Hi Dolph, I'd like you to look at the amended bp: https://blueprints.launchpad.net/keystone/+spec/domain-role-assignment Now that, with v3, keystone supports RBAC on its own api calls, I think this extension/clarification to the granting of roles on a domain makes a lot of sense - and, indeed, is needed to allow the effective creation of domain admins. Henry