There is a lot of discussion about policy. I've attempted to pull the majority of the work into a single document that explains the process in a step-by-step manner: http://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/

It's really long, so I won't bother reposting the whole article here. Instead, I will post the link to the topic on Gerrit: https://review.openstack.org/#/q/topic:dynamic-policy,n,z

There is one additional review worth noting: https://review.openstack.org/#/c/133855/ which is for "private groups of roles" specific to a domain. This is related, but not part of the critical path for the things I wrote above.