<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi,<div class="">I have some questions about horizon and keystone policies :</div><div class=""><br class=""></div><div class=""> Im trying to achieve "domain_admin" role with the ability to add/remove/update projects in particular domain and add/update/remove users in the same domain (and of course be able to see instances, networks, etc. in this domain). </div><div class="">As described here <a href="http://lists.openstack.org/pipermail/openstack-discuss/2021-March/021105.html" class="">http://lists.openstack.org/pipermail/openstack-discuss/2021-March/021105.html</a> : "<span style="caret-color: rgb(83, 83, 83); white-space: pre-wrap;" class="">Horizon does not support the system-scoped token yet as of Victoria and coming Wallaby.” So there is no way to write json/not scope-based policy for horizon and scope-based policy for keystone</span>, because it will not work due to lack of scope information in horizon’s token?</div><div class=""><br class=""></div><div class="">So the question is how the policies should look like? Is it possible at all to achieve such „domain admin” role? How in different way allow one user to add/remove/update projects and add/update/remove users? Another thing is, that if I use something like this in horizon/keystone policy:</div><div class=""><br class=""></div><div class="">"identity:list_users_in_group": "rule:admin_required or (role:domain_admin and domain_id:%(domain_id)s)”</div><div class=""><br class=""></div><div class="">then (besides of that domain users) there is also admin account in the list (so I assume admin „belongs” to all domains) - how to prevent newly created domain_admin from seeing admin account and making changes to that account?</div><div class=""><br class=""></div><div class="">It really holds up my whole project, can you help mi guys?</div><div class=""><br class=""></div><div class="">Best regards</div><div class="">Adam</div></body></html>