Verifying API Authority

The following information can be retrieved through the APIs:

  • IAM Group List

  • IAM Role List

  • IAM Group User List

  • IAM Role Details

Note

Obtaining the IAM Group List also lets you refer to the IAM Roles linked with each IAM Group.

To make sure the authority setting has been made appropriately, check the items below:

| Check item | Contents to be checked |
| --- | --- |
| Execution of Keystone API | Whether the IAM Group and IAM Role that permit Keystone API execution have been created and linked to each other. Whether the User List linked with the IAM Group that permits Keystone API execution has been obtained and the relevant user's User ID appears in it. (Obtain the iam_group_id of the Keystone IAM Group at IAM Group List, and confirm at IAM Group User List whether the relevant user's User ID has been linked appropriately.) |
| Linkage between IAM Group and the relevant user | Whether the User List linked with the created IAM Group has been obtained and the relevant user's User ID appears in it. (Obtain the iam_group_id of the created IAM Group at IAM Group List, and confirm at IAM Group User List whether the relevant user's User ID has been linked.) |
| Linkage between IAM Group and the IAM Role | Whether the IAM Group List has been obtained and the created IAM Role's ID and Name appear for the created Group. (Confirm at IAM Group List whether the created IAM Group and the created IAM Role have been linked to each other.) |
| Deletion of the linkage between the Default Group and the relevant user | Whether the User List linked with the Default Group has been obtained and the relevant user's User ID does not appear in it. (Obtain the Default Group's iam_group_id at IAM Group List, and confirm at IAM Group User List whether the relevant user's User ID is linked.) |
| No linkage between the relevant user and any other IAM Group | Confirm that the user is not linked with any other IAM Group that the client has created. If the user is linked with multiple IAM Groups, the OR condition will be applied. (Obtain the iam_group_id of each IAM Group at IAM Group List, and confirm at IAM Group User List that the relevant user is not linked with each IAM Group.) |
| Confirming IAM Role description | Obtain the details of the created IAM Role, and confirm whether the resource descriptions correctly reflect what the user wants to limit. (Obtain the iam_role_id at IAM Role List, and confirm at IAM Role Details whether the descriptions created for the IAM Role correctly reflect what the user wants to limit.) |
| Permission on GET Operation Execution (if the relevant user uses the GUI) | Whether the IAM Group and IAM Role that permit GET operations have been created and linked to each other. Whether the user list of the IAM Group permitting GET operations has been obtained and the relevant user's User ID appears in it. (Obtain the iam_role_id of the IAM Group that permits GET operations at IAM Role List, and confirm at IAM Group User List whether the relevant user has been linked.) |
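
The checks listed above can be run mechanically once IAM Group List and IAM Group User List have been fetched. The following Python is an added example, not code from the original page or from the service. It works on constructed sample data, and every key other than iam_group_id and iam_role_id, along with all IDs and names, is an assumption.

```python
# Constructed sample data standing in for the API responses. Only
# iam_group_id and iam_role_id are field names from the page; the
# other keys and all IDs/names here are assumptions.
GROUPS = [  # IAM Group List
    {"iam_group_id": "g-default", "iam_group_name": "Default Group",
     "iam_roles": [{"iam_role_id": "r-default", "iam_role_name": "default-role"}]},
    {"iam_group_id": "g-keystone", "iam_group_name": "keystone-api",
     "iam_roles": [{"iam_role_id": "r-ks", "iam_role_name": "keystone-role"}]},
    {"iam_group_id": "g-server", "iam_group_name": "server-ops",
     "iam_roles": []},  # role link was forgotten
]
MEMBERS = {  # IAM Group User List, keyed by iam_group_id
    "g-default": {"user-001", "user-002"},  # user-002 never removed
    "g-keystone": {"user-002"},
    "g-server": {"user-002"},
}
EXPECTED = {"keystone-api": "keystone-role", "server-ops": "server-role"}


def audit_user(groups, members, user_id, expected):
    """Return findings for one user; an empty list means all checks pass.

    expected maps each group the user should be in to the role that
    group should carry.
    """
    findings, seen = [], set()
    for g in groups:
        name = g["iam_group_name"]
        linked = user_id in members.get(g["iam_group_id"], set())
        if name not in expected:
            # Default Group or any other group: a link here widens
            # access, since multiple groups combine with OR.
            if linked:
                findings.append(f"user is linked to unexpected group {name!r}")
            continue
        seen.add(name)
        roles = {r["iam_role_name"] for r in g.get("iam_roles", [])}
        if expected[name] not in roles:
            findings.append(f"group {name!r} is not linked to role {expected[name]!r}")
        if not linked:
            findings.append(f"user is not linked to group {name!r}")
    for name in expected.keys() - seen:
        findings.append(f"group {name!r} is missing from IAM Group List")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_user(GROUPS, MEMBERS, "user-002", EXPECTED):
        print("FAIL:", finding)
```

The Keystone and GET-operation groups go into `expected` alongside the restricting group, so that only links outside the intended design are reported.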