Help Center/Identity and Access Management/API Reference/Permissions and Actions/Actions
Updated on 2025-12-27 GMT+08:00
View PDF

Actions

Token Management

Permission

API

Action

IAM Project

Enterprise Project

Obtaining an Agency Token

POST /v3/auth/tokens

iam:tokens:assume

-

-

Access Key Management

Permission

API

Action

IAM Project

Enterprise Project

Obtaining Temporary Access Keys and Security Tokens of an Agency

POST /v3.0/OS-CREDENTIAL/securitytokens

iam:tokens:assume

  

  

Listing Permanent Access Keys

GET /v3.0/OS-CREDENTIAL/credentials

iam:credentials:listCredentials

-

-

Querying a Permanent Access Key

GET /v3.0/OS-CREDENTIAL/credentials/{access_key}

iam:credentials:getCredential

-

-

Creating a Permanent Access Key

POST /v3.0/OS-CREDENTIAL/credentials

iam:credentials:createCredential

-

-

Modifying a Permanent Access Key

PUT /v3.0/OS-CREDENTIAL/credentials/{access_key}

iam:credentials:updateCredential

-

-

Deleting a Permanent Access Key

DELETE /v3.0/OS-CREDENTIAL/credentials/{access_key}

iam:credentials:deleteCredential

-

-

Virtual MFA Device Management

Permission

API

Action

IAM Project

Enterprise Project

Binding a Virtual MFA Device

PUT /v3.0/OS-MFA/mfa-devices/bind

iam:mfa:bindMFADevice

-

-

Unbinding a Virtual MFA Device

PUT /v3.0/OS-MFA/mfa-devices/unbind

iam:mfa:unbindMFADevice

-

-

Generating a Secret Key for Binding a Virtual MFA Device

POST /v3.0/OS-MFA/virtual-mfa-devices

iam:mfa:createVirtualMFADevice

-

-

Deleting a Virtual MFA Device

DELETE /v3.0/OS-MFA/virtual-mfa-devices

iam:mfa:deleteVirtualMFADevice

-

-

Project Management

Permission

API

Action

IAM Project

Enterprise Project

Listing Projects

GET /v3/projects

iam:projects:listProjects

-

-

Creating a Project

POST /v3/projects

iam:projects:createProject

-

-

Modifying Project Information

PATCH /v3/projects/{project_id}

iam:projects:updateProject

-

-

Changing Project Status

PUT /v3-ext/projects/{project_id}

iam:projects:updateProject

-

-

Listing the Projects Accessible to a User

GET /v3/users/{user_id}/projects

iam:projects:listProjectsForUser

-

-

Deleting a Project

×

iam:projects:deleteProject

-

-

Querying the Quotas of a Project

GET /v3.0/OS-QUOTA/projects/{project_id}

iam:quotas:listQuotasForProject

-

-

Account Management

Permission

API

Action

IAM Project

(Project)

Enterprise Project

(Enterprise Project)

Querying the Quotas of an Account

GET /v3.0/OS-QUOTA/domains/{domain_id}

iam:quotas:listQuotas

-

-

IAM User Management

Permission

API

Action

IAM Project

Enterprise Project

Listing IAM Users

GET /v3/users

iam:users:listUsers

-

-

Creating an IAM User

POST /v3/users

iam:users:createUser

-

-

Modifying User Information

PATCH /v3/users/{user_id}

iam:users:updateUser

-

-

Deleting an IAM User

DELETE /v3/users/{user_id}

iam:users:deleteUser

-

-

Creating an IAM User (Recommended)

POST /v3.0/OS-USER/users

iam:users:createUser

-

-

Querying IAM User Details (Including Email Address and Mobile Number)

GET /v3.0/OS-USER/users/{user_id}

iam:users:getUser

-

-

Querying IAM User Details

GET /v3/users/{user_id}

iam:users:getUser

-

-

Resetting an IAM User's Password

×

iam:users:resetUserPassword

-

-

Configuring Login Protection

×

iam:users:setUserLoginProtect

-

-

Listing Users Who Have Access to a Specified Project

×

iam:users:listUsersForProject

-

-

Querying MFA Device Information of IAM Users

GET /v3.0/OS-MFA/virtual-mfa-devices

iam:mfa:listVirtualMFADevices

-

-

Querying the MFA Device Information of an IAM User

GET /v3.0/OS-MFA/users/{user_id}/virtual-mfa-device

iam:mfa:getVirtualMFADevice

-

-

Querying Login Protection Configurations of IAM Users

GET /v3.0/OS-USER/login-protects

iam:users:listUserLoginProtects

-

-

Querying the Login Protection Configuration of an IAM User

GET /v3.0/OS-USER/users/{user_id}/login-protect

iam:users:getUserLoginProtect

-

-

User Group Management

Permission

API

Action

IAM Project

Enterprise Project

Querying the User Groups Which an IAM User Belongs to

GET /v3/users/{user_id}/groups

iam:groups:listGroupsForUser

-

-

Querying the IAM Users in a Group

GET /v3/groups/{group_id}/users

iam:users:listUsersForGroup

-

-

Listing User Groups

GET /v3/groups

iam:groups:listGroups

-

-

Querying User Group Details

GET /v3/groups/{group_id}

iam:groups:getGroup

-

-

Creating a User Group

POST /v3/groups

iam:groups:createGroup

-

-

Updating User Group Information

PATCH /v3/groups/{group_id}

iam:groups:updateGroup

-

-

Deleting a User Group

DELETE /v3/groups/{group_id}

iam:groups:deleteGroup

iam:permissions:removeUserFromGroup

iam:permissions:revokeRoleFromGroup

iam:permissions:revokeRoleFromGroupOnProject

iam:permissions:revokeRoleFromGroupOnDomain

-

-

Checking Whether an IAM User Belongs to a User Group

HEAD /v3/groups/{group_id}/users/{user_id}

iam:permissions:checkUserInGroup

-

-

Adding an IAM User to a User Group

PUT /v3/groups/{group_id}/users/{user_id}

iam:permissions:addUserToGroup

-

-

Removing an IAM User from a User Group

DELETE /v3/groups/{group_id}/users/{user_id}

iam:permissions:removeUserFromGroup

-

-

Permissions Management

Permission

API

Action

IAM Project

Enterprise Project

Listing Permissions

GET /v3/roles

iam:roles:listRoles

-

-

Querying Permission Details

GET /v3/roles/{role_id}

iam:roles:getRole

-

-

Querying Permissions of a User Group for the Global Service Project

GET /v3/domains/{domain_id}/groups/{group_id}/roles

iam:permissions:listRolesForGroupOnDomain

-

-

Querying Permissions of a User Group for a Region-specific Project

GET /v3/projects/{project_id}/groups/{group_id}/roles

iam:permissions:listRolesForGroupOnProject

-

-

Granting Permissions to a User Group for the Global Service Project

PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

iam:permissions:grantRoleToGroupOnDomain

-

-

Granting Permissions to a User Group for a Region-specific Project

PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

iam:permissions:grantRoleToGroupOnProject

-

-

Removing Permissions of a User Group for a Region-specific Project

DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

iam:permissions:revokeRoleFromGroupOnProject

-

-

Removing Permissions of a User Group for the Global Service Project

DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

iam:permissions:revokeRoleFromGroupOnDomain

-

-

Checking Whether a User Group Has Specified Permissions for the Global Service Project

HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}

iam:permissions:checkRoleForGroupOnDomain

-

-

Checking Whether a User Group Has Specified Permissions for a Region-specific Project

HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

iam:permissions:checkRoleForGroupOnProject

-

-

Granting Specified Permissions to a User Group for All Projects

PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

iam:permissions:grantRoleToGroup

-

-

Querying the Permissions Granted to a User for a Specified Project

×

iam:permissions:listRolesForUserOnProject

-

-

Querying All Permissions of a User Group

×

iam:permissions:listRolesForGroup

-

-

Checking Whether a User Group Has Specified Permissions

×

iam:permissions:checkRoleForGroup

-

-

Removing Permissions of a User Group

×

iam:permissions:revokeRoleFromGroup

-

-

Querying Permission Assignment Records

×

iam:permissions:listRoleAssignments

-

-

Custom Policy Management

Permission

API

Action

IAM Project

Enterprise Project

Listing Custom Policies

GET /v3.0/OS-ROLE/roles

iam:roles:listRoles

-

-

Querying Custom Policy Details

GET /v3.0/OS-ROLE/roles/{role_id}

iam:roles:getRole

-

-

Creating a Custom Policy for Cloud Services

POST /v3.0/OS-ROLE/roles

iam:roles:createRole

-

-

Modifying a Custom Policy for Cloud Services

PATCH /v3.0/OS-ROLE/roles/{role_id}

iam:roles:updateRole

-

-

Deleting a Custom Policy

DELETE /v3.0/OS-ROLE/roles/{role_id}

iam:roles:deleteRole

-

-

Agency Management

Permission

API

Action

IAM Project

Enterprise Project

Creating an Agency

POST /v3.0/OS-AGENCY/agencies

iam:agencies:createAgency

-

-

Listing Agencies

GET /v3.0/OS-AGENCY/agencies

iam:agencies:listAgencies

-

-

Querying Agency Details

GET /v3.0/OS-AGENCY/agencies/{agency_id}

iam:agencies:getAgency

-

-

Modifying an Agency

PUT /v3.0/OS-AGENCY/agencies/{agency_id}

iam:agencies:updateAgency

-

-

Deleting an Agency

DELETE /v3.0/OS-AGENCY/agencies/{agency_id}

iam:agencies:deleteAgency

-

-

Granting Permissions to an Agency for a Region-specific Project

PUT /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id}

iam:permissions:grantRoleToAgencyOnProject

-

-

Checking Whether an Agency Has Specified Permissions for a Region-specific Project

HEAD /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id}

iam:permissions:checkRoleForAgencyOnProject

-

-

Querying Permissions of an Agency for a Region-specific Project

GET /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles

iam:permissions:listRolesForAgencyOnProject

-

-

Removing Permissions of an Agency for a Region-specific Project

DELETE /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id}

iam:permissions:revokeRoleFromAgencyOnProject

-

-

Granting Permissions to an Agency for the Global Service Project

PUT /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}

iam:permissions:grantRoleToAgencyOnDomain

-

-

Checking Whether an Agency Has Specified Permissions for the Global Service Project

HEAD /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}

iam:permissions:checkRoleForAgencyOnDomain

-

-

Querying Permissions of an Agency for the Global Service Project

GET /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles

iam:permissions:listRolesForAgencyOnDomain

-

-

Removing Permissions of an Agency for the Global Service Project

DELETE /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}

iam:permissions:revokeRoleFromAgencyOnDomain

-

-

Querying All Permissions of an Agency

GET /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/inherited_to_projects

iam:permissions:listRolesForAgency

-

-

Checking Whether an Agency Has Specified Permissions

HEAD /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects

iam:permissions:checkRoleForAgency

-

-

Granting Specified Permissions to an Agency

PUT /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects

iam:permissions:grantRoleToAgency

-

-

Removing Permissions of an Agency

DELETE /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects

iam:permissions:revokeRoleFromAgency

-

-

Enterprise Project Management

Permission

API

Action

IAM Project

(Project)

Enterprise Project

(Enterprise Project)

Querying User Groups Associated with an Enterprise Project

GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups

iam:permissions:listGroupsOnEnterpriseProject

-

Querying the Permissions of a User Group Associated with an Enterprise Project

GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles

iam:permissions:listRolesForGroupOnEnterpriseProject

-

Granting Permissions to a User Group Associated with an Enterprise Project

PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id}

iam:permissions:grantRoleToGroupOnEnterpriseProject

-

Deleting the Permissions of a User Group Associated with an Enterprise Project

DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id}

iam:permissions:revokeRoleFromGroupOnEnterpriseProject

-

Querying Enterprise Projects Associated with a User Group

GET /v3.0/OS-PERMISSION/groups/{group_id}/enterprise-projects

iam:permissions:listEnterpriseProjectsForGroup

-

Querying Enterprise Projects Directly Associated with a User

GET /v3.0/OS-PERMISSION/users/{user_id}/enterprise-projects

iam:permissions:listEnterpriseProjectsForUser

-

Listing Users Associated with an Enterprise Project

GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users

iam:permissions:listUsersForEnterpriseProject

-

Listing Roles of a User Associated with an Enterprise Project

GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles

iam:permissions:listRolesForUserOnEnterpriseProject

-

Granting Permissions to a User Associated with an Enterprise Project

PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id}

iam:permissions:grantRoleToUserOnEnterpriseProject

-

Deleting Roles of a User Associated with an Enterprise Project

DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id}

iam:permissions:revokeRoleFromUserOnEnterpriseProject

-

Security Settings

Permission

API

Action

IAM Project

(Project)

Enterprise Project

(Enterprise Project)

Modifying the Operation Protection Policy

PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy

iam:securitypolicies:updateProtectPolicy

-

-

Querying the Operation Protection Policy

GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy

iam:securitypolicies:getProtectPolicy

-

-

Modifying the Password Policy

PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy

iam:securitypolicies:updatePasswordPolicy

-

-

Querying the Password Policy

GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy

iam:securitypolicies:getPasswordPolicy

-

-

Modifying the Login Authentication Policy

PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy

iam:securitypolicies:updateLoginPolicy

-

-

Querying the Login Authentication Policy

GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy

iam:securitypolicies:getLoginPolicy

-

-

Modifying the ACL for Console Access

PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy

iam:securitypolicies:updateConsoleAclPolicy

-

-

Querying the ACL for Console Access

GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy

iam:securitypolicies:getConsoleAclPolicy

-

-

Modifying the ACL for API Access

PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy

iam:securitypolicies:updateApiAclPolicy

-

-

Querying the ACL for API Access

GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy

iam:securitypolicies:getApiAclPolicy

-

-

Federated Identity Authentication Management

Permission

API

Action

IAM Project

Enterprise Project

Listing Identity Providers

GET /v3/OS-FEDERATION/identity_providers

iam:identityProviders:listIdentityProviders

-

-

Querying Identity Provider Details

GET /v3/OS-FEDERATION/identity_providers/{id}

iam:identityProviders:getIdentityProvider

-

-

Creating a SAML Identity Provider

PUT /v3/OS-FEDERATION/identity_providers/{id}

iam:identityProviders:createIdentityProvider

-

-

Modifying a SAML Identity Provider

PATCH /v3/OS-FEDERATION/identity_providers/{id}

iam:identityProviders:updateIdentityProvider

-

-

Deleting a SAML Identity Provider

DELETE /v3/OS-FEDERATION/identity_providers/{id}

iam:identityProviders:deleteIdentityProvider

-

-

Creating an OpenID Connect Identity Provider

POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config

iam:identityProviders:createOpenIDConnectConfig

-

-

Modifying an OpenID Connect Identity Provider

PUT /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config

iam:identityProviders:updateOpenIDConnectConfig

-

-

Querying Details About an OpenID Connect Identity Provider

GET /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config

iam:identityProviders:getOpenIDConnectConfig

-

-

Listing Mappings

GET /v3/OS-FEDERATION/mappings

iam:identityProviders:listMappings

-

-

Querying Mapping Details

GET /v3/OS-FEDERATION/mappings/{id}

iam:identityProviders:getMapping

-

-

Registering a Mapping

PUT /v3/OS-FEDERATION/mappings/{id}

iam:identityProviders:createMapping

-

-

Updating a Mapping

PATCH /v3/OS-FEDERATION/mappings/{id}

iam:identityProviders:updateMapping

-

-

Deleting a Mapping

DELETE /v3/OS-FEDERATION/mappings/{id}

iam:identityProviders:deleteMapping

-

-

Listing Protocols

GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols

iam:identityProviders:listProtocols

-

-

Querying Protocol Details

GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

iam:identityProviders:getProtocol

-

-

Registering a Protocol

PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

iam:identityProviders:createProtocol

-

-

Updating a Protocol

PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

iam:identityProviders:updateProtocol

-

-

Deleting a Protocol

DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

iam:identityProviders:deleteProtocol

-

-

Querying a Metadata File

GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata

iam:identityProviders:getIDPMetadata

-

-

Importing a Metadata File

POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata

iam:identityProviders:createIDPMetadata

-

-