From 26e0d47cc59f88941d7e7fa46bff5f06ef437ee4 Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski <skaplons@redhat.com>
Date: Mon, 12 Apr 2021 15:16:58 +0200
Subject: [PATCH] Allow system_scope personas (SYSTEM_ADMIN) to create router

Related-blueprint: bp/secure-rbac-roles
Change-Id: I8a851b17f3a398f1318800b5a97eb66330c91ce5
---
 neutron/conf/policies/router.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/neutron/conf/policies/router.py b/neutron/conf/policies/router.py
index 88c33e94d9c..dca7badeeca 100644
--- a/neutron/conf/policies/router.py
+++ b/neutron/conf/policies/router.py
@@ -40,7 +40,7 @@ rules = [
     policy.DocumentedRuleDefault(
         name='create_router',
         check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['project'],
+        scope_types=['system', 'project'],
         description='Create a router',
         operations=ACTION_POST,
         deprecated_rule=policy.DeprecatedRule(