Hi, I have some questions about horizon and keystone policies:
I'm trying to achieve a "domain_admin" role with the ability to add/remove/update projects in a particular domain and add/update/remove users in the same domain (and of course be able to see instances, networks, etc. in this domain).
So the question is: what should the policies look like? Is it possible at all to achieve such a "domain admin" role? How else can one user be allowed to add/remove/update projects and add/update/remove users? Another thing is that if I use something like this in the horizon/keystone policy:
"identity:list_users_in_group": "rule:admin_required or (role:domain_admin and domain_id:%(domain_id)s)"
then (besides that domain's users) the admin account is also in the list (so I assume admin "belongs" to all domains). How can I prevent a newly created domain_admin from seeing the admin account and making changes to that account?
It really holds up my whole project. Can you help me, guys?
Best regards
Adam