diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index 33cbd084c1..984f271429 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -7,6 +7,14 @@
 "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
 "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
+ "user_domain_id": "domain_id:%(target.user.domain_id)s or domain_id:%(user.domain_id)s",
+ "project_domain_id": "domain_id:%(target.project.domain_id)s or domain_id:%(project.domain_id)s",
+ "groups_domain_id": "domain_id:%(group.domain_id)s or domain_id:%(target.group.domain_id)s",
+ "same_domain_id": "domain_id:%(domain_id)s or domain_id:%(target.domain.id)s",
+ "match_domain_id": "rule:same_domain_id or rule:user_domain_id or rule:project_domain_id or rule:groups_domain_id",
+ "domain_admin": "rule:admin_required and rule:match_domain_id",
+ "project_admin": "rule:admin_required and project_id:%(target.project.id)s",
+
 "default": "rule:admin_required",
 "identity:get_service": "rule:admin_or_cloud_admin",
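Review bot: `match_domain_id` passes as soon as any one of eight different attributes equals the caller's domain, and `domain_admin` is then reused for every identity API further down regardless of which of those attributes a given API actually populates, so each API's effective check becomes the union of all of them. Two alternatives, `domain_id:%(user.domain_id)s` and `domain_id:%(project.domain_id)s`, presumably come from the request body (the `user`/`project` kwargs that the protection decorator merges into the policy target; that code is outside this diff), so on update calls they describe what the caller sent, not the entity being acted on. I would keep the umbrella rule out of the per-API entries and define one rule per target kind, e.g. `"domain_admin_on_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",` and use the body-derived form only for create calls, where no target entity exists yet.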
@@ -34,11 +42,11 @@
 "identity:update_project": "rule:admin_required and domain_id:%(target.project.domain_id)s",
 "identity:delete_project": "rule:admin_required and domain_id:%(target.project.domain_id)s",
- "identity:get_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
- "identity:list_users": "rule:admin_required and domain_id:%(domain_id)s",
- "identity:create_user": "rule:admin_required and domain_id:%(user.domain_id)s",
- "identity:update_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
- "identity:delete_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
+ "identity:get_user": "rule:cloud_admin or rule:domain_admin",
+ "identity:list_users": "rule:cloud_admin or rule:domain_admin",
+ "identity:create_user": "rule:cloud_admin or rule:domain_admin",
+ "identity:update_user": "rule:cloud_admin or rule:domain_admin",
+ "identity:delete_user": "rule:cloud_admin or rule:domain_admin",
 "identity:get_group": "rule:admin_required and domain_id:%(target.group.domain_id)s",
 "identity:list_groups": "rule:admin_required and domain_id:%(domain_id)s",
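Review bot: `identity:update_user` previously required `domain_id:%(target.user.domain_id)s`, the domain of the user being modified; with `rule:domain_admin` it now also passes via `user.domain_id`, i.e. the domain the caller put in the PATCH body, so an admin of domain A updating a user that lives in domain B satisfies the policy check simply by sending `"domain_id": "A"` in the body, and is only stopped if the controller later rejects the domain change, which this diff does not show. I would pin the entries that have a target entity back to it, `"identity:update_user": "rule:cloud_admin or (rule:admin_required and domain_id:%(target.user.domain_id)s)",` and likewise for `get_user` and `delete_user`, keeping `rule:domain_admin` only for `create_user` and `list_users`, where the body or filter domain is the only thing there is to check.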
@@ -63,12 +71,10 @@
 "identity:update_role": "rule:cloud_admin",
 "identity:delete_role": "rule:cloud_admin",
- "admin_on_domain_target" : "rule:admin_required and domain_id:%(target.domain.id)s",
- "admin_on_project_target" : "rule:admin_required and project_id:%(target.project.id)s",
- "identity:check_grant": "rule:admin_on_project_target or rule:admin_on_domain_target",
- "identity:list_grants": "rule:admin_on_project_target or rule:admin_on_domain_target",
- "identity:create_grant": "rule:admin_on_project_target or rule:admin_on_domain_target",
- "identity:revoke_grant": "rule:admin_on_project_target or rule:admin_on_domain_target",
+ "identity:check_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
+ "identity:list_grants": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
+ "identity:create_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
+ "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin or rule:project_admin",
 "admin_on_domain_filter" : "rule:admin_required and domain_id:%(scope.domain.id)s",
 "admin_on_project_filter" : "rule:admin_required and project_id:%(scope.project.id)s",
diff --git a/keystone/tests/test_v3_protection.py b/keystone/tests/test_v3_protection.py
index e8c1f78de6..a357daebc8 100644
--- a/keystone/tests/test_v3_protection.py
+++ b/keystone/tests/test_v3_protection.py
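Review bot: The four grant entries no longer require the caller's domain to match the thing being granted on: `domain_admin` also accepts `target.user.domain_id` and `target.group.domain_id`, so an admin of domain A can `create_grant`/`revoke_grant` on a project or domain that belongs to domain B as long as the grantee user or group is from domain A, which the removed `admin_on_domain_target`/`admin_on_project_target` rules did not permit. The widening the new test actually wants (a domain admin managing roles on projects of its own domain) needs only `target.project.domain_id`. Removing those two named rules also breaks any entry elsewhere in the file that still references them; the rest of the file is outside this diff, so I cannot confirm none does. I would add `"domain_admin_on_grant": "rule:admin_required and (domain_id:%(target.domain.id)s or domain_id:%(target.project.domain_id)s)",` and make the four grant entries `"rule:cloud_admin or rule:domain_admin_on_grant or rule:project_admin"`.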
@@ -537,6 +537,16 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
 self._test_user_management(self.domainA['id'])
+ def test_user_management_by_cloud_admin(self):
+ # Test users management with a cloud admin. This user should
+ # be able to manage users in any domain.
+ self.auth = self.build_authentication_request(
+ user_id=self.cloud_admin_user['id'],
+ password=self.cloud_admin_user['password'],
+ domain_id=self.admin_domain['id'])
+ self._test_user_management(self.domainA['id'])
+
 def test_project_management(self):
 # First, authenticate with a user that does not have the project
 # admin role - shouldn't be able to do much.
@@ -578,6 +588,16 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
 self._test_grants('domains', self.domainA['id'])
+ def test_domain_grants_by_cloud_admin(self):
+ # Test domain grants with a cloud admin. This user should be
+ # able to manage roles on any domain.
+ self.auth = self.build_authentication_request(
+ user_id=self.cloud_admin_user['id'],
+ password=self.cloud_admin_user['password'],
+ domain_id=self.admin_domain['id'])
+ self._test_grants('domains', self.domainA['id'])
+
 def test_project_grants(self):
 self.auth = self.build_authentication_request(
 user_id=self.just_a_user['id'],
@@ -596,6 +616,16 @@ class IdentityTestv3CloudPolicySample(test_v3.RestfulTestCase):
 self._test_grants('projects', self.project['id'])
+ def test_project_grants_by_domain_admin(self):
+ # Test project grants with a domain admin. This user should be
+ # able to manage roles on any project in its own domain.
+ self.auth = self.build_authentication_request(
+ user_id=self.domain_admin_user['id'],
+ password=self.domain_admin_user['password'],
+ domain_id=self.domainA['id'])
+ self._test_grants('projects', self.project['id'])
+
 def test_cloud_admin(self):
 self.auth = self.build_authentication_request(
 user_id=self.domain_admin_user['id'],
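Review bot: `test_project_grants_by_domain_admin` exercises only the allow path; nothing checks that `domain_admin_user` (scoped to `domainA`) is refused when the project lives in another domain, or when the grantee user is from `domainA` but the project is not, which is exactly the boundary the OR-combined `domain_admin` policy rule in this change is at risk of crossing. I would add a negative counterpart that authenticates the same way, creates a project under a second domain, and calls `_test_grants('projects', ...)` on it expecting a Forbidden status, if `_test_grants` takes an expected-status argument (its definition is outside this hunk; the "shouldn't be able to do much" case in `test_project_management` suggests the helpers support one). The same negative check belongs next to `test_user_management_by_cloud_admin`, run as `domain_admin_user` against a user in a second domain. The class header is on the hunk line and the surrounding methods continue outside these hunks.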