Updated: 2024-04-19 GMT+08:00

Actions

Token Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Obtaining an agency token | POST /v3/auth/tokens | iam:tokens:assume | - | - |

Access Key Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Querying all permanent access keys | GET /v3.0/OS-CREDENTIAL/credentials | iam:credentials:listCredentials | - | - |
| Querying a specified permanent access key | GET /v3.0/OS-CREDENTIAL/credentials/{access_key} | iam:credentials:getCredential | - | - |
| Creating a permanent access key | POST /v3.0/OS-CREDENTIAL/credentials | iam:credentials:createCredential | - | - |
| Modifying a specified permanent access key | PUT /v3.0/OS-CREDENTIAL/credentials/{access_key} | iam:credentials:updateCredential | - | - |
| Deleting a specified permanent access key | DELETE /v3.0/OS-CREDENTIAL/credentials/{access_key} | iam:credentials:deleteCredential | - | - |

Virtual MFA Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Binding an MFA device | PUT /v3.0/OS-MFA/mfa-devices/bind | iam:mfa:bindMFADevice | - | - |
| Unbinding an MFA device | PUT /v3.0/OS-MFA/mfa-devices/unbind | iam:mfa:unbindMFADevice | - | - |
| Creating a virtual MFA device key | POST /v3.0/OS-MFA/virtual-mfa-devices | iam:mfa:createVirtualMFADevice | - | - |
| Deleting an MFA device | DELETE /v3.0/OS-MFA/virtual-mfa-devices | iam:mfa:deleteVirtualMFADevice | - | - |

Project Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Querying a project list | GET /v3/projects | iam:projects:listProjects | - | - |
| Creating a project | POST /v3/projects | iam:projects:createProject | - | - |
| Modifying project information | PATCH /v3/projects/{project_id} | iam:projects:updateProject | - | - |
| Setting the project status | PUT /v3-ext/projects/{project_id} | iam:projects:updateProject | - | - |
| Querying the project list of a specified IAM user | GET /v3/users/{user_id}/projects | iam:projects:listProjectsForUser | - | - |
| Deleting a specified project | × | iam:projects:deleteProject | - | - |
| Querying the quotas of a specified project | GET /v3.0/OS-QUOTA/projects/{project_id} | iam:quotas:listQuotasForProject | - | - |

Account Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Querying account quotas | GET /v3.0/OS-QUOTA/domains/{domain_id} | iam:quotas:listQuotas | - | - |

IAM User Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Querying an IAM user list (as administrator) | GET /v3/users | iam:users:listUsers | - | - |
| Creating an IAM user (as administrator) | POST /v3/users | iam:users:createUser | - | - |
| Modifying IAM user information (as administrator) | PATCH /v3/users/{user_id} | iam:users:updateUser | - | - |
| Deleting an IAM user (as administrator) | DELETE /v3/users/{user_id} | iam:users:deleteUser | - | - |
| Creating an IAM user (as administrator, recommended) | POST /v3.0/OS-USER/users | iam:users:createUser | - | - |
| Querying user details (including email address and mobile number) | GET /v3.0/OS-USER/users/{user_id} | iam:users:getUser | - | - |
| Querying IAM user details | GET /v3/users/{user_id} | iam:users:getUser | - | - |
| Resetting an IAM user's password (as administrator) | × | iam:users:resetUserPassword | - | - |
| Setting login protection | × | iam:users:setUserLoginProtect | - | - |
| Querying the list of users with permissions on a specified project | × | iam:users:listUsersForProject | - | - |
| Querying the MFA binding information list of IAM users | GET /v3.0/OS-MFA/virtual-mfa-devices | iam:mfa:listVirtualMFADevices | - | - |
| Querying the MFA binding information of a specified IAM user | GET /v3.0/OS-MFA/users/{user_id}/virtual-mfa-device | iam:mfa:getVirtualMFADevice | - | - |
| Querying the login protection status list of IAM users | GET /v3.0/OS-USER/login-protects | iam:users:listUserLoginProtects | - | - |
| Querying the login protection status of a specified IAM user | GET /v3.0/OS-USER/users/{user_id}/login-protect | iam:users:getUserLoginProtect | - | - |

User Group Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Querying the user groups an IAM user belongs to | GET /v3/users/{user_id}/groups | iam:groups:listGroupsForUser | - | - |
| Querying the IAM users in a user group (as administrator) | GET /v3/groups/{group_id}/users | iam:users:listUsersForGroup | - | - |
| Querying a user group list | GET /v3/groups | iam:groups:listGroups | - | - |
| Querying user group details | GET /v3/groups/{group_id} | iam:groups:getGroup | - | - |
| Creating a user group | POST /v3/groups | iam:groups:createGroup | - | - |
| Updating a user group | PATCH /v3/groups/{group_id} | iam:groups:updateGroup | - | - |
| Deleting a user group | DELETE /v3/groups/{group_id} | iam:groups:deleteGroup, iam:permissions:removeUserFromGroup, iam:permissions:revokeRoleFromGroup, iam:permissions:revokeRoleFromGroupOnProject, iam:permissions:revokeRoleFromGroupOnDomain | - | - |
| Checking whether a user is in a user group | HEAD /v3/groups/{group_id}/users/{user_id} | iam:permissions:checkUserInGroup | - | - |
| Adding an IAM user to a user group | PUT /v3/groups/{group_id}/users/{user_id} | iam:permissions:addUserToGroup | - | - |
| Removing an IAM user from a user group | DELETE /v3/groups/{group_id}/users/{user_id} | iam:permissions:removeUserFromGroup | - | - |

Permission Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Querying a permission list | GET /v3/roles | iam:roles:listRoles | - | - |
| Querying permission details | GET /v3/roles/{role_id} | iam:roles:getRole | - | - |
| Querying tenant authorization information | GET /v3.0/OS-PERMISSION/role-assignments | iam:permissions:listRoleAssignments |  |  |
| Querying user group permissions for global services | GET /v3/domains/{domain_id}/groups/{group_id}/roles | iam:permissions:listRolesForGroupOnDomain | - | - |
| Querying user group permissions for project-level services | GET /v3/projects/{project_id}/groups/{group_id}/roles | iam:permissions:listRolesForGroupOnProject | - | - |
| Granting global service permissions to a user group | PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:permissions:grantRoleToGroupOnDomain | - | - |
| Granting project-level service permissions to a user group | PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:permissions:grantRoleToGroupOnProject | - | - |
| Removing project-level service permissions from a user group | DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:permissions:revokeRoleFromGroupOnProject | - | - |
| Removing global service permissions from a user group | DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:permissions:revokeRoleFromGroupOnDomain | - | - |
| Checking whether a user group has global service permissions | HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} | iam:permissions:checkRoleForGroupOnDomain | - | - |
| Checking whether a user group has project-level service permissions | HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} | iam:permissions:checkRoleForGroupOnProject | - | - |
| Granting a user group permissions for all projects | PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects | iam:permissions:grantRoleToGroup | - | - |
| Querying the permissions of a user on a specified project | × | iam:permissions:listRolesForUserOnProject | - | - |
| Querying all permissions of a user group | × | iam:permissions:listRolesForGroup | - | - |
| Checking whether a user group has a specified permission | × | iam:permissions:checkRoleForGroup | - | - |
| Removing a specified permission from a user group | × | iam:permissions:revokeRoleFromGroup | - | - |
| Querying account authorization records | × | iam:permissions:listRoleAssignments | - | - |

Custom Policy Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Querying a custom policy list | GET /v3.0/OS-ROLE/roles | iam:roles:listRoles | - | - |
| Querying custom policy details | GET /v3.0/OS-ROLE/roles/{role_id} | iam:roles:getRole | - | - |
| Creating a custom policy for cloud services | POST /v3.0/OS-ROLE/roles | iam:roles:createRole | - | - |
| Modifying a custom policy for cloud services | PATCH /v3.0/OS-ROLE/roles/{role_id} | iam:roles:updateRole | - | - |
| Deleting a custom policy | DELETE /v3.0/OS-ROLE/roles/{role_id} | iam:roles:deleteRole | - | - |

Agency Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Creating an agency | POST /v3.0/OS-AGENCY/agencies | iam:agencies:createAgency | - | - |
| Querying an agency list based on specified conditions | GET /v3.0/OS-AGENCY/agencies | iam:agencies:listAgencies | - | - |
| Querying agency details | GET /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:getAgency | - | - |
| Modifying an agency | PUT /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:updateAgency | - | - |
| Deleting an agency | DELETE /v3.0/OS-AGENCY/agencies/{agency_id} | iam:agencies:deleteAgency | - | - |
| Granting project-level service permissions to an agency | PUT /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:permissions:grantRoleToAgencyOnProject | - | - |
| Checking whether an agency has project-level service permissions | HEAD /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:permissions:checkRoleForAgencyOnProject | - | - |
| Querying agency permissions for project-level services | GET /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles | iam:permissions:listRolesForAgencyOnProject | - | - |
| Removing project-level service permissions from an agency | DELETE /v3.0/OS-AGENCY/projects/{project_id}/agencies/{agency_id}/roles/{role_id} | iam:permissions:revokeRoleFromAgencyOnProject | - | - |
| Granting global service permissions to an agency | PUT /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:permissions:grantRoleToAgencyOnDomain | - | - |
| Checking whether an agency has global service permissions | HEAD /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:permissions:checkRoleForAgencyOnDomain | - | - |
| Querying agency permissions for global services | GET /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles | iam:permissions:listRolesForAgencyOnDomain | - | - |
| Removing global service permissions from an agency | DELETE /v3.0/OS-AGENCY/domains/{domain_id}/agencies/{agency_id}/roles/{role_id} | iam:permissions:revokeRoleFromAgencyOnDomain | - | - |
| Querying all permissions of an agency | GET /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/inherited_to_projects | iam:permissions:listRolesForAgency | - | - |
| Checking whether an agency has a specified permission | HEAD /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects | iam:permissions:checkRoleForAgency | - | - |
| Granting a specified permission to an agency | PUT /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects | iam:permissions:grantRoleToAgency | - | - |
| Removing a specified permission from an agency | DELETE /v3.0/OS-INHERIT/domains/{domain_id}/agencies/{agency_id}/roles/{role_id}/inherited_to_projects | iam:permissions:revokeRoleFromAgency | - | - |

Enterprise Project Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Querying the user groups associated with an enterprise project | GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups | iam:permissions:listGroupsOnEnterpriseProject | - |  |
| Querying the permissions of a user group associated with an enterprise project | GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles | iam:permissions:listRolesForGroupOnEnterpriseProject | - |  |
| Granting permissions for an enterprise project to a user group | PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id} | iam:permissions:grantRoleToGroupOnEnterpriseProject | - |  |
| Deleting the permissions of a user group associated with an enterprise project | DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/groups/{group_id}/roles/{role_id} | iam:permissions:revokeRoleFromGroupOnEnterpriseProject | - |  |
| Querying the enterprise projects associated with a user group | GET /v3.0/OS-PERMISSION/groups/{group_id}/enterprise-projects | iam:permissions:listEnterpriseProjectsForGroup | - |  |
| Querying the enterprise projects directly associated with a user | GET /v3.0/OS-PERMISSION/users/{user_id}/enterprise-projects | iam:permissions:listEnterpriseProjectsForUser | - |  |
| Querying the users directly associated with an enterprise project | GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users | iam:permissions:listUsersForEnterpriseProject | - |  |
| Querying the roles of a user directly associated with an enterprise project | GET /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles | iam:permissions:listRolesForUserOnEnterpriseProject | - |  |
| Granting permissions for an enterprise project to a user | PUT /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id} | iam:permissions:grantRoleToUserOnEnterpriseProject | - |  |
| Deleting the permissions of a user directly associated with an enterprise project | DELETE /v3.0/OS-PERMISSION/enterprise-projects/{enterprise_project_id}/users/{user_id}/roles/{role_id} | iam:permissions:revokeRoleFromUserOnEnterpriseProject | - |  |

Security Settings

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Modifying the operation protection policy of an account | PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy | iam:securitypolicies:updateProtectPolicy | - | - |
| Querying the operation protection policy of an account | GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/protect-policy | iam:securitypolicies:getProtectPolicy | - | - |
| Modifying the password policy of an account | PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy | iam:securitypolicies:updatePasswordPolicy | - | - |
| Querying the password policy of an account | GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/password-policy | iam:securitypolicies:getPasswordPolicy | - | - |
| Modifying the login policy of an account | PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy | iam:securitypolicies:updateLoginPolicy | - | - |
| Querying the login policy of an account | GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/login-policy | iam:securitypolicies:getLoginPolicy | - | - |
| Modifying the console access policy of an account | PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy | iam:securitypolicies:updateConsoleAclPolicy | - | - |
| Querying the console access policy of an account | GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/console-acl-policy | iam:securitypolicies:getConsoleAclPolicy | - | - |
| Modifying the API access policy of an account | PUT /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy | iam:securitypolicies:updateApiAclPolicy | - | - |
| Querying the API access policy of an account | GET /v3.0/OS-SECURITYPOLICY/domains/{domain_id}/api-acl-policy | iam:securitypolicies:getApiAclPolicy | - | - |

Federated Identity Authentication Management

| Permission | API | Action | IAM Project (Project) | Enterprise Project (Enterprise Project) |
|---|---|---|---|---|
| Querying an identity provider list | GET /v3/OS-FEDERATION/identity_providers | iam:identityProviders:listIdentityProviders | - | - |
| Querying identity provider details | GET /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:getIdentityProvider | - | - |
| Creating a SAML identity provider | PUT /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:createIdentityProvider | - | - |
| Modifying the configuration of a SAML identity provider | PATCH /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:updateIdentityProvider | - | - |
| Deleting a SAML identity provider | DELETE /v3/OS-FEDERATION/identity_providers/{id} | iam:identityProviders:deleteIdentityProvider | - | - |
| Creating an OIDC identity provider | POST /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:createOpenIDConnectConfig | - | - |
| Modifying the configuration of an OIDC identity provider | PUT /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:updateOpenIDConnectConfig | - | - |
| Querying an OIDC identity provider | GET /v3.0/OS-FEDERATION/identity-providers/{idp_id}/openid-connect-config | iam:identityProviders:getOpenIDConnectConfig | - | - |
| Querying a mapping list | GET /v3/OS-FEDERATION/mappings | iam:identityProviders:listMappings | - | - |
| Querying mapping details | GET /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:getMapping | - | - |
| Registering a mapping | PUT /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:createMapping | - | - |
| Updating a mapping | PATCH /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:updateMapping | - | - |
| Deleting a mapping | DELETE /v3/OS-FEDERATION/mappings/{id} | iam:identityProviders:deleteMapping | - | - |
| Querying a protocol list | GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols | iam:identityProviders:listProtocols | - | - |
| Querying protocol details | GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:getProtocol | - | - |
| Registering a protocol | PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:createProtocol | - | - |
| Updating a protocol | PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:updateProtocol | - | - |
| Deleting a protocol | DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} | iam:identityProviders:deleteProtocol | - | - |
| Querying a metadata file | GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata | iam:identityProviders:getIDPMetadata | - | - |
| Importing a metadata file | POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata | iam:identityProviders:createIDPMetadata | - | - |