Revision history

For get_user, update_user and delete_user, the target is indeed a user and target.project.id exists. For list_users and create_user, the target is not a user. I don't know if these APIs have a target at all.

Also, the APIs for listing and creating users don't use projects or roles as parameters. This means that no API creates or lists users for your project.

To list users for your project, you have to list all users, then in a second pass filter them by project. To create a user in your project, you first create a user, then assign it a role, which links it to a project.

I don't think what you want is possible in the current policy framework. The only way to delegate user management is via the domain admin concept.

For get_user, update_user and delete_user, the target is indeed a user and target.project.id exists. For list_users and create_user, the target is not a user. I don't know if these APIs have a target at all.

Also, the APIs for listing and creating users don't have project or role parameters. This means that there is no API that creates or lists users for a certain project.

To list users for your project, you have to list all users, then in a second pass filter them by project. To create a user in your project, you first create a user, then link it to a project by assigning it a role.

I don't think what you want is possible in the current policy framework. The only way to delegate user management is via the domain admin concept.
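
The two-pass listing the answer describes, as an added example that is not part of the original post: it joins a full user list with role assignments to find the users linked to one project. The data is constructed and its field layout is an assumption modeled on Keystone v3 listings; `users_in_project` is a hypothetical helper.

```python
"""Two-pass listing: take all users, then filter by project via role assignments."""

# Constructed sample data (assumed layout, modeled on Keystone v3 "users" and
# "role_assignments" listings; every ID and name here is made up).
USERS = [
    {"id": "u1", "name": "alice", "domain_id": "default", "enabled": True},
    {"id": "u2", "name": "bob", "domain_id": "default", "enabled": True},
    {"id": "u3", "name": "carol", "domain_id": "default", "enabled": False},
    {"id": "u4", "name": "dave", "domain_id": "default", "enabled": True},
]
ROLE_ASSIGNMENTS = [
    {"user": {"id": "u1"}, "role": {"id": "member"}, "scope": {"project": {"id": "p1"}}},
    {"user": {"id": "u1"}, "role": {"id": "admin"}, "scope": {"project": {"id": "p1"}}},
    {"user": {"id": "u2"}, "role": {"id": "member"}, "scope": {"project": {"id": "p2"}}},
    {"user": {"id": "u3"}, "role": {"id": "member"}, "scope": {"project": {"id": "p1"}}},
    # Domain-scoped: grants nothing on a specific project by itself.
    {"user": {"id": "u4"}, "role": {"id": "admin"}, "scope": {"domain": {"id": "default"}}},
    # Group assignment: group members are not expanded in this example.
    {"group": {"id": "g1"}, "role": {"id": "member"}, "scope": {"project": {"id": "p1"}}},
    # Stale assignment pointing at a user ID that is not in the user list.
    {"user": {"id": "u9"}, "role": {"id": "member"}, "scope": {"project": {"id": "p1"}}},
]


def users_in_project(users, assignments, project_id):
    """Return {user name: sorted role ids} for users with a direct role on project_id."""
    roles_by_user = {}
    for a in assignments:
        # Keep only assignments scoped to the requested project.
        if a.get("scope", {}).get("project", {}).get("id") != project_id:
            continue
        user_id = a.get("user", {}).get("id")
        if user_id is None:  # group assignment, no direct user link
            continue
        roles_by_user.setdefault(user_id, set()).add(a["role"]["id"])
    # Second pass over the full user list; assignments for unknown user IDs
    # drop out here because no user record matches them.
    return {
        u["name"]: sorted(roles_by_user[u["id"]])
        for u in users
        if u["id"] in roles_by_user
    }


if __name__ == "__main__":
    for name, roles in users_in_project(USERS, ROLE_ASSIGNMENTS, "p1").items():
        print(name, roles)
```
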