The first role is colloquially referred to as a "global role" / "tenant-less role", which is a use case that our API supports (hence the example) but that keystone does not implement today (it requires a user-tenant pair in order to grant a role).

-Dolph

On Wed, Nov 14, 2012 at 1:32 PM, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:

> What is the difference between these two roles? One contains a tenant, the
> other does not.
>
> <user id="u123" name="jqsmith">
>   <roles>
>     <role id="100" name="compute:admin"/>
>     <role id="101" name="object-store:admin" tenantId="t1000"/>
>   </roles>
> </user>
>
> regards
>
> David