---
features:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment API now supports the ``admin``, ``member``,
    and ``reader`` default roles across system-scope, domain-scope,
    and project-scope.
upgrade:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment API uses new default policies that make it more
    accessible to end users and administrators in a secure way. Please
    consider these new defaults if your deployment overrides system
    assignment policies.
deprecations:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment policies have been deprecated. The
    ``identity:list_system_grants_for_user`` and
    ``identity:check_system_grant_for_user`` policies now use
    ``role:reader and system_scope:all`` instead of
    ``rule:admin_required``. The
    ``identity:create_system_grant_for_user`` and
    ``identity:revoke_system_grant_for_user`` policies now use
    ``role:admin and system_scope:all`` instead of
    ``rule:admin_required``. These new defaults automatically include
    support for a read-only role and allow for more granular access to
    the system assignment API, making it easier for administrators to
    delegate authorization, safely. Please consider these new defaults
    if your deployment overrides the system assignment APIs.
security:
  - |
    [`bug 1805368 <https://bugs.launchpad.net/keystone/+bug/1805368>`_]
    [`bug 1750669 <https://bugs.launchpad.net/keystone/+bug/1750669>`_]
    The system assignment API now uses system-scope, domain-scope,
    project-scope, and default roles to provide better accessibility
    to users in a secure way.