openstack-manuals/doc/common/section_keystone-concepts-group-management.xml
Tom Fifield e4aac82b07 Remove old references in prep for Icehouse
A standard pre-release patch, looking for any obsolete text to remove,
and references to newly unsupported releases to remove.

Feel free to update the patch if you find other things.

Review request: this patch touches many files in a small way.
Please try and focus on the small changes, and not the rest of the
file ... since many of them do need an edit  ;)

Change-Id: I383c51acf149bb6553ddfd33cad382f5dd15fe62
2014-04-11 08:13:54 -05:00

72 lines
2.8 KiB
XML

<?xml version="1.0" encoding="utf-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="identity-groups">
<title>Groups</title>
<para>A group is a collection of users. Administrators can
create groups and add users to them. Then, rather than assign
a role to each user individually, assign a role to the group.
Every group is in a domain. Groups were introduced with the
Identity API v3.</para>
<!--TODO: eventually remove the last sentence, when v3 is
commonplace -->
<para>Identity API V3 provides the following group-related
operations:</para>
<itemizedlist>
<listitem>
<para>Create a group</para>
</listitem>
<listitem>
<para>Delete a group</para>
</listitem>
<listitem>
<para>Update a group (change its name or
description)</para>
</listitem>
<listitem>
<para>Add a user to a group</para>
</listitem>
<listitem>
<para>Remove a user from a group</para>
</listitem>
<listitem>
<para>List group members</para>
</listitem>
<listitem>
<para>List groups for a user</para>
</listitem>
<listitem>
<para>Assign a role on a tenant to a group</para>
</listitem>
<listitem>
<para>Assign a role on a domain to a group</para>
</listitem>
<listitem>
<para>Query role assignments to groups</para>
</listitem>
</itemizedlist>
<note>
<para>The Identity service server might not allow all
operations. For example, if using the Identity server
with the LDAP Identity back end and group updates are
disabled, then a request to create, delete, or update
a group fails.</para>
</note>
<para>Here are a couple of examples:</para>
<itemizedlist>
<listitem>
<para>Group A is granted Role A on Tenant A. If User A
is a member of Group A, when User A gets a token
scoped to Tenant A, the token also includes Role
A.</para>
</listitem>
<listitem>
<para>Group B is granted Role B on Domain B. If User B
is a member of Domain B, if User B gets a token
scoped to Domain B, the token also includes Role
B.</para>
</listitem>
</itemizedlist>
</section>