I would suggest that a domain admin [1] create other users, rather than granting any regular user the ability to create other ones, as you would need not only to create the user, but also to be able to assign an appropriate role to it, which should not be granted to members for sure.
I'm not actually sure about your use case, but what a regular _member_ can do is create application credentials [2], which can be used for authentication in Keystone by clients (including usage of openrc/clouds.yaml files), but that will basically shadow the user that has created these credentials. Though they can't be used to auth in Horizon, if I'm not mistaken.
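
A clouds.yaml entry that authenticates with an application credential, added here as an illustration and not part of the original reply. The cloud name, auth_url, region and the ID/secret values are placeholders.

```yaml
# clouds.yaml (keep it readable by the owner only, e.g. mode 0600:
# the secret below is a bearer credential for the creating user's access)
clouds:
  appcred-example:                     # placeholder cloud name
    # Selects the Keystone v3 application credential auth plugin
    # instead of username/password auth.
    auth_type: v3applicationcredential
    auth:
      auth_url: https://keystone.example.org:5000/v3   # placeholder endpoint
      # No username, password or project is given: the credential ID
      # already identifies the user who created it and the project it
      # was created in, and it carries only roles that user holds there.
      application_credential_id: "<APPLICATION_CREDENTIAL_ID>"
      # Keystone returns the secret only once, at creation time.
      application_credential_secret: "<APPLICATION_CREDENTIAL_SECRET>"
    region_name: RegionOne             # placeholder region
    interface: public
    identity_api_version: 3
```

Because the credential acts as the user who created it, API calls made with it are attributed to that user. Application credentials are restricted by default, meaning they cannot be used to create further application credentials or trusts.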