Hello,

I want to create multi-domain environment. Domain admins will have role "DomainAdmin".

From keystone view: DomainAdmin have same rights as admin(done by "admin_required": "role:admin or role:DomainAdmin" in policy.json

It was solved this way because other projects(like nova or neutron) doesn't care about domains and I don't want domain admins to be treated like global admins. This users should only have privileges to create projects&users in their own domain.

And all would be fine, but "DomainAdmin" can assign "admin" role to anyone which causes a high security risk.

Maybe someone know any way, to prevent this situation? I would be very grateful for any help