e4aac82b07
A standard pre-release patch, looking for any obsolete text to remove, and references to newly unsupported releases to remove. Feel free to update the patch if you find other things. Review request: this patch touches many files in a small way. Please try and focus on the small changes, and not the rest of the file ... since many of them do need an edit ;) Change-Id: I383c51acf149bb6553ddfd33cad382f5dd15fe62
72 lines
2.8 KiB
XML
72 lines
2.8 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
|
xml:id="identity-groups">
|
|
<title>Groups</title>
|
|
<para>A group is a collection of users. Administrators can
|
|
create groups and add users to them. Then, rather than assign
|
|
a role to each user individually, assign a role to the group.
|
|
Every group is in a domain. Groups were introduced with the
|
|
Identity API v3.</para>
|
|
<!--TODO: eventually remove the last sentence, when v3 is
|
|
commonplace -->
|
|
<para>Identity API V3 provides the following group-related
|
|
operations:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Create a group</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Delete a group</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Update a group (change its name or
|
|
description)</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Add a user to a group</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Remove a user from a group</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>List group members</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>List groups for a user</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Assign a role on a tenant to a group</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Assign a role on a domain to a group</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Query role assignments to groups</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<note>
|
|
<para>The Identity service server might not allow all
|
|
operations. For example, if using the Identity server
|
|
with the LDAP Identity back end and group updates are
|
|
disabled, then a request to create, delete, or update
|
|
a group fails.</para>
|
|
</note>
|
|
<para>Here are a couple of examples:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Group A is granted Role A on Tenant A. If User A
|
|
is a member of Group A, when User A gets a token
|
|
scoped to Tenant A, the token also includes Role
|
|
A.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Group B is granted Role B on Domain B. If User B
|
|
is a member of Domain B, if User B gets a token
|
|
scoped to Domain B, the token also includes Role
|
|
B.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|