Keystone does not have the concept of least privilege for such operations. The notion of roles with capabilities in Keystone is something that maybe can be addressed in Folsom.

Jason

From: openstack-bounces+jason.rouault=hp.com at lists.launchpad.net [mailto:openstack-bounces+jason.rouault=hp.com at lists.launchpad.net] On Behalf Of livemoon
Sent: Friday, March 16, 2012 2:46 AM
To: openstack at lists.launchpad.net
Subject: [Openstack] How many Role name can be used in Keystone and what is the use of each role?

I find the roles (admin, KeystoneAdmin, KeystoneServiceAdmin) are created in devstack. I think each role has its rights to use functions or services. Now I want to know how many roles can be created in Keystone and what the uses of them are. For example, I only want a role that can only create/delete users in Keystone. How do I do it?

Thanks

--
Without detachment from fame and gain, one cannot make one's aspirations clear; without tranquility, one cannot reach far.