Hi,


I repeat the my underline of a misunderstanding you are referring to: users are not existing within projects, but within domains.


Things you are asking in multiple independent questions are all being worked in the https://review.opendev.org/c/openstack/keystone/+/924132 (https://bugs.launchpad.net/keystone/+bug/2045974) right now.


Artem


On 7/15/24 11:47, Thamanna Farhath wrote:

Hi OpenStack Community,

I am working on a policy configuration to ensure that only owners of a project can delete users within their own project. Below is my current setup and the policy rules I have defined.

Current Setup

Policy Rules

yaml
"admin_required": "role:admin" "admin_or_owner": "rule:admin_required or (role:owner and project_id:%(target.user.project_id)s)" "identity:delete_user": "rule:admin_or_owner"

Scenario

With the above configuration, I aim to ensure that:


Thank you for your support.






Disclaimer :  The content of this email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify the sender and remove the messages from your system. If you are not the named addressee, it is strictly forbidden for you to share, circulate, distribute or copy any part of this e-mail to any third party without the written consent of the sender.

 

E-mail transmission cannot be guaranteed to be secured or error free as information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or may contain viruses. Therefore, we do not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. The recipient should check this e-mail and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email."