Querying Permissions Assignment Records

Function

This API is used to query permissions assignment records of a specified account.

The API can be called using both the global endpoint and region-specific endpoints. For IAM endpoints, see Regions and Endpoints.

URI

GET /v3.0/OS-PERMISSION/role-assignments

**Table 1** Query parameters
Parameter	Mandatory	Type	Description
domain_id	Yes	String	Account ID. For details about how to obtain the account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
role_id	No	String	Policy ID.
subject	No	String	Principal. The value can be user, group, or agency. This parameter is exclusive with subject.user_id, subject.group_id, and subject.agency_id.
subject.user_id	No	String	ID of the IAM user. For details about how to obtain the ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
subject.group_id	No	String	ID of the user group. For details about how to obtain the ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
subject.agency_id	No	String	Agency ID. For details about how to obtain the agency ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
scope	No	String	Authorization scope. The value can be project, domain, or enterprise_project. This parameter is mutually exclusive with scope.project_id, scope.domain_id, and scope.enterprise_projects_id. NOTE: To view global service authorization records, set this parameter to domain or specify scope.domain_id. To view resource-based authorization records, set this parameter to domain and is_inherited to true. To view project-based authorization records, set this parameter to project or specify scope.project_id. To view enterprise project-based authorization records, set this parameter to enterprise_project or specify scope.enterprise_project_id.
scope.project_id	No	String	Project ID. For details about how to obtain the project ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
scope.domain_id	No	String	Account ID. For details about how to obtain the account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
scope.enterprise_projects_id	No	String	ID of the authorized enterprise project. For details about how to obtain the ID, see How Do I Obtain an Enterprise Project ID?
is_inherited	No	Boolean	Whether to include all project-based authorization records. The default value is false. This parameter is valid only when scope is set to domain or scope.domain_id is specified. true: Query all project-based authorization records. false: Query global service authorization records.
include_group	No	Boolean	Whether to include user group-based authorization records. The default value is true. This parameter is valid only when subject is set to user or subject.user_id is specified. true: Query authorization records of IAM users and user groups to which the IAM users belong. false: Only query authorization records of IAM users.
page	No	String	Page number for pagination query. The minimum value is 1. This parameter must be used together with per_page.
per_page	No	String	Number of data records to be displayed on each page during pagination query. The value ranges from 1 to 50. This parameter must be specified together with page.

Request Parameters

**Table 2** Parameters in the request header
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	Access credential issued to a user to bear its identity and permissions. For details about the permissions required by the token, see Permissions Management.

Response Parameters

**Table 3** Parameters in the response body
Parameter	Type	Description
total_num	Long	Total number of returned authorization records.
role_assignments	Array of RoleAssignmentBody objects	Authorization information.

**Table 4** role_assignments
Parameter	Type	Description
user	RoleUserAssignmentId object	Authorized user.
role	RoleAssignmentId object	Authorization policy.
group	RoleGroupAssignmentId object	Authorized user group.
agency	RoleAgencyAssignmentId object	Authorization agency.
scope	RoleAssignmentScope object	Authorization scope.
is_inherited	Boolean	Whether the authorization is based on all projects.

**Table 5** role_assignments.user
Parameter	Type	Description
id	String	IAM user ID.

**Table 6** role_assignments.role
Parameter	Type	Description
id	String	Permission ID.

**Table 7** role_assignments.group
Parameter	Type	Description
id	String	User group ID.

**Table 8** role_assignments.agency
Parameter	Type	Description
id	String	Agency ID.

**Table 9** role_assignments.scope
Parameter	Type	Description
project	RoleProjectAssignmentId object	IAM project-based authorization.
domain	RoleDomainAssignmentId object	Authorization based on global services or all projects.
enterprise_project	RoleEnterpriseProjectAssignmentId object	Enterprise project-based authorization.

**Table 10** role_assignments.scope.project
Parameter	Type	Description
id	String	IAM project ID.

**Table 11** role_assignments.scope.domain
Parameter	Type	Description
id	String	Global service ID.

**Table 12** role_assignments.scope.enterprise_project
Parameter	Type	Description
id	String	Enterprise project ID.

Example Request

Request for querying permissions assignment records

GET  https://iam.myhuaweicloud.com/v3.0/OS-PERMISSION/role-assignments?{domain_id}

Example Response

Status code: 200

The request is successful.

{
    "role_assignments":{
        "group":{
            "id":"07609e7eb200250a3f7dc003cb7a4e2d"
        },
        "is_inherited":true,
        "role":{
            "id":"11e5c42d20cc349a2b9e2f8afd253f50c"
        },
        "scope":{
            "domain":{
                "id":"d78cbac186b744899480f25bd022f468"
            }
        }
    },
    "total_num":1
}