I have a single machine DevStack (Mitaka) setup. I have enabled multi domain functionality and am able to create multiple domains in my setup through Horizon. I created 2 domains, Domain A and Domain B. In Domain A, I created two projects PRJ_A1 and PRJ_A2 similarly in Domain B I created PRJ_B1 and PRJ_B2. In each project I created one instance namely INST_A1_1, INST_A2_1, INSTB1_1, INST_B2_1.

Following networks were created in projects :

PRJ_A1 has a private network NET_1 (subnet 10.0.0.0)

PRJ_A2 has a public shared network NET_2 (subnet 120.20.20.0)

PRJ_A3 has a private shared network NET_3 (subnet 30.0.0.0)

PRJ_A4 public network NET_4 (subnet 140.40.40.0)

NET_2 and NET_3 are shared only with project PRJ_A1 through RBAC

Domain A has following users and roles:

Bob admin role for PRJ_A1 and PRJ_A2

Nick member role for PRJ_A1

Domain B has following users and roles: Ben admin role for PRJ_A1

John member role for PRJ_A1

Following Security Groups were created and attached to instances :

SG1 for INST_A1_1

SG2 for INST_A2_1

SG3 for INST_A3_1

SG4 for INST_A4_1

I have following question:

Can a user with admin role modify a shared network of project defined in another domain? For example can Bob (admin role in PRJ_A1 and Domain A) modify/delete ports on network NET_3 which belongs to a PRJ_B1 of domain B?