The horizon interface enables/displays actions based on the
keystonev3_policy.json file provided. The keystonev3_policy.json file
included by the charm has rules for various actions that depend on the
target object's domain id (user, group, project). The buttons displayed
for creating and deleting the objects (shown above the tables) are also
based on these policy rules but no target object exists because they are
bound to the table and not a specific target object.
This patch changes some of the policy rules to create/delete users,
projects, and groups to not require the target object's domain_id. This
is safe to do because the table is shown within the context of the
target domain_id already. Additionally, the actual ability to alter
objects is controlled by the actual policy installed in Keystone and not
the Horizon UI.
Without this change, actions such as "Create User" will only show for
a user who is a cloud admin and not for any domain admins (even if the
domain admin is allowed to perform the action via the API or CLI).