I want to be able to define policies such that a user who is designated an admin for a given project can perform some "advanced" functions that a regular user within that project should not be allowed to perform.

The "out of box" rules like:

"admin_or_owner":  "role:admin or project_id:%(project_id)s",

match if the user has the "admin" role for any project.

I'm failing to find a way to define a rule that matches only if the user has a role assigned for the specific project owning the resource targeted by the API call. I'm envisioning something like:

"context_is_project_admin":  "role:admin:%(tenant_id)s",

or:

"context_is_project_admin":  "role:project_admin:%(tenant_id)s",

but I've not found any documented way to do this. Does one exist?