Comment 5 for bug 1775227

Since Queens release, the default policy file shipped with horizon is based on individual back-end projects. keystone policy.json (and keystone default policy defined as policy-in-code) defines "rule:admin_required" as the default policy for "identity:create_role" and "identity:delete_role". Thus, it is not surprising that "Create Role" and "Delete Role" buttons are missing for a domain admin.

To use the domain admin feature, you need to customize policy.json file for keystone.

What keystone policy is used for horizon (and keystone)?