OpenStack admin role
Issue
- In the official OpenStack documentation at docs.openstack.org, we read that as of Rocky, we use the Admin, Member and Reader roles, and that these roles can scope to a Project, a Domain or the System. On our RHOSP 16.1 deployment we see that indeed these 3 roles exist, and that the roles can have the Project, Domain or System scope, but that the permissions coming from that assignment don't reflect those scopes.
- To be precise: we have two domains: default and secondary_domain. If we create a project in the secondary_domain domain and we grant a user admin access on that project, he becomes a full OpenStack administrator. If we grant the user admin access on the secondary_domain domain (but not on the project), or admin access on the system, the user basically has no rights.
- Are we correct in assuming that the new way of working with the Project / Domain / System scope is not yet in place on RHOSP 16.1? In the past we had a custom role to grant people admin access only on their project - will we still need this in RHOSP 16.1, to prevent a project admin from also acting as system admin on the full OpenStack deployment?
Environment
- Red Hat OpenStack Platform 16.1 (RHOSP)
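
The following audit is an added example, not part of the original article and not Red Hat's code. It sorts every admin grant according to the behaviour reported in the issue above: a project-scoped grant acts deployment-wide, while a domain-only or system-only grant has no effect. The sample rows, the user and project names, the `audit_admin_grants` helper and the assumption that the input has the columns of `openstack role assignment list --names -f json` are all constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample rows. The field names assume the columns printed by
# `openstack role assignment list --names -f json`.
SAMPLE = json.loads("""[
 {"Role":"admin","User":"alice@secondary_domain","Group":"","Project":"team_a@secondary_domain","Domain":"","System":"","Inherited":false},
 {"Role":"admin","User":"bob@secondary_domain","Group":"","Project":"","Domain":"secondary_domain","System":"","Inherited":false},
 {"Role":"admin","User":"carol@Default","Group":"","Project":"","Domain":"","System":"all","Inherited":false},
 {"Role":"member","User":"dave@secondary_domain","Group":"","Project":"team_a@secondary_domain","Domain":"","System":"","Inherited":false},
 {"Role":"admin","User":"","Group":"ops@Default","Project":"admin@Default","Domain":"","System":"","Inherited":false},
 {"Role":"admin","User":"erin@secondary_domain","Group":"","Project":"","Domain":"secondary_domain","System":"","Inherited":true}
]""")


def scope_of(row):
    """Return (kind, target) for the one scope column that is filled in."""
    for kind in ("Project", "Domain", "System"):
        if row.get(kind):
            return kind.lower(), row[kind]
    return "unknown", ""


def audit_admin_grants(rows, admin_role="admin"):
    """Group admin grants per principal by their effect as reported in the issue."""
    report = defaultdict(lambda: {"acts_deployment_wide": [], "no_effect": []})
    for row in rows:
        if row.get("Role") != admin_role:
            continue
        principal = row.get("User") or "group:" + row.get("Group", "")
        kind, target = scope_of(row)
        if kind == "project":
            # Reported behaviour: admin on any project is full admin.
            report[principal]["acts_deployment_wide"].append(target)
        elif kind == "domain" and row.get("Inherited"):
            # Keystone applies an inherited domain grant to the domain's
            # projects, so it is treated here like a project grant.
            report[principal]["acts_deployment_wide"].append("inherited:" + target)
        else:
            report[principal]["no_effect"].append(f"{kind}:{target}")
    return dict(report)


if __name__ == "__main__":
    for who, grants in sorted(audit_admin_grants(SAMPLE).items()):
        print(who, grants)
```

Every principal listed under `acts_deployment_wide` is a candidate for a restricted custom role if the intent was project-only administration.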