Hi!
I am trying to create ‘domain admin’ role which has permissions to create projects and users, and manage user roles in projects within own domain. I have pretty ok working set of policies done, but there is one critical
security hole: domain admin can add ‘admin’ role to user, and after it user has superuser privileges. Is there any possibility to limit domain admin rights to give only _member_ roles?
I am working in Queens-based Redhat OSP13.
Tavasti, Openstack admin