osc identity domain group role
Domain group roles
OpenStack services typically determine whether a user’s API request should be allowed using Role Based Access Control (RBAC). For OpenStack this means the service compares the roles the user has on the project (as indicated by the roles in the token) against the roles required for the API in question (as defined in the service’s policy file). A user obtains roles on a project by having them assigned via the Identity service API.
Roles must first be created as entities via the Identity service API and, once created, can then be assigned. You can assign roles to a user or group on a project, including projects owned by other domains. You can also assign roles to a user or group on a domain, although this is currently only relevant for using a domain-scoped token to execute domain-level Identity service API requests.
Usage: osc identity domain group role <COMMAND>
Available subcommands:
osc identity domain group role delete — Unassign role from group on domain
osc identity domain group role list — List role assignments for group on domain
osc identity domain group role set — Assign role to group on domain
osc identity domain group role show — Check if a group has a specific role on a domain
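
An added example, not part of the osc documentation: a small audit of group-on-domain role assignments of the kind these subcommands manage, including grants inherited to projects. The input is a constructed sample shaped like a Keystone v3 `GET /v3/role_assignments` listing with names included; the `SENSITIVE` role set, the function names and all ids are assumptions.

```python
from collections import defaultdict

# Assumption: which role names count as high-privilege in this deployment.
SENSITIVE = {"admin"}

# Constructed sample, shaped like a Keystone v3 role_assignments listing.
SAMPLE = {"role_assignments": [
    {"group": {"id": "g-ops"}, "role": {"id": "r-1", "name": "admin"},
     "scope": {"domain": {"id": "d-default"}}},
    {"group": {"id": "g-ops"}, "role": {"id": "r-2", "name": "reader"},
     "scope": {"domain": {"id": "d-default"},
               "OS-INHERIT:inherited_to": "projects"}},
    {"user": {"id": "u-1"}, "role": {"id": "r-1", "name": "admin"},
     "scope": {"domain": {"id": "d-default"}}},
    {"group": {"id": "g-dev"}, "role": {"id": "r-1", "name": "admin"},
     "scope": {"project": {"id": "p-1"}}},
    {"group": {"id": "g-aud"}, "role": {"id": "r-9"},
     "scope": {"domain": {"id": "d-eng"}}},
]}


def domain_group_roles(payload):
    """Map (domain_id, group_id) -> list of role records for group-on-domain grants."""
    grants = defaultdict(list)
    for entry in payload.get("role_assignments", []):
        scope = entry.get("scope", {})
        # Skip user assignments and anything scoped to a project.
        if "group" not in entry or "domain" not in scope:
            continue
        # Fall back to the role id when the listing carries no names.
        role = entry["role"].get("name") or entry["role"]["id"]
        grants[(scope["domain"]["id"], entry["group"]["id"])].append({
            "role": role,
            # Inherited grants take effect on the domain's projects, not the domain.
            "inherited_to_projects": scope.get("OS-INHERIT:inherited_to") == "projects",
        })
    return dict(grants)


def sensitive_grants(payload):
    """Return sorted (domain, group, role, inherited) tuples for high-privilege roles."""
    return sorted(
        (domain, group, rec["role"], rec["inherited_to_projects"])
        for (domain, group), recs in domain_group_roles(payload).items()
        for rec in recs if rec["role"] in SENSITIVE
    )


if __name__ == "__main__":
    for finding in sensitive_grants(SAMPLE):
        print(finding)
```

Grants that appear only with a role id (no name) are never matched against `SENSITIVE`, so resolve names before relying on the result.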