---
features:
  - |
    [`bug 1750673 <https://bugs.launchpad.net/keystone/+bug/1750673>`_]
    The role assignment API now supports the ``admin``, ``member``, and
    ``reader`` default roles across system-scope, domain-scope, and
    project-scope.
upgrade:
  - |
    [`bug 1750673 <https://bugs.launchpad.net/keystone/+bug/1750673>`_]
    The role assignment API uses new default policies that make it more
    accessible to end users and administrators in a secure way. Please
    consider these new policies if your deployment overrides role
    assignment policies.
deprecations:
  - |
    [`bug 1750673 <https://bugs.launchpad.net/keystone/+bug/1750673>`_]
    The role assignment ``identity:list_role_assignments`` policy now
    uses ``(role:reader and system_scope:all) or (role:reader and
    domain_id:%(target.domain.id)s)`` instead of ``rule:admin_required``.
    This new default automatically includes support for a read-only role
    and allows for more granular access to the role assignment API. Please
    consider this new default if your deployment overrides the role
    assignment policies.
security:
  - |
    [`bug 1750673 <https://bugs.launchpad.net/keystone/+bug/1750673>`_]
    The role assignment API now uses system-scope, domain-scope,
    project-scope, and default roles to provide better accessbility to
    users in a secure way.