Hi Piotr, That is likely due to the enforce_scope configuration option being set as False by default [0] We’re not to a point yet where you can safely give someone the admin role on any project. [1][2] Kristi [0]. https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo-... [1]. https://governance.openstack.org/tc/goals/proposed/consistent-and-secure-rba... [2]. https://review.opendev.org/c/openstack/governance/+/815158 From: Piotr Misiak <piotrmisiak1984@gmail.com> Date: Wednesday, November 24, 2021 at 05:04 To: openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org> Subject: [keystone][policy][ussuri] why I can create a domain Hi, Maybe a stupid question but I'm really confused. In my Ussuri cloud Keystone has a following policy for create_domain action (this is a default policy from Keystone code): "identity:create_domain": "role:admin and system_scope:all" I have a user which has "admin" role assigned in project "admin" in domain "default" - AKA cloud admin. The user does not have any roles assigned on system scope. Could someone please explain why this user is able to create a domain in the cloud? Looking at the policy rule he shouldn't or maybe I'm reading it in a wrong way? Is there any "backward compatibility" casting "cloud admin" role to "system_scope:all"? Please help Thanks Piotr