Comment 0 for bug 1433402

Yi Shi (yi-shi) wrote:

Two identity APIs have an unauthorised issue with the v3 policy. They are list_users_in_group and list_groups_for_user:

The domain admin should have permission to call these two APIs, but the calls failed.

Repro steps:
* use v3 policy as config
1. Create domain
2. Create admin user 'userA' under domain (assign admin role to the user with domain scope)
3. Create a normal domain user 'userB' (with domain admin userA's token)
4. Create a normal domain group 'groupB' (with domain admin userA's token)
5. Add userB as a member of groupB (with domain admin userA's token)
6. list_users_in_group with groupB's id as param (with domain admin userA's token), unauthorized
7. list_groups_for_user with userB's id as param (with domain admin userA's token), unauthorized