diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index f7759f0b88..b8eef0b072 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
@@ -94,10 +94,11 @@
     "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
     "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
     "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
+    "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
 
     "identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
     "identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
-    "identity:create_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
+    "identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)",
     "identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
     "identity:list_role_inference_rules": "rule:cloud_admin",
     "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
diff --git a/keystone/tests/unit/test_v3_protection.py b/keystone/tests/unit/test_v3_protection.py
index 27794e7ff1..501cd88d5d 100644
--- a/keystone/tests/unit/test_v3_protection.py
+++ b/keystone/tests/unit/test_v3_protection.py
@@ -1937,3 +1937,32 @@ class IdentityTestImpliedDomainSpecificRoles(IdentityTestv3CloudPolicySample):
         self.delete('/roles/%s/implies/%s'
                     % (self.appadmin_role['id'], self.appdev_role['id']),
                     token=self.admin_token)
+
+    def test_forbidden_role_implication_from_different_domain(self):
+        domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
+        self.resource_api.create_domain(domain2['id'], domain2)
+
+        role2 = unit.new_role_ref(domain_id=domain2['id'])
+        implied = self.role_api.create_role(role2['id'], role2)
+
+        self.put('/roles/%s/implies/%s'
+                 % (self.appdev_role['id'], implied['id']),
+                 token=self.admin_token,
+                 expected_status=http_client.FORBIDDEN)
+
+    def test_allowed_role_implication_different_domains_as_cloud_admin(self):
+        self.auth = self.build_authentication_request(
+            user_id=self.cloud_admin_user['id'],
+            password=self.cloud_admin_user['password'],
+            project_id=self.admin_project['id'])
+
+        domain2 = unit.new_domain_ref(domain_id=uuid.uuid4().hex)
+        self.resource_api.create_domain(domain2['id'], domain2)
+
+        role2 = unit.new_role_ref(domain_id=domain2['id'])
+        implied = self.role_api.create_role(role2['id'], role2)
+
+        self.put('/roles/%s/implies/%s'
+                 % (self.appdev_role['id'], implied['id']),
+                 auth=self.auth,
+                 expected_status=http_client.CREATED)