diff --git a/manifests/roles/admin.pp b/manifests/roles/admin.pp
index e632b07d7..a9c2a0784 100644
--- a/manifests/roles/admin.pp
+++ b/manifests/roles/admin.pp
@@ -53,6 +53,11 @@
 #   Optional.  Domain of the admin user
 #   Defaults to undef (undef will resolve to class keystone $default_domain)
 #
+# [*target_admin_domain*]
+#   Optional.  Domain where the admin user will have the $admin_role
+#   Defaults to undef (undef will not associate the $admin_role to any
+#   domain, only project)
+#
 # [*admin_project_domain*]
 #   Optional.  Domain of the admin tenant
 #   Defaults to undef (undef will resolve to class keystone $default_domain)
@@ -85,11 +90,12 @@ class keystone::roles::admin(
   $admin_user_domain      = undef,
   $admin_project_domain   = undef,
   $service_project_domain = undef,
+  $target_admin_domain    = undef,
 ) {
 
   include ::keystone::deps
 
-  $domains = unique(delete_undef_values([ $admin_user_domain, $admin_project_domain, $service_project_domain]))
+  $domains = unique(delete_undef_values([ $admin_user_domain, $admin_project_domain, $service_project_domain, $target_admin_domain]))
   keystone_domain { $domains:
     ensure  => present,
     enabled => true,
@@ -131,6 +137,15 @@ class keystone::roles::admin(
       roles          => $admin_roles,
     }
     Keystone_user_role["${admin}@${admin_tenant}"] -> File<| tag == 'openrc' |>
+
+    if $target_admin_domain {
+      keystone_user_role { "${admin}@::${target_admin_domain}":
+        ensure      => present,
+        user_domain => $admin_user_domain,
+        roles       => $admin_roles,
+      }
+      Keystone_user_role["${admin}@::${target_admin_domain}"] -> File<| tag == 'openrc' |>
+    }
   }
 
 }
diff --git a/releasenotes/notes/add_target_admin_domain-272f97b06e476495.yaml b/releasenotes/notes/add_target_admin_domain-272f97b06e476495.yaml
new file mode 100644
index 000000000..385ac4c7e
--- /dev/null
+++ b/releasenotes/notes/add_target_admin_domain-272f97b06e476495.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - Implement `bug 1589933
+    <https://bugs.launchpad.net/puppet-keystone/+bug/1589933>`__ so now
+    one associate the admin to admin_role for an entire domain if it
+    uses the target_admin_domain parameter in the auth.pp class.
diff --git a/spec/classes/keystone_roles_admin_spec.rb b/spec/classes/keystone_roles_admin_spec.rb
index f55bd721a..4f294b540 100644
--- a/spec/classes/keystone_roles_admin_spec.rb
+++ b/spec/classes/keystone_roles_admin_spec.rb
@@ -192,5 +192,27 @@ describe 'keystone::roles::admin' do
       }
     end
    it { is_expected.to contain_keystone_domain('admin_domain') }
-   end
+  end
+
+  describe 'when specifying a target admin domain' do
+    let :params do
+      {
+        :email                  => 'foo@bar',
+        :password               => 'ChangeMe',
+        :admin_user_domain      => 'admin_domain',
+        :admin_project_domain   => 'admin_domain',
+        :target_admin_domain    => 'admin_domain_target'
+      }
+    end
+    let(:pre_condition) { 'file { "/root/openrc": tag => ["openrc"]}' }
+    it { is_expected.to contain_keystone_domain('admin_domain_target') }
+    it { is_expected.to contain_keystone_user_role('admin@::admin_domain_target')
+             .with(
+               :roles          => ['admin'],
+               :ensure         => 'present',
+               :user_domain    => 'admin_domain',
+             )
+             .that_comes_before('File[/root/openrc]')
+    }
+  end
 end