--- features: - | [`bug 1805368 `_] [`bug 1750669 `_] The system assignment API now supports the ``admin``, ``member``, and ``reader`` default roles across system-scope, domain-scope, and project-scope. The grant API now supports the ``admin``, ``member``, and ``reader`` default roles for system-scope. upgrade: - | [`bug 1805368 `_] [`bug 1750669 `_] The system assignment and grant APIs uses new default policies that make it more accessible to end users and administrators in a secure way. Please consider these new defaults if your deployment overrides system assignment policies. deprecations: - | [`bug 1805368 `_] [`bug 1750669 `_] The system assignment and grant policies have been deprecated. The ``identity:list_system_grants_for_user``, ``identity:check_system_grant_for_user``, ``identity:list_system_grants_for_group``, and ``identity:check_system_grant_for_group`` policies now use ``role:reader and system_scope:all`` instead of ``rule:admin_required``. The ``identity:create_system_grant_for_user``, ``identity:revoke_system_grant_for_user``, ``identity:create_system_grant_for_group``, and ``identity:revoke_system_grant_for_group`` policies now use ``role:admin and system_scope:all`` instead of ``rule:admin_required``. The ``identity:check_grant`` and ``identity:list_grants`` policies now use ``role:reader and system_scope:all`` instead of ``rule:admin_required``. The ``identity:create_grant`` and ``identity:revoke_grant`` policies now use ``role:admin and system_scope:all`` instead of ``rule:admin_required``. These new defaults automatically include support for a read-only role and allow for more granular access to the system assignment and grant APIs, making it easier for administrators to delegate authorization, safely. Please consider these new defaults if your deployment overrides the system assignment APIs. security: - | [`bug 1805368 `_] [`bug 1750669 `_] The system assignment API now uses system-scope, domain-scope, project-scope, and default roles to provide better accessibility to users in a secure way. The grant API now uses system-scope and default to provide better accessbility to operators.