Basically, we should make this bug as INVALID and revert the patch proposed. To achieve the scenario indicated in the bug description we should consider using keystone trust API. In this example, I will give Admin role to the demo user for the admin project so it will be able to execute some privileged operations. # admin env context $ openstack trust create --project admin --role Admin admin demo +--------------------+----------------------------------+ | Field | Value | +--------------------+----------------------------------+ | deleted_at | None | | expires_at | None | | id | 67081c80ccab4e20834a48ce002b9408 | | impersonation | False | | project_id | 5c2157c6ff4849faa2e586156acbb7d9 | | redelegation_count | 0 | | remaining_uses | None | | roles | Admin | | trustee_user_id | f110c3e37099409f8b3c1867840a79c7 | | trustor_user_id | 06b930776bfd4fa098867ca5fd8c9804 | +--------------------+----------------------------------+ # demo env context declare -x OS_AUTH_TYPE="password" declare -x OS_AUTH_URL="http://10.5.0.3:5000/v3" declare -x OS_AUTH_VERSION="3" declare -x OS_IDENTITY_API_VERSION="3" declare -x OS_PASSWORD="pass" declare -x OS_PROJECT_DOMAIN_NAME="admin_domain" declare -x OS_PROJECT_NAME="admin" declare -x OS_REGION_NAME="RegionOne" declare -x OS_USERNAME="demo" declare -x OS_USER_DOMAIN_NAME="admin_domain" $ openstack network list The request you have made requires authentication. (HTTP 401) (Request-ID: req-cc6212b3-24bc-4405-8830-e66f725a5d78) # Now using the trust-id previously created... $ unset OS_PROJECT_NAME $ unset OS_PROJECT_DOMAIN_NAME $ openstack --os-trust-id 67081c80ccab4e20834a48ce002b9408 network set --disable private $ openstack network show cloudadmin-owned-net -c admin_state_up -f value DOWN