I am trying to wrap my head around identity v3, with domains, groups, etc.

One thing that confuses me, is the man-page for the openstack CLI. It provides me with the parameters:

--os-password <auth-password> and --os-username <auth-username> // of course

and

--os-domain-[name|id] --os-project-[name|id ]

Since a users (and groups?) are unique within domains, I will need to specify the domain the user belongs to, and which project I am "doing something with".

But then we have:

--os-project-domain-name --os-user-domain-name --os-default-domain*

And the confusion starts. Now I can specify the user and/or project domain again? And even the default domain?? When would I need this?

I have read texts about the fact that a token can only be either project scoped, or domain scoped (or unscoped), so I've got a feeling that this has something to do with that, but I am i dire need of clarifications. Especially:

• What is domain scoped tokens? This implies that you have roles assigned to users, for a domain, without a related project?

• What role assignments should be configured for my SuperMegaAdmin users, that should be possible to manage EVERYTHING.

• A domain specific admin user, that should only be able to manage (all) projects and users within a specific domain, should have which roles? Admin role in...all projects within the domain? Admin role in the domain-specific admin-project? Or only admin role in the specific domain?