
 Groups

A group is a collection of users. Administrators can create groups and add users to them. Then, rather than assign a role to each user individually, assign a role to the group. Every group is in a domain. Groups were introduced with the Identity API v3.

Identity API v3 provides the following group-related operations:

  • Create a group

  • Delete a group

  • Update a group (change its name or description)

  • Add a user to a group

  • Remove a user from a group

  • List group members

  • List groups for a user

  • Assign a role on a tenant to a group

  • Assign a role on a domain to a group

  • Query role assignments to groups

Note

The Identity service server might not allow all operations. For example, if the Identity server uses the LDAP Identity back end and group updates are disabled, a request to create, delete, or update a group fails.

Here are a couple of examples:

  • Group A is granted Role A on Tenant A. If User A is a member of Group A, when User A gets a token scoped to Tenant A, the token also includes Role A.

  • Group B is granted Role B on Domain B. If User B is a member of Domain B, when User B gets a token scoped to Domain B, the token also includes Role B.
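
The role resolution described in these examples can be modelled offline to audit which roles a scoped token would carry and whether each came from a direct or a group assignment. The following is an added example, not Identity service code; the data model, the function names, the sample identifiers, the direct "member" assignment and User B's membership of Group B are assumptions made for illustration.

```python
from collections import namedtuple

# One role assignment. actor is ("user", id) or ("group", id);
# scope is ("tenant", id) or ("domain", id). Hypothetical model.
Assignment = namedtuple("Assignment", "actor scope role")

# Constructed sample data mirroring the two examples above.
MEMBERS = {"group-a": {"user-a"}, "group-b": {"user-b"}}
ASSIGNMENTS = [
    Assignment(("group", "group-a"), ("tenant", "tenant-a"), "role-a"),
    Assignment(("group", "group-b"), ("domain", "domain-b"), "role-b"),
    Assignment(("user", "user-a"), ("tenant", "tenant-a"), "member"),
]

def groups_of(user, members=MEMBERS):
    """Model of the 'list groups for a user' operation."""
    return {g for g, users in members.items() if user in users}

def token_roles(user, scope, assignments=ASSIGNMENTS, members=MEMBERS):
    """Roles a token scoped to `scope` carries: direct plus group-derived."""
    actors = {("user", user)}
    actors |= {("group", g) for g in groups_of(user, members)}
    return {a.role for a in assignments
            if a.scope == scope and a.actor in actors}

def audit_role(role, scope, assignments=ASSIGNMENTS, members=MEMBERS):
    """Map each user holding `role` on `scope` to how the role was obtained."""
    holders = {}
    for a in assignments:
        if a.role != role or a.scope != scope:
            continue
        kind, ident = a.actor
        if kind == "user":
            holders.setdefault(ident, set()).add("direct")
        else:
            # A group assignment reaches every current member of the group.
            for user in members.get(ident, ()):
                holders.setdefault(user, set()).add("group:" + ident)
    return holders

if __name__ == "__main__":
    print(token_roles("user-a", ("tenant", "tenant-a")))
    print(audit_role("role-b", ("domain", "domain-b")))
```

Removing a user from a group in `MEMBERS` drops the group-derived role from the result while any direct assignment remains, which is the case to check when revoking access.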
