openstack-manuals/doc/common/section_keystone-concepts-group-management.xml
Chandan kumar 201f5c6639 Added complete Doc Conventions in common guide.
backport: havana
Change-Id: I6851ef705247d619e78fb63cbcdf1ce804a548f1
Partial-Bug: #1121866
2013-12-02 10:18:32 +05:30

71 lines
2.8 KiB
XML

<?xml version="1.0" encoding="utf-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="identity-groups">
<title>Groups</title>
<para>A group is a collection of users. Administrators can
create groups and add users to them. Then, rather than
assign a role to each user individually, assign a role to
the group. Every group is in a domain. Groups were
introduced with version 3 of the Identity API (the Grizzly
release of Identity Service).</para>
<para>Identity API V3 provides the following group-related
operations:</para>
<itemizedlist>
<listitem>
<para>Create a group</para>
</listitem>
<listitem>
<para>Delete a group</para>
</listitem>
<listitem>
<para>Update a group (change its name or
description)</para>
</listitem>
<listitem>
<para>Add a user to a group</para>
</listitem>
<listitem>
<para>Remove a user from a group</para>
</listitem>
<listitem>
<para>List group members</para>
</listitem>
<listitem>
<para>List groups for a user</para>
</listitem>
<listitem>
<para>Assign a role on a tenant to a group</para>
</listitem>
<listitem>
<para>Assign a role on a domain to a group</para>
</listitem>
<listitem>
<para>Query role assignments to groups</para>
</listitem>
</itemizedlist>
<note>
<para>The Identity service server might not allow all
operations. For example, if using the Identity server
with the LDAP Identity back end and group updates are
disabled, then a request to create, delete, or update
a group fails.</para>
</note>
<para>Here are a couple examples:</para>
<itemizedlist>
<listitem>
<para>Group A is granted Role A on Tenant A. If User A
is a member of Group A, when User A gets a token
scoped to Tenant A, the token also includes Role
A.</para>
</listitem>
<listitem>
<para>Group B is granted Role B on Domain B. If User B
is a member of Domain B, if User B gets a token
scoped to Domain B, the token also includes Role
B.</para>
</listitem>
</itemizedlist>
</section>