keystone/releasenotes/notes/bug-1805403-c003627a64768716.yaml

---
features:
  - |
    [`bug 1805403 <https://bugs.launchpad.net/keystone/+bug/1805403>`_]
    The project API now supports the ``admin``, ``member``, and
    ``reader`` default roles.    
upgrade:
  - |
    [`bug 1805403 <https://bugs.launchpad.net/keystone/+bug/1805403>`_]
    The project API uses new default policies that make it more
    accessible to end users and administrators in a secure way. Please
    consider these new defaults if your deployment overrides
    project policies.    
deprecations:
  - |
    [`bug 1805403 <https://bugs.launchpad.net/keystone/+bug/1805403>`_]
    The project policies have been deprecated. The
    ``identity:get_project`` policy now uses ``(role:reader and
    system_scope:all) or project_id:%(target.project.id)s`` instead of
    ``rule:admin_required or project_id:%(target.project.id)s``. The
    ``identity:list_projects`` policy now uses ``role:reader and
    system_scope:all`` instead of ``rule:admin_required``. The
    ``identity:create_project``, ``identity:update_project``, and
    ``identity:delete_project`` policies now use ``role:admin and
    system_scope:all`` instead of ``rule:admin_required``. The
    ``identity:list_user_projects`` policy now uses ``(role:admin and
    system_scope:all) or user_id:%(target.user.id)s`` instead of
    ``rule:admin_or_owner``. These new defaults automatically account
    for system-scope and support a read-only role, making it easier
    for system administrators to delegate subsets of responsibility
    without compromising security. Please consider these new defaults
    if your deployment overrides the project policies.    
security:
  - |
    [`bug 1805403 <https://bugs.launchpad.net/keystone/+bug/1805403>`_]
    The project API now uses system-scope and default roles to
    provide better accessibility to users in a secure way.