Having played with the policies and rules within glance's policy.json file, I have not had any success using the rule "project_id:%(project_id)" to restrict API usage. Without changing user/role/tenant, I have had success using "project_id:%(project_id)" with cinder. I cannot find anything to suggest glance's policy engine cannot parse the rule, but would like confirmation. Can anyone verify this?

This is using Icehouse, glance 0.12.0

~Mike