In Keystone you can create any role, but I don't think it is going to work with the v2 API. With v3 it will work.
Sample policy.json:

{
    "is_cloud_admin": "role:identity.cloud_admin",
    "is_domain_admin": "role:identity.domain_admin",
    "cloud_admin": "rule:is_cloud_admin",
    "domain_admin": "rule:is_domain_admin",
    "owner": "user_id:%(user_id)s",
    "service_role": "role:identity.service",
    "domain_admin_or_owner": "(rule:is_domain_admin and domain_id:%(target.token.user.domain.id)s) or rule:owner",
    "identity:get_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(target.project.domain_id)s)",
    "identity:list_projects": "rule:cloud_admin or (rule:domain_admin and domain_id:%(domain_id)s)",
    "identity:list_user_projects": "rule:owner or (rule:domain_admin and domain_id:%(domain_id)s)",
    "identity:create_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(project.domain_id)s)",
    "identity:update_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(target.project.domain_id)s)",
    "identity:delete_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(target.project.domain_id)s)"
}
1) In Keystone, create 2 roles: identity.cloud_admin and identity.domain_admin.
2) Using the v3 API, create 2 domains and a couple of v3 projects/users in each domain.
3) Assign the role identity.domain_admin to one user in each domain.
4) The domain admin can only list the projects in his domain. The domain admin of one domain can't do anything with a project in another domain.
5) If you have another user with the role "identity.cloud_admin", he can do operations in both domains.
Note: I have used the role name "identity.cloud_admin" instead of the standard "admin". All the OpenStack services consider the role with the name "admin" as admin, so there is no way to distinguish between a Swift admin and a Nova admin. Here you know for sure that identity.cloud_admin is the Keystone admin. I have also prefixed the role name with a namespace to avoid collisions.
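To make steps 4 and 5 concrete, here is an added example (not the poster's code and not Keystone or oslo.policy itself) that implements a small evaluator for the subset of the policy language used above: `role:`, `rule:`, `and`/`or`/`not`, parentheses and `%(...)s` target templates. The policy dictionary, the users and the request targets are constructed for the example; the two rule names the snippet uses without defining, `domain_admin` and `owner`, are supplied as assumptions in the same style, and undefined rules are treated as a deny (a simplification of oslo.policy's behaviour).

```python
import re

# Constructed policy mirroring the rules in the post. "domain_admin" and
# "owner" are assumed definitions; the snippet referenced them without defining them.
POLICY = {
    "is_cloud_admin": "role:identity.cloud_admin",
    "is_domain_admin": "role:identity.domain_admin",
    "cloud_admin": "rule:is_cloud_admin",
    "domain_admin": "rule:is_domain_admin",
    "owner": "user_id:%(user_id)s",
    "identity:get_project":
        "rule:cloud_admin or (rule:domain_admin and domain_id:%(target.project.domain_id)s)",
    "identity:list_projects":
        "rule:cloud_admin or (rule:domain_admin and domain_id:%(domain_id)s)",
    "identity:list_user_projects":
        "rule:owner or (rule:domain_admin and domain_id:%(domain_id)s)",
}

# A token is "(" or ")" or an atom such as role:x, rule:y, domain_id:%(a.b)s.
# The %(...)s alternative keeps a template's own parentheses inside the atom.
TOKEN_RE = re.compile(r"(?:%\([^)]*\)s|[^\s()])+|[()]")
TEMPLATE_RE = re.compile(r"%\((.+)\)s")


def parse(expr):
    """Recursive-descent parser: 'or' binds loosest, then 'and', then 'not'."""
    toks, pos = TOKEN_RE.findall(expr), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def parse_or():
        node = parse_and()
        while peek() == "or":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_term()
        while peek() == "and":
            take()
            node = ("and", node, parse_term())
        return node

    def parse_term():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError(f"unbalanced parentheses in {expr!r}")
            return node
        if tok == "not":
            return ("not", parse_term())
        kind, _, value = tok.partition(":")
        return ("check", kind, value)

    tree = parse_or()
    if peek() is not None:
        raise ValueError(f"trailing tokens in {expr!r}")
    return tree


def _lookup(target, dotted):
    """Resolve a dotted path like target.project.domain_id in the request target."""
    cur = target
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _eval(node, policy, creds, target):
    op = node[0]
    if op == "or":
        return _eval(node[1], policy, creds, target) or _eval(node[2], policy, creds, target)
    if op == "and":
        return _eval(node[1], policy, creds, target) and _eval(node[2], policy, creds, target)
    if op == "not":
        return not _eval(node[1], policy, creds, target)
    _, kind, value = node
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return enforce(value, policy, creds, target)
    m = TEMPLATE_RE.fullmatch(value)
    if m:  # compare the caller's attribute with a value taken from the request target
        expected = _lookup(target, m.group(1))
        return expected is not None and creds.get(kind) == expected
    return str(creds.get(kind)) == value


def enforce(rule, policy, creds, target):
    """True if creds may perform `rule` on `target`; an undefined rule is a deny."""
    if rule not in policy:
        return False
    return _eval(parse(policy[rule]), policy, creds, target)


def demo():
    """Steps 4 and 5 of the post with constructed users, domains and targets."""
    alice = {"roles": ["identity.domain_admin"], "domain_id": "domA", "user_id": "alice"}
    carol = {"roles": ["identity.cloud_admin"], "domain_id": "domA", "user_id": "carol"}
    dave = {"roles": ["member"], "domain_id": "domA", "user_id": "dave"}
    project_in_b = {"target": {"project": {"domain_id": "domB"}}}
    return {
        "domain_admin_lists_own_domain": enforce("identity:list_projects", POLICY, alice, {"domain_id": "domA"}),
        "domain_admin_lists_other_domain": enforce("identity:list_projects", POLICY, alice, {"domain_id": "domB"}),
        "domain_admin_gets_other_domain_project": enforce("identity:get_project", POLICY, alice, project_in_b),
        "cloud_admin_gets_other_domain_project": enforce("identity:get_project", POLICY, carol, project_in_b),
        "owner_lists_own_projects": enforce("identity:list_user_projects", POLICY, dave, {"user_id": "dave", "domain_id": "domA"}),
        "plain_member_lists_domain": enforce("identity:list_projects", POLICY, dave, {"domain_id": "domA"}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The point the evaluator makes visible is that `domain_id:%(target.project.domain_id)s` is a comparison between the caller's own domain (from the token) and the domain of the object being acted on, so a domain admin scoped to domA is denied on a domB project even though the `identity.domain_admin` role check succeeds; only the `cloud_admin` branch passes regardless of domain. Keep the rule names you reference defined, since a rule that resolves to nothing is a deny here and is not a grant in oslo.policy either.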