# Identity & Access CLI Reference

> Complete openstack CLI commands for managing projects, users, roles, groups, domains, application credentials, and tokens in Xloud Identity.

## Overview

The `openstack` identity commands manage projects, users, roles, groups, domains, application credentials, and authentication tokens. Admin-scoped commands require the `admin` role.

<Note>
  **Prerequisites**

  * CLI installed and authenticated — see [CLI Setup](/cli-setup)
  * Admin role required for user, project, role, and domain management
  * Source your `openrc.sh` before running admin commands
</Note>

***

## Projects

<CodeGroup>
  ```bash title="List projects" theme={null}
  openstack project list
  openstack project list --domain Default
  ```

  ```bash title="Create project" theme={null}
  openstack project create \
    --domain Default \
    --description "Production workloads" \
    my-project
  ```

  ```bash title="Show project" theme={null}
  openstack project show my-project
  ```

  ```bash title="Rename project" theme={null}
  openstack project set my-project --name new-project-name
  ```

  ```bash title="Enable / disable project" theme={null}
  openstack project set --enable my-project
  openstack project set --disable my-project
  ```

  ```bash title="Delete project" theme={null}
  openstack project delete my-project
  ```
</CodeGroup>

***

## Users

<CodeGroup>
  ```bash title="List users" theme={null}
  openstack user list
  openstack user list --domain Default
  ```

  ```bash title="Create user" theme={null}
  openstack user create \
    --domain Default \
    --password-prompt \
    --email user@example.com \
    john.doe
  ```

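  ```bash title="Create user with project" theme={null}
  # --password exposes the secret in shell history and the process list;
  # prefer --password-prompt for interactive use.
  openstack user create \
    --project my-project \
    --password PASSWORD \
    john.doe
  ```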

  ```bash title="Show user" theme={null}
  openstack user show john.doe
  ```

  ```bash title="Update user name and email" theme={null}
  openstack user set john.doe \
    --name john.smith \
    --email john.smith@example.com
  ```

  ```bash title="Set password" theme={null}
  openstack user set --password-prompt john.doe
  ```

  ```bash title="Enable / disable user" theme={null}
  openstack user set --enable john.doe
  openstack user set --disable john.doe
  ```

  ```bash title="Delete user" theme={null}
  openstack user delete john.doe
  ```
</CodeGroup>

<Warning>
  Before deleting a user account, remove all role assignments for that user. A user with active role assignments cannot be deleted.
</Warning>

***

## Roles

<CodeGroup>
  ```bash title="List all roles" theme={null}
  openstack role list
  ```

  ```bash title="Show role details" theme={null}
  openstack role show member
  ```

  ```bash title="Create a custom role" theme={null}
  openstack role create network-operator
  ```

  ```bash title="Create a domain-scoped role" theme={null}
  openstack role create --domain my-domain billing-reader
  ```

  ```bash title="Delete a role" theme={null}
  openstack role delete network-operator
  ```
</CodeGroup>

***

## Role Assignments

<CodeGroup>
  ```bash title="Assign role to user on a project" theme={null}
  openstack role add \
    --user john.doe \
    --project my-project \
    member
  ```

  ```bash title="Assign role to user at domain scope" theme={null}
  openstack role add \
    --user john.doe \
    --domain my-domain \
    member
  ```

  ```bash title="Assign role to a group on a project" theme={null}
  openstack role add \
    --group operators \
    --project my-project \
    member
  ```

  ```bash title="List all role assignments (with names)" theme={null}
  openstack role assignment list --names
  ```

  ```bash title="List assignments for a specific user" theme={null}
  openstack role assignment list \
    --user john.doe \
    --names
  ```

  ```bash title="List assignments on a project" theme={null}
  openstack role assignment list \
    --project my-project \
    --names
  ```

  ```bash title="Remove role from user on a project" theme={null}
  openstack role remove \
    --user john.doe \
    --project my-project \
    member
  ```

  ```bash title="Remove group role assignment" theme={null}
  openstack role remove \
    --group operators \
    --project my-project \
    member
  ```
</CodeGroup>

***

## Implied Roles (Role Hierarchies)

Implied roles let a "prior" role automatically grant an "implied" role. Assignment is one-directional — prior → implied only.

<CodeGroup>
  ```bash title="Create an implied role rule" theme={null}
  openstack implied role create admin --implied-role member
  ```

  ```bash title="List all implied role rules" theme={null}
  openstack implied role list
  ```

  ```bash title="Delete an implied role rule" theme={null}
  openstack implied role delete admin --implied-role member
  ```
</CodeGroup>
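
The one-directional rule can be checked by expanding a role through the rule set, as in this added example (not part of the Xloud documentation). It goes one step further than the text by following chains of rules, which Keystone also does; the `member reader` rule, the sample data and the function name `expand_role` are assumptions for illustration.

```bash
# Added example: expand a role through implied-role rules to see what an
# assignment of that role effectively grants.

# Constructed rule set, one "prior implied" pair per line. In practice the
# pairs come from the names shown by: openstack implied role list
# "admin member" mirrors the rule created above; "member reader" is assumed.
IMPLIED_RULES='admin member
member reader'

# Print every role a holder of $1 effectively has, one per line, sorted.
expand_role() {
  printf '%s\n' "$IMPLIED_RULES" | awk -v start="$1" '
    { n++; prior[n] = $1; implied[n] = $2 }
    END {
      seen[start] = 1
      do {                                  # repeat until no new role is added
        changed = 0
        for (i = 1; i <= n; i++)
          if ((prior[i] in seen) && !(implied[i] in seen)) {
            seen[implied[i]] = 1; changed = 1
          }
      } while (changed)                     # the seen set also stops rule cycles
      for (r in seen) print r
    }' | sort
}

expand_role admin    # prints admin, member, reader (one per line)
expand_role member   # prints member, reader; admin is never reached
```

When auditing, treat an assignment of a prior role as an assignment of every role in its expansion.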

***

## Domains

<CodeGroup>
  ```bash title="List domains" theme={null}
  openstack domain list
  ```

  ```bash title="Create domain" theme={null}
  openstack domain create \
    --description "Engineering department" \
    engineering
  ```

  ```bash title="Show domain" theme={null}
  openstack domain show engineering
  ```

  ```bash title="Enable / disable domain" theme={null}
  openstack domain set --enable engineering
  openstack domain set --disable engineering
  ```

  ```bash title="Delete domain" theme={null}
  openstack domain delete engineering
  ```
</CodeGroup>

***

## Groups

<CodeGroup>
  ```bash title="List groups" theme={null}
  openstack group list
  ```

  ```bash title="Create group" theme={null}
  openstack group create \
    --domain Default \
    --description "Cloud operators" \
    operators
  ```

  ```bash title="Add user to group" theme={null}
  openstack group add user operators john.doe
  ```

  ```bash title="Check group membership" theme={null}
  openstack group contains user operators john.doe
  ```

  ```bash title="List users in group" theme={null}
  openstack user list --group operators
  ```

  ```bash title="Remove user from group" theme={null}
  openstack group remove user operators john.doe
  ```

  ```bash title="Delete group" theme={null}
  openstack group delete operators
  ```
</CodeGroup>

***

## Application Credentials

<CodeGroup>
  ```bash title="List application credentials" theme={null}
  openstack application credential list
  ```

  ```bash title="Create application credential" theme={null}
  openstack application credential create \
    --role member \
    --description "CI/CD pipeline credential" \
    ci-pipeline
  ```

  ```bash title="Create with expiry" theme={null}
  openstack application credential create \
    --role member \
    --expiration "2026-12-31T00:00:00" \
    temp-credential
  ```

  ```bash title="Create with restricted access rules" theme={null}
  openstack application credential create \
    --role member \
    --access-rules '[{"service": "compute", "method": "GET", "path": "/v2.1/servers"}]' \
    readonly-compute
  ```

  ```bash title="Show application credential" theme={null}
  openstack application credential show ci-pipeline
  ```

  ```bash title="Delete application credential" theme={null}
  openstack application credential delete ci-pipeline
  ```
</CodeGroup>

***

## Tokens

<CodeGroup>
  ```bash title="Issue a token" theme={null}
  openstack token issue
  ```

  ```bash title="Issue a token (project-scoped)" theme={null}
  openstack token issue \
    --os-project-name my-project \
    --os-domain-name Default
  ```

  ```bash title="Revoke a token" theme={null}
  openstack token revoke <token-id>
  ```
</CodeGroup>

***

## Service Catalog & Endpoints

<CodeGroup>
  ```bash title="List all endpoints" theme={null}
  openstack endpoint list
  ```

  ```bash title="List public endpoints only" theme={null}
  openstack endpoint list --interface public
  ```

  ```bash title="Show endpoint details" theme={null}
  openstack endpoint show <endpoint-id>
  ```

  ```bash title="List registered services" theme={null}
  openstack service list
  ```
</CodeGroup>

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Roles & Role Assignments Guide" href="/services/identity/roles" color="#197560">
    Create custom roles, build role hierarchies, and manage role assignments
  </Card>

  <Card title="Application Credentials Guide" href="/services/identity/application-credentials" color="#197560">
    Create and manage non-interactive credentials for automation and CI/CD
  </Card>

  <Card title="Projects Guide" href="/services/identity/projects" color="#197560">
    Manage projects, quotas, and membership
  </Card>

  <Card title="Policy Management" href="/services/identity/policy-management" color="#197560">
    Define per-service policy rules for custom roles
  </Card>
</CardGroup>
