According to your steps, you grant a role to a group; as you said, the domain admin won't be part of this group, so the behavior is correct. If you want the domain admin to still have this role, you should grant the role to the user and not just to the group.

** Changed in: keystone
       Status: New => Invalid

--
https://bugs.launchpad.net/bugs/1590805

Title:
  Revoking "admin" role from a group invalidates user token

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Steps to reproduce

  1. Login as domain admin
  2. Create a new group and grant "admin" role to it.
  3. Group will be empty with no users added to it. (Domain admin won't be part of this group)
  4. Now revoke "admin" role from this group.
  5. Token for domain admin will be invalidated and he/she has to login again.