Adjust 'identity:list_user_projects' for Horizon compatibility

Aligns the `identity:list_user_projects` policy rule with Keystone's defaults [1] by incorporating the `_or_owner` part of it. This enables Domain Managers to successfully log in using Horizon. [1] https://files.openstack.org/docs/developer/keystone/sample_files/sample_policy.html Signed-off-by: Markus Hentsch <129268441+markus-hentsch@users.noreply.github.com>
SovereignCloudStack · Nov 18, 2023 · b9b753a · b9b753a
1 parent 4fd661c
commit b9b753a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/Standards/scs-0302-v1-domain-manager-role.md b/Standards/scs-0302-v1-domain-manager-role.md
@@ -155,7 +155,7 @@ The "`is_domain_managed_role`" rule definition is the only exception to this (se
 "identity:create_project": "(rule:is_domain_manager and token.domain.id:%(target.project.domain_id)s) or rule:admin_required"
 "identity:update_project": "(rule:is_domain_manager and token.domain.id:%(target.project.domain_id)s) or rule:admin_required"
 "identity:delete_project": "(rule:is_domain_manager and token.domain.id:%(target.project.domain_id)s) or rule:admin_required"
-"identity:list_user_projects": "(rule:is_domain_manager and token.domain.id:%(target.user.domain_id)s) or rule:admin_required"
+"identity:list_user_projects": "(rule:is_domain_manager and token.domain.id:%(target.user.domain_id)s) or user_id:%(user_id)s or rule:admin_required"
 
 # allow domain managers to manage role assignments within their domain
 # (restricted to specific roles by the 'is_domain_managed_role' rule)