How to define project-admin role?
I want to be able to define policies such that a user who is designated an admin for a given project can perform some "advanced" functions that a regular user within that project should not be allowed to perform.
The "out of box" rules like:
"admin_or_owner": "role:admin or project_id:%(project_id)s",
match if the user has the "admin" role for any project.
I'm failing to find a way to define a rule that matches only if the user has a role assigned for the specific project owning the resource targeted by the API call. I'm envisioning something like:
"context_is_project_admin": "role:admin:%(tenant_id)s",
or:
"context_is_project_admin": "role:project_admin:%(tenant_id)s",
but I've not found any documented way to do this. Does one exist?
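How `role:` checks and `key:%(target_field)s` checks compose, as an added example that is not part of the original question and is not oslo.policy's own code: a simplified evaluator for those two check types joined by `and`/`or`, run on constructed credentials and targets. The combined `context_is_project_admin` rule and every user and project name here are assumptions made for illustration.

```python
import re

def atom_matches(atom, creds, target):
    """Evaluate one 'kind:match' check against token credentials and the API target."""
    kind, match = atom.split(":", 1)
    if kind == "role":
        # Role checks look only at the roles carried in the (project-scoped) token.
        return match.lower() in (r.lower() for r in creds["roles"])
    try:
        wanted = match % target          # fill %(project_id)s from the target resource
    except KeyError:
        return False                     # target lacks the field: deny
    return kind in creds and str(creds[kind]) == wanted

def check(rule, creds, target):
    """Simplified model: 'and' binds tighter than 'or'; no 'not', no parentheses."""
    return any(
        all(atom_matches(a.strip(), creds, target) for a in re.split(r"\s+and\s+", alt))
        for alt in re.split(r"\s+or\s+", rule)
    )

RULES = {
    # Rule quoted in the question.
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
    # Assumed rule: the role must be held AND the token must be scoped to the target's project.
    "context_is_project_admin": "role:admin and project_id:%(project_id)s",
}

# Constructed sample data: tokens scoped to proj-a, resources in proj-a and proj-b.
ADMIN_A = {"user_id": "u1", "project_id": "proj-a", "roles": ["admin"]}
MEMBER_A = {"user_id": "u2", "project_id": "proj-a", "roles": ["member"]}
TARGET_A = {"project_id": "proj-a"}
TARGET_B = {"project_id": "proj-b"}

if __name__ == "__main__":
    for name, rule in RULES.items():
        for who, creds in (("admin@proj-a", ADMIN_A), ("member@proj-a", MEMBER_A)):
            for tgt in (TARGET_A, TARGET_B):
                print(f"{name:26} {who:14} -> {tgt['project_id']}: {check(rule, creds, tgt)}")
```

The role part of the rule never consults the target, so only the `project_id` comparison ties a decision to the project that owns the resource; a service whose targets carry `tenant_id` instead would need that field name in the rule.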