Hi, Looking at code from Keystone I found something that doesn't make sense to me. Looking at __validate_service_or_keystone_admin_token <https://github.com/openstack/keystone/blob/master/keystone/logic/service.py#L510>method Keystone-admin-role is valid only if it isn't associated to any tenant ( role_ref.tenant_id is None), so a user has Admin role for all tenants or none, is this the expected behavior? Is it possible to grant Admin role for specific tenant in any way? I think would be more flexible being able to grant role to specific tenant too, but I suppose there is a good reason for this, it isn't? Bye -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack/attachments/20110823/856f8f48/attachment.html>