features:
  - |
    [`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
    The federated mapping API now supports the ``admin``, ``member``,
    and ``reader`` default roles.
upgrade:
  - |
    [`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
    The federated mapping API uses new default policies that
    make it more accessible to end users and administrators in a
    secure way. Please consider these new defaults if your deployment
    overrides federated mapping policies.
deprecations:
  - |
    [`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
    The federated mapping policies have been deprecated. The
    ``identity:list_mappings`` and ``identity:get_mapping`` policies now
    use ``role:reader and system_scope:all`` instead of ``rule:admin_required``.
    The ``identity:create_mapping``, ``identity:update_mapping``, and
    ``identity:delete_mapping`` policies now use ``role:admin and
    system_scope:all`` instead of ``rule:admin_required``.
    These new defaults automatically account for system-scope and support
    a read-only role, making it easier for system administrators to
    delegate subsets of responsibility without compromising security.
    Please consider these new defaults if your deployment overrides the
    federated mapping policies.
security:
  - |
    [`bug 1804521 <https://bugs.launchpad.net/keystone/+bug/1804521>`_]
    The federated mapping API now uses system-scope and default roles
    to provide better accessibility to users in a secure way.