Users from other domains which should be matched by cloud_admin rule cannot list domains or switch domain context

Bug #1982944 reported by David Mitchell
Affects | Status | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon) | New | Undecided | Unassigned |

Bug Description

On Yoga, the out-of-the-box 'admin' user can list all domains and switch context into other domains using Horizon.

As I understand it, the default Keystone policy file allows this by way of the cloud_admin rule defined as follows:

"admin_required": "role:Admin",
"cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:<id of 'admin_domain'> or project_id:<id of services project>)"

With the admin_project_name and admin_project_domain_name defined inside keystone.conf as 'admin' and 'admin_domain' respectively.

If I create a new domain 'newdomain' and, inside that domain, a new user 'newdomainuser', and then assign newdomainuser the 'admin' role on either or both of the admin project and the admin domain, then when I sign into Horizon as 'newdomainuser' I can only see 'newdomain' under Identity -> Domains and I cannot switch context to other domains.

If I configure an rc file for 'newdomainuser' with OS_PROJECT_DOMAIN_ID and OS_PROJECT_ID set to match the 'admin' project in the 'admin_domain' domain, then via the CLI I can list domains and perform operations as expected.

How can we allow users in domains other than the out-of-the-box 'admin_domain' to get full 'cloud_admin' functionality in Horizon?
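As an added illustration (not code from the report, Keystone or Horizon), a small Python evaluator for the rule syntax quoted above, run against constructed token credentials for the three scopes the report describes. The ids, the credential dict shapes and the assumption that Keystone sets is_admin_project when the token's project matches keystone.conf are all assumptions of this example.

```python
import re

# Constructed policy fragment mirroring the two rules quoted in the report;
# the ids are placeholders for the real admin_domain / services project ids.
ADMIN_DOMAIN_ID, SERVICES_PROJECT_ID = "ADMIN_DOMAIN_ID_X", "SERVICES_PROJECT_ID_X"
POLICY = {
    "admin_required": "role:Admin",
    "cloud_admin": "rule:admin_required and (is_admin_project:True"
                   f" or domain_id:{ADMIN_DOMAIN_ID} or project_id:{SERVICES_PROJECT_ID})",
}
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_]+:[^\s()]+")

def evaluate(rule_name, policy, creds):
    """Evaluate policy[rule_name] against a token credential dict (oslo.policy subset)."""
    tokens = _TOKEN.findall(policy[rule_name])
    def atom():
        tok = tokens.pop(0)
        if tok == "(":
            val = expr()
            tokens.pop(0)  # consume ')'
            return val
        kind, _, target = tok.partition(":")
        if kind == "rule":  # reference to another named rule
            return evaluate(target, policy, creds)
        if kind == "role":
            return target in creds.get("roles", [])
        # GenericCheck: the literal is compared with the credential attribute
        return str(creds.get(kind, "")) == target
    def term():  # atom ('and' atom)*; atom() runs first so tokens are consumed
        val = atom()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            val = atom() and val
        return val
    def expr():  # term ('or' term)*
        val = term()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            val = term() or val
        return val
    return expr()

# Constructed credentials in the simplified shape Keystone hands to the policy engine;
# is_admin_project is assumed set when the token's project matches keystone.conf's admin project.
CREDS = {
    "admin_on_admin_domain": {"roles": ["Admin"], "domain_id": ADMIN_DOMAIN_ID},
    "newdomainuser_on_newdomain": {"roles": ["Admin"], "domain_id": "NEWDOMAIN_ID_X"},
    "newdomainuser_on_admin_project": {"roles": ["Admin"], "is_admin_project": True, "project_id": "ADMIN_PROJECT_ID_X"},
}
```

Only the admin_domain-scoped and admin-project-scoped credentials satisfy cloud_admin; a token scoped to 'newdomain' fails every disjunct even though it carries the Admin role, which is the gap between the Horizon and CLI behaviour the report describes.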
