From: Ben Nemec <openstack@nemebean.com>

On 8/28/19 7:24 AM, Tavasti Markku EXT wrote:
> Is there any possibility to limit domain admin rights to give only _member_ roles?
I suspect the answer may be no, unfortunately. This is one of the longstanding limitations with roles - admin means admin of everything. There's work underway to improve that, but I think the policy system in Queens just wasn't designed for this sort of use case.
Actually I found out how to restrict rights of domadmin so that she can't add any other roles than _member_. Key is to add this to policy rules for identity:create_grant:

    whatever_your_conditions_are and '_member_':%(target.role.name)s

Seems to be working. This page is most likely useful for anyone trying to do the same: https://pedro.alvarezpiedehierro.com/2019/02/06/openstack-domain-project-adm...

--Tavasti
For Internal Use Only
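The policy change described above, written out as a Keystone policy.yaml fragment. This is an added illustration, not configuration from the thread or from Keystone's shipped sample policy: the rule name domain_admin_matches_target is a placeholder for whatever domain-scoping condition a deployment already uses, and only the identity:create_grant target and the '_member_':%(target.role.name)s generic check come from the message above.

```yaml
# Added example (not from the mailing-list thread). "domain_admin_matches_target"
# is a placeholder for the deployment's own domain-admin condition.

# Weak setting: a domain admin who satisfies the domain condition can grant
# ANY role that exists, including admin, to users in their domain.
#
#   "identity:create_grant": "rule:admin_required or rule:domain_admin_matches_target"

# Restricted setting: the cloud admin keeps full rights; the domain admin's
# branch only passes when the role being granted is named _member_.
# '_member_':%(target.role.name)s is an oslo.policy generic check comparing a
# literal against an attribute of the target role of the request.
"identity:create_grant": "rule:admin_required or (rule:domain_admin_matches_target and '_member_':%(target.role.name)s)"
```

To confirm the rule took effect, run role assignment as the domain admin against a test user: assigning _member_ should succeed, while assigning any other role (admin in particular) should return 403 Forbidden. Check the cloud-admin credentials afterwards as well, so the restriction was added to the domain-admin branch rather than to the whole rule.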