Query CloudSSO Access Assignments with ListAccessAssignments - CloudSSO - Alibaba Cloud - CloudSSO

Queries the access permissions that are assigned.

Operation description

This topic provides an example on how to query the assigned access permissions on the account 114240524784**** in your resource directory. The returned result shows that access permissions on the account in your resource directory is assigned to one user.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

cloudsso:ListAccessAssignments

list

*All Resource

*

None

Request parameters

Parameter	Type	Required	Description	Example
DirectoryId	string	Yes	The directory ID.	d-00fc2p61****
AccessConfigurationId	string	No	The ID of the access configuration. The ID can be used to filter access permissions.	ac-00jhtfl8thteu6uj****
TargetType	string	No	The type of the task object. The type can be used to filter access permissions. Set the value to RD-Account, which specifies the accounts in the resource directory. Note You can use the type to filter access permissions only if you specify both `TargetId` and `TargetType`.	RD-Account
TargetId	string	No	The ID of the task object. The ID can be used to filter access permissions. Note You can use the type to filter access permissions only if you specify both `TargetId` and `TargetType`.	114240524784****
PrincipalType	string	No	The type of the CloudSSO identity. The type can be used to filter access permissions. Valid values: User Group Note You can use the type to filter access permissions only if you specify both PrincipalId and `PrincipalType`.``	User
PrincipalId	string	No	The ID of the CloudSSO identity. The ID can be used to filter access permissions. If you set `PrincipalType` to User, set `PrincipalId` to the ID of the CloudSSO user. If you set `PrincipalType` to Group, set `PrincipalId` to the ID of the CloudSSO group. Note You can use the type to filter access permissions only if you specify both PrincipalId and `PrincipalType`.``	u-00q8wbq42wiltcrk****
NextToken	string	No	The pagination token that is used in the next request to retrieve a new page of results. If this is your first time to call this operation, you do not need to specify the `NextToken` parameter. When you call this operation for the first time, if the total number of entries to return exceeds the value of `MaxResults`, the entries are truncated. Only the entries that match the value of `MaxResults` are returned, and the excess entries are not returned. In this case, the value of the response parameter `IsTruncated` is `true`, and `NextToken` is returned. In the next call, you can use the value of `NextToken` and maintain the settings of the other request parameters to query the excess entries. You can repeat the call until the value of `IsTruncated` becomes `false`. This way, all entries are returned.	K1c3o9K7pFxoTtxH1Nm7MMLb7zrDGvftYBQBPDVv7AD3a8yhRb3Mk8L9ivmN6bFSjfkZNTAg3h4****
MaxResults	integer	No	The maximum number of entries per page. Valid values: 1 to 20. Default value: 10.	10

Response elements

Element	Type	Description	Example
	object	The returned results.
NextToken	string	The returned value of NextToken is a pagination token, which can be used in the next request to retrieve a new page of results. Note This parameter is returned only when the value of IsTruncated is `true`.``	K1c3o9K7pFxoTtxH1Nm7MMLb7zrDGvftYBQBPDVv7AD3a8yhRb3Mk8L9ivmN6bFSjfkZNTAg3h4****
RequestId	string	The request ID.	66898413-EB80-556D-9429-06FE3548F672
MaxResults	integer	The maximum number of entries returned per page.	10
TotalCounts	integer	The total number of entries returned.	1
IsTruncated	boolean	Indicates whether the queried entries are truncated. Valid values: true false	false
AccessAssignments	array<object>	The access permissions that are assigned.
	object
AccessConfigurationName	string	The name of the access configuration.	ECS-Admin
TargetPathName	string	The path name of the task object in the resource directory.	rd-3G****/root/dev-test
PrincipalId	string	The ID of the CloudSSO identity.	u-00q8wbq42wiltcrk****
TargetPath	string	The path ID of the task object in the resource directory.	rd-3G**/r-Wm/114240524784**
CreateTime	string	The time when the access permissions were assigned.	2021-11-04T10:03:08Z
TargetType	string	The type of the task object. The value is fixed as RD-Account, which indicates the accounts in the resource directory.	RD-Account
PrincipalName	string	The name of the CloudSSO identity.	Alice
TargetName	string	The name of the task object.	dev-test
AccessConfigurationId	string	The ID of the access configuration.	ac-00jhtfl8thteu6uj****
PrincipalType	string	The type of the CloudSSO identity. Valid values: User Group	User
TargetId	string	The ID of the task object.	114240524784****

Examples

Success response

JSON format

{
  "NextToken": "K1c3o9K7pFxoTtxH1Nm7MMLb7zrDGvftYBQBPDVv7AD3a8yhRb3Mk8L9ivmN6bFSjfkZNTAg3h4****",
  "RequestId": "66898413-EB80-556D-9429-06FE3548F672",
  "MaxResults": 10,
  "TotalCounts": 1,
  "IsTruncated": false,
  "AccessAssignments": [
    {
      "AccessConfigurationName": "ECS-Admin",
      "TargetPathName": "rd-3G****/root/dev-test",
      "PrincipalId": "u-00q8wbq42wiltcrk****",
      "TargetPath": "rd-3G****/r-Wm****/114240524784****",
      "CreateTime": "2021-11-04T10:03:08Z",
      "TargetType": "RD-Account",
      "PrincipalName": "Alice",
      "TargetName": "dev-test",
      "AccessConfigurationId": "ac-00jhtfl8thteu6uj****",
      "PrincipalType": "User",
      "TargetId": "114240524784****"
    }
  ]
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.