In keystone you can create any role, but I don't think it is going to work with v2 api. With v3 it will work

    Sample policy.json

  "is_cloud_admin": "role:identity.cloud_admin",
    "is_domain_admin": "role:identity.domain_admin",
    "cloud_admin": "rule:is_cloud_admin ",
    "service_role": "role:identity.service",
    "domain_admin_or_owner": "(rule:is_domain_admin and domain_id:%(target.token.user.domain.id)s) or rule:owner",

    "identity:get_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(target.project.domain_id)s)",
    "identity:list_projects": "rule:cloud_admin or (rule:domain_admin and domain_id:%(domain_id)s)",
    "identity:list_user_projects": "rule:owner or (rule:domain_admin and domain_id:%(domain_id)s)",
    "identity:create_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(project.domain_id)s)",
    "identity:update_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(target.project.domain_id)s)",
    "identity:delete_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(target.project.domain_id)s)",

  1)   In  keystone create 2 roles  identity.cloud_admin and idenity.domain_admin
  2)   Using v3 api create 2 domains and  couple of v3 projects/users in each domain
  3)   Assing the role domain_admin to  one user in each domain

  4)  The domain admin can only list the projects in his domain.  Domain admin in another domain can't do anything with the project in another domain
  5)  If you  have another user with role "identity.cloud_admin", he can do operations in  both the domains

Note: I have used the role name as 'identity.cloud_admin" instead of standard "admin" . All the Openstack services consider the role with name "admin" as admin. So no way to distinguish between swfit admin and nova admin. Here you know for sure that identity.cloud_admin is keystone admin. Also I have prefixed the role name with namespae to avoid collision.