As 'joeuser' in tenant/project 'joetenant' I can create a 'direct' neutron port and boot a nova instance with the just created port. The neutron network is owned by 'joetenant' However, using the same user/tenant when I create another instance with the same resource types using heat, stack creation fails with 'forbidden' I am guessing that 'joeuser' needs to be added to a special heat group?? or the heat user needs to be added to the joetenant user. Any suggestions ? -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160814/20292db4/attachment.html>