What is the authorization scope of a federated user?

I am trying to understand the scope of authorizations of a federated user (ephemeral user). Actually I want to authorize a federated user to do the following tasks:

  1. List/update/create/delete any domain
  2. List/update/create/delete any project

I am not sure if a federated user would be able to perform all the operations I have mentioned above.

Could you please help me understand the scope of authorization of a federated user?

I have already done the following things but I am unable to get the desired result:

  1. I created a mapping rule in which the admin group is mapped to the ephemeral user.
  2. I created a new role cloud_admin and changed the Identity policy.json file to grant all the above operations. I assigned this new role to a newly created group called cloud_group. I wrote a mapping rule to map this group to the federated user. The authentication is successful. But when I tried to fetch the projects, it only displayed one project: admin.

Please help.