What is the authorization scope of a federated user?

asked 2016-09-30 09:09:08 -0500

spsingh

I am trying to understand the scope of authorizations of a federated user (ephemeral user). Actually I want to authorize a federated user to do the following tasks:

  1. List/update/create/delete any domain
  2. List/update/create/delete any project

I am not sure if a federated user would be able to perform all the operations I have mentioned above.

Could you please help me understand the scope of authorization of a federated user?

I have already done the following things but I am unable to get the desired result:

  1. I created a mapping rule in which the admin group is mapped to the ephemeral user.
  2. I created a new role cloud_admin and changed the Identity policy.json file to grant all the above operations. I assigned this new role to a newly created group called cloud_group. I wrote a mapping rule to map this group to the federated user. The authentication is successful. But when I tried to fetch the projects, it only displays one project: admin.

Please help.



1 answer


answered 2016-10-01 05:07:22 -0500

Chaithanya

Federated Users can access all the projects in the Domain which the user belongs to. And cloud_admin can specify the Domain which the particular Federated users can access. If a Domain is not specified explicitly, this means the user is meant to be ephemeral and automatically belongs to the federated domain.



@Chaithanya, thank you for the response. Could you tell me how the cloud admin can specify the domain for the federated user? I tried the following mapping rule: ( But the user is mapped to the Federated domain

spsingh (2016-10-01 08:13:20 -0500)
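
An added example, not part of the thread and not Keystone's own code: a small reviewer script that reads a mapping in Keystone's `rules` / `local` / `remote` JSON format and reports, per rule, the domain the mapped user lands in and the groups (and therefore roles) it receives. The sample mapping, the `summarize_mapping` helper and its output fields are constructed for illustration; the `Federated` fallback follows the answer above.

```python
# Constructed sample in Keystone's mapping format (rules -> local/remote).
# Group, domain and attribute names are illustrative, not from the thread.
SAMPLE_MAPPING = {
    "rules": [
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"name": "cloud_group",
                           "domain": {"name": "Default"}}},
            ],
            "remote": [
                {"type": "REMOTE_USER"},
                {"type": "memberOf", "any_one_of": ["cloud-admins"]},
            ],
        },
        {
            "local": [{"user": {"name": "{0}",
                                "domain": {"name": "Default"}}}],
            "remote": [{"type": "REMOTE_USER"}],
        },
    ]
}

# Domain the answer above says applies when the rule names none.
FEDERATED = "Federated"
CONDITION_KEYS = ("any_one_of", "not_any_of")

def summarize_mapping(mapping):
    """Example helper: per rule, user domain, groups and remote conditions."""
    summary = []
    for index, rule in enumerate(mapping.get("rules", [])):
        domain, groups = FEDERATED, []
        for entry in rule.get("local", []):
            user = entry.get("user") or {}
            if "domain" in user:
                domain = user["domain"].get("name") or user["domain"].get("id")
            group = entry.get("group")
            if group:
                groups.append(group.get("name") or group.get("id"))
        # A rule with no any_one_of / not_any_of matches every asserted user.
        conditions = [r.get("type") for r in rule.get("remote", [])
                      if any(key in r for key in CONDITION_KEYS)]
        summary.append({"rule": index, "user_domain": domain,
                        "groups": groups, "restricted_by": conditions,
                        "unconditional": not conditions})
    return summary

if __name__ == "__main__":
    for row in summarize_mapping(SAMPLE_MAPPING):
        print(row)
```

Rules reported as `unconditional` that also grant a privileged group deserve review before the mapping is loaded, since every identity the provider asserts would receive that group's roles.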



Asked: 2016-09-30 09:09:08 -0500

Seen: 204 times

Last updated: Oct 01 '16