--- features: - | [`bug 1750660 `_] The project API now supports the ``admin``, ``member``, and ``reader`` default roles across system-scope, domain-scope, and project-scope. upgrade: - | [`bug 1750660 `_] The project API uses new default policies that make it more accessible to end users and administrators in a secure way. Please consider these new defaults if your deployment overrides project policies. deprecations: - | [`bug 1750660 `_] The project policies have been deprecated. The ``identity:get_project`` policy now uses ``(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s`` instead of ``rule:admin_required or project_id:%(target.project.id)s``. The ``identity:list_projects`` policy now uses ``(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s`` instead of ``rule:admin_required``. The ``identity:list_user_projects`` policy now uses ``(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s`` instead of ``rule:admin_or_owner``. The ``identity:create_project`` now uses ``(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)`` instead of ``rule:admin_required``. These new defaults automatically include support for a read-only role and allow for more granular access to project APIs, making it easier for system and domain administrators to delegate authorization, safely. Please consider these new defaults if your deployment overrides the project policies. security: - | [`bug 1750660 `_] The project API now uses system-scope, domain-scope, project-scope and default roles to provide better accessibility to users in a secure way.