config/puppet-manifests/src/modules/openstack/templates/keystone-policy.json.erb

{
    "admin_required": "role:admin or is_admin:1",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "token_subject": "user_id:%(target.token.user_id)s",
    "admin_or_token_subject": "rule:admin_required or rule:token_subject",
    "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",

    "protected_domains": "'heat':%(target.domain.name)s or 'magnum':%(target.domain.name)s",
    "protected_projects": "'admin':%(target.project.name)s or 'services':%(target.project.name)s",
    "protected_admins": "'admin':%(target.user.name)s or 'heat_admin':%(target.user.name)s or 'dcmanager':%(target.user.name)s",
    "protected_roles": "'admin':%(target.role.name)s or 'heat_admin':%(target.user.name)s",
    "protected_services": [["'aodh':%(target.user.name)s"],
                           ["'barbican':%(target.user.name)s"],
                           ["'ceilometer':%(target.user.name)s"],
                           ["'cinder':%(target.user.name)s"],
                           ["'glance':%(target.user.name)s"],
                           ["'heat':%(target.user.name)s"],
                           ["'neutron':%(target.user.name)s"],
                           ["'nova':%(target.user.name)s"],
                           ["'patching':%(target.user.name)s"],
                           ["'sysinv':%(target.user.name)s"],
                           ["'mtce':%(target.user.name)s"],
                           ["'magnum':%(target.user.name)s"],
                           ["'murano':%(target.user.name)s"],
                           ["'panko':%(target.user.name)s"],
                           ["'gnocchi':%(target.user.name)s"],
                           ["'fm':%(target.user.name)s"]],

    "identity:delete_service": "rule:admin_required and not rule:protected_services",

    "identity:delete_domain": "rule:admin_required and not rule:protected_domains",

    "identity:delete_project": "rule:admin_required and not rule:protected_projects",

    "identity:delete_user": "rule:admin_required and not (rule:protected_admins or rule:protected_services)",
    "identity:change_password": "rule:admin_or_owner and not rule:protected_services",

    "identity:delete_role": "rule:admin_required and not rule:protected_roles",
}