IAM Role and IAM Group

API Authority Management Function is realized by IAM Role and IAM Group. By linking IAM Role with IAM Group and/or IAM Group and the user, the execution authority of general users are available to be controlled.

IAM Role

IAM Role shows API execution permission and conditions. These are described in whitelist style.
The administrator can set an IAM Role by setting the parameters below to resources of request bodies.

basePath specifies each API end point which permits execution. Description methods are shown in the another table below.


ipAddress specifies the global IP address of the access source client that permits execution.


path specifies the URL's path that permits execution.


verb specifies a method that to permits execution. Four description such as GET/PUT/POST/DELETE are available.

Optional Elements

The value which is included in each API's query parameter or request body such as Tenant ID, User ID, etc. can be specified.

For each parameter, * (asterisk) is acceptable as a wild card.
Resources of an IAM Role accepts descriptions of multiple authorities. In this case, the OR condition is applied. (See AND/OR Condition at Authority Description for details.)
The following table shows description correspondence of each API end point and basePath:

Function Name

End point URL

Keystone keystone-[Region Name]-ecl.api.ntt.com /ecl-keystone

Management Function

sss-[Region Name]-ecl.api.ntt.com /ecl-sss

Network/Colocation Interconnectivity (1000BASE-LX/10GBASE-LR)

network-[Region Name]-ecl.api.ntt.com /ecl-network

Provider Connectivity

provider-connectivity-[Region Name]-ecl.api.ntt.com /ecl-provider-connectivity

Baremetal Server

baremetal-server-[Region Name]-ecl.api.ntt.com /ecl-baremetal-server

Remote Console Access

rca-[Region Name]-ecl.api.ntt.com /ecl-rca

Image Storage

glance-[Region Name]-ecl.api.ntt.com /ecl-glance

Virtual Server

nova-[Region Name]-ecl.api.ntt.com
cinder-[Region Name]-ecl.api.ntt.com


storage-[Region Name]-ecl.api.ntt.com /ecl-storage
Wasabi Object Storage api.ntt.com /ecl-objectstorage

Colocation Interconnectivity (1000BASE-T)/EnterpriseCloud Interconnectivity

interconnectivity-[Region Name]-ecl.api.ntt.com /ecl-interconnectivity

Dedicated Hyper-Visor

dedicated-hypervisor-[Region Name]-ecl.api.ntt.com /ecl-dedicated-hypervisor
Hybrid Cloud for Azure hc-azure-[Region Name]-ecl.api.ntt.com /ecl-hc-azure
Red Hat OpenShift Platform api.ntt.com /ecl-scduo


monitoring-[Region Name]-ecl.api.ntt.com /ecl-monitoring
DNS dns-[Region Name]-ecl.api.ntt.com /ecl-dns
WebRTC Platform webrtc-[Region Name]-ecl.api.ntt.com /ecl-webrtc


(Order API) mss-rfg-[Region Name]-ecl.api.ntt.com
(Portal API) mss-msa-[Region Name]-ecl.api.ntt.com


backup-[Region Name]-ecl.api.ntt.com /ecl-backup
Deployment Manager(heat) heat-[Region Name]-ecl.api.ntt.com /ecl-heat
For Middleware / GSLB / Power Systems soi-[Region Name]-ecl.api.ntt.com /ecl-soi

IAM Group

An IAM Group consists of some IAM Roles. The user belongs to any IAM Group. Execution Authority Control conducted by the IAM Role that is linked with IAM Group will be applied to the user.

Inter-relationship between IAM Group and User

The user belongs to any IAM Group. A newly created user will belong to Default Group at first. (See the Default Group and Default Role for the details of Default Group.)
The authority relating to the IAM Role, which is linked to the IAM Group that the user belongs, will be applied to the user. The administrator can link general users to the IAM Group or delete the linkage. The administrator cannot change the Group(s) which he/she belongs to.
An user can belong to multiple IAM Groups. In this case, each IAM Group's OR condition will be applied to the user. (See AND/OR Condition at Authority Description for details.)


Users who do not belong to any group cannot perform Smart Data Platform.

Inter-relationship between IAM Group and IAM Role

IAM Role also belongs to IAM Group like the user. Execution authority of the user belonging to an IAM Group will be controlled by the IAM Role that links to the IAM Group.
An IAM Role can link to multiple IAM Groups. If one particular group links with some IAM Roles, the AND condition will be applied to those roles. (See AND/OR Condition at Authority Description for details.)
At initial settings, Default Role is given allocated. (See Default Group and Default Role for details.)