucket:*. Asterisks are allowed.
  • The region segment can be * or a region accessible to the user. The specified resource must belong to the corresponding service that actually exists.
  • In the case of a custom policy for agencies, the type of this parameter is Object, and the value should be "Resource": {"uri": ["/iam/agencies/agencyTest"]}.

Example Request

Request for querying the permissions of a user group associated with an enterprise project

GET  https://iam.myhuaweicloud.eu/v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles

Example Response

Status code: 200

The request is successful.

{ 
  "roles" : [ { 
    "catalog" : "CUSTOMED", 
    "description" : "u81eau5b9au4e49u6743u9...", 
    "description_cn" : null, 
    "display_name" : "XpBdkPYCCx", 
    "domain_id" : "0456fd5a278033120f37c006683ab...", 
    "flag" : null, 
    "id" : "5d1b6256331f4fb494534bf240698...", 
    "name" : "custom_policy1", 
    "policy" : { 
      "Statement" : [ { 
        "Action" : [ "aaa:a*b:baa*" ], 
        "Condition" : null, 
        "Effect" : "deny", 
        "Resource" : null 
      }, { 
        "Action" : [ "aaa:a*b:bab*" ], 
        "Condition" : null, 
        "Effect" : "Allow", 
        "Resource" : null 
      } ], 
      "Version" : "1.1" 
    }, 
    "type" : "XA" 
  } ] 
}

Status Codes

Status Code

Description

200

The request is successful.

400

Parameter error.

401

Authentication failed.

403

Access denied.

404

The requested resource cannot be found.

415

Incorrect Content-Type.

500

A system error occurred.

Error Codes

For details, see Error Codes.