keystone/releasenotes/notes/bug-1804522-00df902cd2d74ee3.yaml

---
features:
  - |
    [`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
    The federated service provider API now supports the ``admin``, ``member``,
    and ``reader`` default roles.    
upgrade:
  - |
    [`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
    The federated service provider API uses new default policies that
    make it more accessible to end users and administrators. Please consider
    these new defaults if your deployment overrides federated service provider
    policies.    
deprecations:
  - |
    [`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
    The federated service provider policies have been deprecated. The
    ``identity:get_service_provider`` and
    ``identity:list_service_providers`` policies now use ``role:reader
    and system_scope:all`` instead of ``rule:admin_required``. The
    ``identity:create_service_provider``,
    ``identity:update_service_provider``, and
    ``identity:delete_service_provider`` policies now use ``role:admin
    and system_scope:all`` instead of ``rule:admin_required``. These
    new defaults automatically include support for a read-only role
    and allow for more granular access to service provider APIs,
    making it easier for system administrators to delegate
    authorization. Please consider these new defaults if your
    deployment overrides the federated service provider policies.    
security:
  - |
    [`bug 1804522 <https://bugs.launchpad.net/keystone/+bug/1804522>`_]
    The federated service provider API now uses system-scope and default
    roles to provide better accessibility to users in a secure way.