201f5c6639
backport: havana Change-Id: I6851ef705247d619e78fb63cbcdf1ce804a548f1 Partial-Bug: #1121866
71 lines
2.8 KiB
XML
71 lines
2.8 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
|
xml:id="identity-groups">
|
|
<title>Groups</title>
|
|
<para>A group is a collection of users. Administrators can
|
|
create groups and add users to them. Then, rather than
|
|
assign a role to each user individually, assign a role to
|
|
the group. Every group is in a domain. Groups were
|
|
introduced with version 3 of the Identity API (the Grizzly
|
|
release of Identity Service).</para>
|
|
<para>Identity API V3 provides the following group-related
|
|
operations:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Create a group</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Delete a group</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Update a group (change its name or
|
|
description)</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Add a user to a group</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Remove a user from a group</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>List group members</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>List groups for a user</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Assign a role on a tenant to a group</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Assign a role on a domain to a group</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Query role assignments to groups</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<note>
|
|
<para>The Identity service server might not allow all
|
|
operations. For example, if using the Identity server
|
|
with the LDAP Identity back end and group updates are
|
|
disabled, then a request to create, delete, or update
|
|
a group fails.</para>
|
|
</note>
|
|
<para>Here are a couple examples:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Group A is granted Role A on Tenant A. If User A
|
|
is a member of Group A, when User A gets a token
|
|
scoped to Tenant A, the token also includes Role
|
|
A.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Group B is granted Role B on Domain B. If User B
|
|
is a member of Domain B, if User B gets a token
|
|
scoped to Domain B, the token also includes Role
|
|
B.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|