User roles and change of tenant behavior
Hi,
I am using OpenStack IceHouse (3). I have a multi-domain environment. I have a domain called "dom1" where I have a domain admin called "dom1admin" and two users, a and b, with member roles. I have a VMware provisioning environment from OpenStack. There is a project called "proj-vmware" where these users can request instances.
I see a behavior where
(a) user a requests an instance in proj-vmware and user b is able to delete or modify it.
(b) dom1admin requests an instance in proj-vmware and either a or b is able to delete it.
(c) the same thing happens with cinder as well for volumes.
I understand that this is the default behavior. Can we change this behavior to the following?
(a) domain admin dom1admin can see, modify or delete any resources
(b) only owners (for users in member role) can see/modify/delete their own resources.
If this can be done through nova policy.json, please help me to do it. I do not want to create any new roles unless that is the only way to achieve this feat.