osc identity domain user role
Domain user roles
OpenStack services typically determine whether a user’s API request should be allowed using Role Based Access Control (RBAC). For OpenStack this means the service compares the roles that user has on the project (as indicated by the roles in the token), against the roles required for the API in question (as defined in the service’s policy file). A user obtains roles on a project by having these assigned to them via the Identity service API.
Roles must initially be created as entities via the Identity services API and, once created, can then be assigned. You can assign roles to a user or group on a project, including projects owned by other domains. You can also assign roles to a user or group on a domain, although this is only currently relevant for using a domain scoped token to execute domain-level Identity service API requests.
Usage: osc identity domain user role <COMMAND>
Available subcommands:
osc identity domain user role delete— Unassigns role from user on domainosc identity domain user role list— List role assignments for user on domainosc identity domain user role set— Assign role to user on domainosc identity domain user role show— Check if a user has a specific role on the domain