# Pastebin q6ldi3ua
{
    "cloud_admin": "role:admin and token.is_admin_project:True",
    "service_admin": "role:admin and token.project.name:service and token.project.domain.name:Service",

    "identity:get_application_credential": "!",
    "identity:list_application_credentials": "!",
    "identity:create_application_credential": "!",
    "identity:delete_application_credential": "!",

    "identity:authorize_request_token": "!",
    "identity:get_access_token": "!",
    "identity:get_access_token_role": "!",
    "identity:list_access_tokens": "!",
    "identity:list_access_token_roles": "!",
    "identity:delete_access_token": "!",

    "identity:get_auth_catalog": "!",
    "identity:get_auth_projects": "!",
    "identity:get_auth_domains": "!",
    "identity:get_auth_system": "!",

    "identity:get_consumer": "!",
    "identity:list_consumers": "!",
    "identity:create_consumer": "!",
    "identity:update_consumer": "!",
    "identity:delete_consumer": "!",

    "identity:get_credential": "!",
    "identity:list_credentials": "!",
    "identity:create_credential": "!",
    "identity:update_credential": "!",
    "identity:delete_credential": "!",

    "identity:get_domain": "!",
    "identity:list_domains": "!",
    "identity:create_domain": "!",
    "identity:update_domain": "!",
    "identity:delete_domain": "!",

    "identity:create_domain_config": "!",
    "identity:get_domain_config": "!",
    "identity:get_security_compliance_domain_config": "!",
    "identity:update_domain_config": "!",
    "identity:delete_domain_config": "!",
    "identity:get_domain_config_default": "!",

    "identity:ec2_get_credential": "!",
    "identity:ec2_list_credentials": "!",
    "identity:ec2_create_credential": "!",
    "identity:ec2_delete_credential": "!",

    "identity:get_endpoint": "!",
    "identity:list_endpoints": "rule:admin_required",
    "identity:create_endpoint": "rule:service_role",
    "identity:update_endpoint": "!",
    "identity:delete_endpoint": "!",

    "identity:create_endpoint_group": "!",
    "identity:list_endpoint_groups": "!",
    "identity:get_endpoint_group": "!",
    "identity:update_endpoint_group": "!",
    "identity:delete_endpoint_group": "!",
    "identity:list_projects_associated_with_endpoint_group": "!",
    "identity:list_endpoints_associated_with_endpoint_group": "!",
    "identity:get_endpoint_group_in_project": "!",
    "identity:list_endpoint_groups_for_project": "!",
    "identity:add_endpoint_group_to_project": "!",
    "identity:remove_endpoint_group_from_project": "!",

    "identity:check_grant": "rule:cloud_admin or rule:service_admin or ((role:admin or role:project_manager) and project_id:%(project_id)s)",
    "identity:list_grants": "rule:cloud_admin or rule:service_admin or ((role:admin or role:project_manager) and project_id:%(project_id)s)",
    "identity:create_grant": "rule:cloud_admin or (role:admin and project_id:%(project_id)s)",
    "identity:revoke_grant": "rule:cloud_admin or (role:admin and project_id:%(project_id)s)",

    "identity:list_system_grants_for_user": "!",
    "identity:check_system_grant_for_user": "!",
    "identity:create_system_grant_for_user": "!",
    "identity:revoke_system_grant_for_user": "!",

    "identity:list_system_grants_for_group": "!",
    "identity:check_system_grant_for_group": "!",
    "identity:create_system_grant_for_group": "!",
    "identity:revoke_system_grant_for_group": "!",

    "identity:get_group": "rule:admin_required",
    "identity:list_groups": "rule:admin_required",
    "identity:list_groups_for_user": "rule:admin_required or rule:owner",
    "identity:create_group": "!",
    "identity:update_group": "!",
    "identity:delete_group": "!",
    "identity:list_users_in_group": "rule:admin_required",
    "identity:remove_user_from_group": "!",
    "identity:check_user_in_group": "!",
    "identity:add_user_to_group": "!",

    "identity:create_identity_provider": "!",
    "identity:list_identity_providers": "!",
    "identity:get_identity_provider": "!",
    "identity:update_identity_provider": "!",
    "identity:delete_identity_provider": "!",

    "identity:get_implied_role": "!",
    "identity:list_implied_roles": "!",
    "identity:create_implied_role": "!",
    "identity:delete_implied_role": "!",
    "identity:list_role_inference_rules": "!",
    "identity:check_implied_role": "!",

    "identity:get_limit_model": "!",
    "identity:get_limit": "!",
    "identity:list_limits": "!",
    "identity:create_limits": "!",
    "identity:update_limit": "!",
    "identity:delete_limit": "!",

    "identity:create_mapping": "!",
    "identity:get_mapping": "!",
    "identity:list_mappings": "!",
    "identity:delete_mapping": "!",
    "identity:update_mapping": "!",

    "identity:get_policy": "!",
    "identity:list_policies": "!",
    "identity:create_policy": "!",
    "identity:update_policy": "!",
    "identity:delete_policy": "!",

    "identity:create_policy_association_for_endpoint": "!",
    "identity:check_policy_association_for_endpoint": "!",
    "identity:delete_policy_association_for_endpoint": "!",
    "identity:create_policy_association_for_service": "!",
    "identity:check_policy_association_for_service": "!",
    "identity:delete_policy_association_for_service": "!",
    "identity:create_policy_association_for_region_and_service": "!",
    "identity:check_policy_association_for_region_and_service": "!",
    "identity:delete_policy_association_for_region_and_service": "!",
    "identity:get_policy_for_endpoint": "!",
    "identity:list_endpoints_for_policy": "!",

    "identity:get_project": "rule:cloud_admin or project_id:%(target.project.id)s",
    "identity:list_projects": "rule:cloud_admin or rule:service_admin",
    "identity:list_user_projects": "rule:cloud_admin or user_id:%(user_id)s",
    "identity:create_project": "rule:cloud_admin",
    "identity:update_project": "rule:cloud_admin or (role:admin and project_id:%(target.project.id)s)",
    "identity:delete_project": "rule:cloud_admin",

    "identity:list_project_tags": "!",
    "identity:get_project_tag": "!",
    "identity:update_project_tags": "!",
    "identity:create_project_tag": "!",
    "identity:delete_project_tags": "!",
    "identity:delete_project_tag": "!",

    "identity:list_projects_for_endpoint": "!",
    "identity:add_endpoint_to_project": "!",
    "identity:check_endpoint_in_project": "!",
    "identity:list_endpoints_for_project": "!",
    "identity:remove_endpoint_from_project": "!",

    "identity:create_protocol": "!",
    "identity:update_protocol": "!",
    "identity:get_protocol": "!",
    "identity:list_protocols": "!",
    "identity:delete_protocol": "!",

    "identity:get_region": "rule:admin_required",
    "identity:list_regions": "rule:admin_required",
    "identity:create_region": "!",
    "identity:update_region": "!",
    "identity:delete_region": "!",

    "identity:get_registered_limit": "!",
    "identity:list_registered_limits": "!",
    "identity:create_registered_limits": "!",
    "identity:update_registered_limit": "!",
    "identity:delete_registered_limit": "!",

    "identity:list_revoke_events": "!",

    "identity:get_role": "rule:admin_required",
    "identity:list_roles": "rule:admin_required",
    "identity:create_role": "rule:service_role",
    "identity:update_role": "!",
    "identity:delete_role": "!",

    "identity:get_domain_role": "!",
    "identity:list_domain_roles": "!",
    "identity:create_domain_role": "!",
    "identity:update_domain_role": "!",
    "identity:delete_domain_role": "!",

    "identity:list_role_assignments": "rule:cloud_admin or rule:service_admin or ((role:admin or role:project_manager) and project_id:%(scope.project.id)s)",
    "identity:list_role_assignments_for_tree": "!",

    "identity:get_service": "!",
    "identity:list_services": "rule:admin_required",
    "identity:create_service": "rule:service_role",
    "identity:update_service": "!",
    "identity:delete_service": "!",

    "identity:create_service_provider": "!",
    "identity:list_service_providers": "!",
    "identity:get_service_provider": "!",
    "identity:update_service_provider": "!",
    "identity:delete_service_provider": "!",

    "identity:revocation_list": "!",
    "identity:check_token": "rule:admin_required or rule:token_subject",
    "identity:validate_token": "rule:admin_required or rule:service_role or rule:token_subject",
    "identity:revoke_token": "rule:admin_required or rule:token_subject",

    "identity:create_trust": "!",
    "identity:list_trusts": "!",
    "identity:list_roles_for_trust": "!",
    "identity:get_role_for_trust": "!",
    "identity:delete_trust": "!",
    "identity:get_trust": "!",

    "identity:get_user": "rule:admin_required or rule:owner",
    "identity:list_users": "rule:admin_required",
    "identity:list_projects_for_user": "",
    "identity:list_domains_for_user": "!",
    "identity:create_user": "!",
    "identity:update_user": "!",
    "identity:delete_user": "!"