{ "admin_required": "role:admin or is_admin:1", "service_role": "role:service", "service_or_admin": "rule:admin_required or rule:service_role", "owner" : "user_id:%(user_id)s", "admin_or_owner": "rule:admin_required or rule:owner", "token_subject": "user_id:%(target.token.user_id)s", "admin_or_token_subject": "rule:admin_required or rule:token_subject", "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject", "protected_domains": "'heat':%(target.domain.name)s or 'magnum':%(target.domain.name)s", "protected_projects": "'admin':%(target.project.name)s or 'services':%(target.project.name)s", "protected_admins": "'admin':%(target.user.name)s or 'heat_admin':%(target.user.name)s or 'dcmanager':%(target.user.name)s", "protected_roles": "'admin':%(target.role.name)s or 'heat_admin':%(target.user.name)s", "protected_services": [["'aodh':%(target.user.name)s"], ["'barbican':%(target.user.name)s"], ["'ceilometer':%(target.user.name)s"], ["'cinder':%(target.user.name)s"], ["'glance':%(target.user.name)s"], ["'heat':%(target.user.name)s"], ["'neutron':%(target.user.name)s"], ["'nova':%(target.user.name)s"], ["'patching':%(target.user.name)s"], ["'sysinv':%(target.user.name)s"], ["'mtce':%(target.user.name)s"], ["'magnum':%(target.user.name)s"], ["'murano':%(target.user.name)s"], ["'panko':%(target.user.name)s"], ["'gnocchi':%(target.user.name)s"], ["'fm':%(target.user.name)s"]], "identity:delete_service": "rule:admin_required and not rule:protected_services", "identity:delete_domain": "rule:admin_required and not rule:protected_domains", "identity:delete_project": "rule:admin_required and not rule:protected_projects", "identity:delete_user": "rule:admin_required and not (rule:protected_admins or rule:protected_services)", "identity:change_password": "rule:admin_or_owner and not rule:protected_services", "identity:delete_role": "rule:admin_required and not rule:protected_roles", }