I don't think you should report this as a bug. The v3cloudsample policy file is just for reference. You could easily modify it to meet your needs. For example, you could do:
    "project_admin_required": "role:admin and project_id:%(target.user.default_project_id)s",
    "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id or rule:project_admin_required",
    "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:project_admin_required",
    "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:project_admin_required"

Caution: The above rules work when you assign a default project while creating the user.

** Changed in: keystone
       Status: New => Invalid

--
https://bugs.launchpad.net/bugs/1328052

Title:
  Using the v3cloudsample policy file, project admins can't administer users

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  Project admins should be allowed to create, list, edit and delete users in their domains. Here are the rules from the v3cloudsample policy file:

    "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
    "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
    "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
    "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
    "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",

  However, when I try it I get a "forbidden" error, and I can only use the credentials of an admin on the domain to perform these actions.
  To recreate:

  1) Authenticate as the cloud admin
  2) Create a domain
  3) Create a user in the new domain and give it the "admin" role on the domain
  4) Authenticate as the domain admin
  5) Create a project in the domain
  6) Create a user and give it the "admin" role on the project
  7) Authenticate as the project admin
  8) Try to create more users for your project, or edit/delete users in your project => forbidden
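As an added illustration (not code from Keystone, oslo.policy or this bug thread), here is a minimal evaluator for rule strings of the kind quoted above, run over the identity:update_user rule in its original form and with the suggested project_admin_required rule OR'ed in: the domain admin is allowed, the project admin is forbidden until the extra rule is added, and is forbidden again when the target user has no default project, which is the caveat in the comment. The definitions of admin_required and cloud_admin, the credential and target dicts, and the function names are assumptions made for this example.

```python
import re

# Minimal evaluator for oslo.policy-style rule strings (added example, not
# Keystone's code): "rule:<name>", "role:<name>" and "<cred_attr>:<value>" where
# value is a literal or "%(key)s" looked up in the flattened target dict.
def _check(term, rules, creds, target):
    kind, _, match = term.partition(':')
    if kind == 'rule':                      # unknown rule name -> deny
        return evaluate(rules.get(match, ''), rules, creds, target)
    if kind == 'role':
        return match in creds.get('roles', [])
    m = re.fullmatch(r'%\((.+)\)s', match)  # %(target.x)s -> value from target
    expected = target.get(m.group(1)) if m else match
    return expected is not None and kind in creds and str(creds[kind]) == str(expected)

def evaluate(expr, rules, creds, target):
    """Any 'or' clause whose 'and' terms all hold; 'and' binds tighter, as in oslo."""
    if not expr.strip():
        return False
    return any(all(_check(t, rules, creds, target) for t in re.split(r'\s+and\s+', c))
               for c in re.split(r'\s+or\s+', expr.strip()))

# Rules quoted from the bug report; admin_required and cloud_admin are not
# shown on the page, so these two definitions are assumptions.
RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_target_user_domain_id":
        "rule:admin_required and domain_id:%(target.user.domain_id)s",
    "identity:update_user":
        "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
}
# The commenter's suggestion: add a project-scoped rule and OR it into the API rule.
PATCHED = dict(RULES, **{
    "project_admin_required": "role:admin and project_id:%(target.user.default_project_id)s",
    "identity:update_user": RULES["identity:update_user"] + " or rule:project_admin_required",
})

# Constructed credentials and targets. Keystone flattens {"target": {"user": ref}}
# into dotted keys; a project-scoped token carries project_id but no domain_id.
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "d1"}
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "p1"}
USER_WITH_DEFAULT_PROJECT = {"target.user.domain_id": "d1",
                             "target.user.default_project_id": "p1"}
USER_WITHOUT_DEFAULT_PROJECT = {"target.user.domain_id": "d1"}

def can_update_user(rules, creds, target):
    return evaluate(rules["identity:update_user"], rules, creds, target)
```

Real oslo.policy also supports "not", parentheses and "is_admin:1"; those are omitted here because the quoted rules do not use them.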