--- features: - | [`bug 1805406 `_] The user API now supports the ``admin``, ``member``, and ``reader`` default roles. upgrade: - | [`bug 1805406 `_] The ``GET /v3/users/{user_id`` API now properly returns an ``HTTP 403 Forbidden`` as opposed to ``HTTP 404 Not Found`` if the calling user doesn't have authorization to call the API. This applies consistent authorititive policy checks to the API. The user API uses new default policies that make it more accessible to end users and administrators in a secure way. Please consider these new defaults if your deployment overrides user policies. deprecations: - | [`bug 1805406 `_] The user policies have been deprecated. The ``identity:get_user`` now uses ``(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s`` instead of ``rule:admin_or_owner``. The ``identity:list_users`` policy now uses ``(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)`` instead of ``rule:admin_required``. The ``identity:create_user``, ``identity:update_user``, and ``identity:delete_user`` policies now use ``(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)`` instead of ``rule:admin_required``. These new defaults automatically account for system-scope, domain-scope, and support a read-only role, making it easier for system and domain administrators to delegate subsets of responsibility without compromising security. Please consider these new defaults if your deployment overrides the user policies. security: - | [`bug 1805406 `_] The user API now uses system-scope and default roles to provide better accessibility to users in a secure way.