--- features: - | [`bug 1844194 `_] [`bug 1844193 `_] The project tags API now supports the ``admin``, ``member``, and ``reader`` default roles. upgrade: - | [`bug 1844194 `_] [`bug 1844193 `_] The project tags API now uses new default policies that make it more accessible to end users and administrators in a secure way. Please consider these new defaults if your deployment overrides the project tags policies. deprecations: - | [`bug 1844194 `_] [`bug 1844193 `_] The project tags API policies have been deprecated. The ``identity:get_project_tag`` and ``identity:list_project_tags`` policies now use ``(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s`` instead of ``rule:admin_required or project_id:%(target.project.id)s``. The ``identity:update_project_tags``, ``identity:delete_project_tags``, ``identity:delete_project_tag``, and ``identity:create_project_tag`` policies now use ``(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)`` instead of ``rule:admin_required``. These new defaults automatically account for system-scope and support a read-only role, making it easier for system administrators to delegate subsets of responsibility with compromising security. Please consider these new defaults if your deployment overrides the project tag policies. security: - | [`bug 1844194 `_] [`bug 1844193 `_] The project tags API now uses system-scope and default roles to provide better accessibility to users in a secure way.