Querying Permissions Assignment Records
Function
This API is used to query permissions assignment records of a specified account.
The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.
Debugging
You can debug this API in API Explorer.
URI
GET /v3.0/OS-PERMISSION/role-assignments
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| domain_id | Yes | String | Account ID. For details about how to obtain the account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. |
| role_id | No | String | Policy ID. |
| subject | No | String | Principal. The value can be user, group, or agency. This parameter is mutually exclusive with subject.user_id, subject.group_id, and subject.agency_id. |
| subject.user_id | No | String | ID of the IAM user. For details about how to obtain the ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. |
| subject.group_id | No | String | ID of the user group. For details about how to obtain the ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. |
| subject.agency_id | No | String | Agency ID. For details about how to obtain the agency ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. |
| scope | No | String | Authorization scope. The value can be project, domain, or enterprise_project. This parameter is mutually exclusive with scope.project_id, scope.domain_id, and scope.enterprise_projects_id. |
| scope.project_id | No | String | Project ID. For details about how to obtain the project ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. |
| scope.domain_id | No | String | Account ID. For details about how to obtain the account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information. |
| scope.enterprise_projects_id | No | String | ID of the authorized enterprise project. For details about how to obtain the ID, see How Do I Obtain an Enterprise Project ID? |
| is_inherited | No | Boolean | Whether to include all project-based authorization records. The default value is false. This parameter is valid only when scope is set to domain or scope.domain_id is specified. true: Query all project-based authorization records. false: Query global service authorization records. |
| include_group | No | Boolean | Whether to include user group-based authorization records. The default value is true. This parameter is valid only when subject is set to user or subject.user_id is specified. true: Query authorization records of IAM users and user groups which the IAM users belong to. false: Only query authorization records of IAM users. |
| page | No | Integer | Page number for pagination query. The minimum value is 1. This parameter must be used together with per_page. |
| per_page | No | Integer | Number of data records to be displayed on each page during pagination query. The value ranges from 1 to 50. This parameter must be specified together with page. |
Request Parameters
| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| X-Auth-Token | Yes | String | Access token issued to a user to bear its identity and permissions. For details about the permissions required by the token, see Permissions Management. |
Response Parameters
| Parameter | Type | Description |
|---|---|---|
| total_num | Long | Total number of returned authorization records. |
| | Array of RoleAssignmentBody objects | Authorization information. |

| Parameter | Type | Description |
|---|---|---|
| | RoleUserAssignmentId object | Authorized user. This parameter is only returned when the principal (subject) is set to user. |
| | RoleAssignmentId object | Authorization policy. |
| | RoleGroupAssignmentId object | Authorized user group. This parameter is only returned when the principal (subject) is set to group. |
| | RoleAgencyAssignmentId object | Authorization agency. This parameter is only returned when the principal (subject) is set to agency. |
| | RoleAssignmentScope object | Authorization scope. |
| is_inherited | Boolean | Whether the authorization is based on all projects. |

| Parameter | Type | Description |
|---|---|---|
| | RoleProjectAssignmentId object | IAM project-based authorization. This parameter is only returned when the authorization scope (scope) is set to project. |
| | RoleDomainAssignmentId object | Authorization based on global services or all projects. This parameter is only returned when the authorization scope (scope) is set to domain. |
| | RoleEnterpriseProjectAssignmentId object | Enterprise project-based authorization. This parameter is only returned when the authorization scope (scope) is set to enterprise_project. |
Example Request
Request for querying permissions assignment records
GET https://iam.myhuaweicloud.com/v3.0/OS-PERMISSION/role-assignments?domain_id={domain_id}
Example Response
Status code: 200
{
  "role_assignments": {
    "group": {
      "id": "07609e7eb200250a3f7dc003cb7a4e2d"
    },
    "is_inherited": true,
    "role": {
      "id": "11e5c42d20cc349a2b9e2f8afd253f50c"
    },
    "scope": {
      "domain": {
        "id": "d78cbac186b744899480f25bd022f468"
      }
    }
  },
  "total_num": 1
}
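For a permissions audit, the parameter constraints in the URI table can be checked on the client before any request is sent. The following is an added example, not code from this documentation: build_url, fetch_all and the caller-supplied get_json(url) function (which would send the GET with X-Auth-Token and return the parsed body) are hypothetical names, and rejecting is_inherited or include_group outside their valid context is a strictness choice made here.

```python
from urllib.parse import urlencode

ENDPOINT = "https://iam.myhuaweicloud.com/v3.0/OS-PERMISSION/role-assignments"
SUBJECT_IDS = {"subject.user_id", "subject.group_id", "subject.agency_id"}
SCOPE_IDS = {"scope.project_id", "scope.domain_id", "scope.enterprise_projects_id"}

def build_url(domain_id, filters=None):
    """Return the request URL, rejecting combinations the parameter table forbids."""
    f = dict(filters or {})
    if not domain_id:
        raise ValueError("domain_id is mandatory")
    if "subject" in f and SUBJECT_IDS & f.keys():
        raise ValueError("subject is mutually exclusive with subject.*_id")
    if "scope" in f and SCOPE_IDS & f.keys():
        raise ValueError("scope is mutually exclusive with scope.*_id")
    if f.get("subject", "user") not in ("user", "group", "agency"):
        raise ValueError("subject must be user, group, or agency")
    if f.get("scope", "domain") not in ("project", "domain", "enterprise_project"):
        raise ValueError("scope must be project, domain, or enterprise_project")
    if "is_inherited" in f and not (f.get("scope") == "domain" or "scope.domain_id" in f):
        raise ValueError("is_inherited needs scope=domain or scope.domain_id")
    if "include_group" in f and not (f.get("subject") == "user" or "subject.user_id" in f):
        raise ValueError("include_group needs subject=user or subject.user_id")
    if ("page" in f) != ("per_page" in f):
        raise ValueError("page and per_page must be used together")
    if "page" in f and (f["page"] < 1 or not 1 <= f["per_page"] <= 50):
        raise ValueError("page >= 1 and 1 <= per_page <= 50 required")
    # Booleans are sent as lowercase true/false in the query string.
    query = {"domain_id": domain_id}
    query.update((k, str(v).lower() if isinstance(v, bool) else v) for k, v in f.items())
    return ENDPOINT + "?" + urlencode(query)

def fetch_all(domain_id, filters, get_json, per_page=50):
    """Collect every record page by page using the caller-supplied get_json(url)."""
    records, page = [], 1
    while True:
        url = build_url(domain_id, {**filters, "page": page, "per_page": per_page})
        batch = get_json(url).get("role_assignments", [])
        if isinstance(batch, dict):   # the example response shows a single object
            batch = [batch]
        records.extend(batch)
        if len(batch) < per_page:     # a short page means there is no more data
            return records
        page += 1
```

The loop stops on a short page rather than on total_num, so it does not depend on whether total_num counts the current page or the whole result set.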
Status Codes
| Status Code | Description |
|---|---|
| 200 | The request is successful. |
| 400 | Invalid parameters. |
| 401 | Authentication failed. |
| 403 | Access denied. |
Error Codes
For details, see Error Codes.