ListAccessAssignments - CloudSSO - Alibaba Cloud Documentation Center

Queries the access permissions that are assigned.

Operation description

This topic provides an example on how to query the assigned access permissions on the account 114240524784**** in your resource directory. The returned result shows that access permissions on the account in your resource directory is assigned to one user.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
cloudsso:ListAccessAssignments	List	AccessConfiguration acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/{#AccessConfigurationId} AccessConfiguration acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/access-configuration/* Account acs:resourcemanager::{#accountId}:account/* Account acs:resourcemanager::{#accountId}:account/{#AccountId} User acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/{#UserId} Group acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/{#GroupId} User acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/user/* Group acs:cloudsso:{#regionId}:{#accountId}:directory/{#DirectoryId}/group/*	none	none

Request parameters

Parameter	Type	Required	Description	Example
DirectoryId	string	Yes	The directory ID.	d-00fc2p61****
AccessConfigurationId	string	No	The ID of the access configuration. The ID can be used to filter access permissions.	ac-00jhtfl8thteu6uj****
TargetType	string	No	The type of the task object. The type can be used to filter access permissions. Set the value to RD-Account, which specifies the accounts in the resource directory. Note You can use the type to filter access permissions only if you specify both `TargetId` and `TargetType`.	RD-Account
TargetId	string	No	The ID of the task object. The ID can be used to filter access permissions. Note You can use the type to filter access permissions only if you specify both `TargetId` and `TargetType`.	114240524784****
PrincipalType	string	No	The type of the CloudSSO identity. The type can be used to filter access permissions. Valid values: User Group Note You can use the type to filter access permissions only if you specify both PrincipalId and `PrincipalType`.``	User
PrincipalId	string	No	The ID of the CloudSSO identity. The ID can be used to filter access permissions. If you set `PrincipalType` to User, set `PrincipalId` to the ID of the CloudSSO user. If you set `PrincipalType` to Group, set `PrincipalId` to the ID of the CloudSSO group. Note You can use the type to filter access permissions only if you specify both PrincipalId and `PrincipalType`.``	u-00q8wbq42wiltcrk****
NextToken	string	No	The pagination token that is used in the next request to retrieve a new page of results. If this is your first time to call this operation, you do not need to specify the `NextToken` parameter. When you call this operation for the first time, if the total number of entries to return exceeds the value of `MaxResults`, the entries are truncated. Only the entries that match the value of `MaxResults` are returned, and the excess entries are not returned. In this case, the value of the response parameter `IsTruncated` is `true`, and `NextToken` is returned. In the next call, you can use the value of `NextToken` and maintain the settings of the other request parameters to query the excess entries. You can repeat the call until the value of `IsTruncated` becomes `false`. This way, all entries are returned.	K1c3o9K7pFxoTtxH1Nm7MMLb7zrDGvftYBQBPDVv7AD3a8yhRb3Mk8L9ivmN6bFSjfkZNTAg3h4****
MaxResults	integer	No	The maximum number of entries per page. Valid values: 1 to 20. Default value: 10.	10

Response parameters

Parameter	Type	Description	Example
	object	The returned results.
NextToken	string	The returned value of NextToken is a pagination token, which can be used in the next request to retrieve a new page of results. Note This parameter is returned only when the value of IsTruncated is `true`.``	K1c3o9K7pFxoTtxH1Nm7MMLb7zrDGvftYBQBPDVv7AD3a8yhRb3Mk8L9ivmN6bFSjfkZNTAg3h4****
RequestId	string	The request ID.	66898413-EB80-556D-9429-06FE3548F672
MaxResults	integer	The maximum number of entries returned per page.	10
TotalCounts	integer	The total number of entries returned.	1
IsTruncated	boolean	Indicates whether the queried entries are truncated. Valid values: true false	false
AccessAssignments	object []	The access permissions that are assigned.
AccessConfigurationName	string	The name of the access configuration.	ECS-Admin
TargetPathName	string	The path name of the task object in the resource directory.	rd-3G****/root/dev-test
PrincipalId	string	The ID of the CloudSSO identity.	u-00q8wbq42wiltcrk****
TargetPath	string	The path ID of the task object in the resource directory.	rd-3G**/r-Wm/114240524784**
CreateTime	string	The time when the access permissions were assigned.	2021-11-04T10:03:08Z
TargetType	string	The type of the task object. The value is fixed as RD-Account, which indicates the accounts in the resource directory.	RD-Account
PrincipalName	string	The name of the CloudSSO identity.	Alice
TargetName	string	The name of the task object.	dev-test
AccessConfigurationId	string	The ID of the access configuration.	ac-00jhtfl8thteu6uj****
PrincipalType	string	The type of the CloudSSO identity. Valid values: User Group	User
TargetId	string	The ID of the task object.	114240524784****

Examples

Sample success responses

JSONformat

{
  "NextToken": "K1c3o9K7pFxoTtxH1Nm7MMLb7zrDGvftYBQBPDVv7AD3a8yhRb3Mk8L9ivmN6bFSjfkZNTAg3h4****",
  "RequestId": "66898413-EB80-556D-9429-06FE3548F672",
  "MaxResults": 10,
  "TotalCounts": 1,
  "IsTruncated": false,
  "AccessAssignments": [
    {
      "AccessConfigurationName": "ECS-Admin",
      "TargetPathName": "rd-3G****/root/dev-test",
      "PrincipalId": "u-00q8wbq42wiltcrk****",
      "TargetPath": "rd-3G****/r-Wm****/114240524784****",
      "CreateTime": "2021-11-04T10:03:08Z",
      "TargetType": "RD-Account",
      "PrincipalName": "Alice",
      "TargetName": "dev-test",
      "AccessConfigurationId": "ac-00jhtfl8thteu6uj****",
      "PrincipalType": "User",
      "TargetId": "114240524784****"
    }
  ]
}

Error codes

For a list of error codes, visit the Service error codes.