diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index db71e4664..628b032dc 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -138,6 +138,10 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*keystone_enable_member*]
+#   (Optional) Whether _member_ role is managed or not (required for Horizon).
+#   Defaults to hiera('keystone_enable_member', false)
+#
 class tripleo::profile::base::keystone (
   $admin_endpoint_network         = hiera('keystone_admin_api_network', undef),
   $bootstrap_node                 = hiera('bootstrap_nodeid', undef),
@@ -166,6 +170,7 @@ class tripleo::profile::base::keystone (
   $barbican_notification_topics   = [],
   $extra_notification_topics      = [],
   $step                           = Integer(hiera('step')),
+  $keystone_enable_member         = hiera('keystone_enable_member', false),
 ) {
   if $::hostname == downcase($bootstrap_node) {
     $sync_db = true
@@ -280,6 +285,11 @@ class tripleo::profile::base::keystone (
 
   if $step == 3 and $manage_roles {
     include ::keystone::roles::admin
+    if $keystone_enable_member {
+      keystone_role { '_member_':
+        ensure => present,
+      }
+    }
   }
 
   if $step == 3 and $manage_endpoint {
diff --git a/releasenotes/notes/keystone_member-70065ba9269c4bfd.yaml b/releasenotes/notes/keystone_member-70065ba9269c4bfd.yaml
new file mode 100644
index 000000000..f1f786417
--- /dev/null
+++ b/releasenotes/notes/keystone_member-70065ba9269c4bfd.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Allow to let puppet-keystone managing _member_ role which is required
+    by Horizon. Can be enabled with keystone_enable_member parameter (disabled
+    by default.)