Comment 8 for bug 1830536

Amad Ali (amad) wrote :

Adding more details about the regression experienced.

The issue is affecting all users assigned "Admin" role in all domains and projects apart from the admin project.

Here is an extract of the novarc file of the user with a token scoped to a project in the LDAP domain.

#!/usr/bin/env bash
export OS_AUTH_URL=https://xxx.xxx.xxx:5000/v3
export OS_PROJECT_ID=<project_in_ldap_domain>
export OS_PROJECT_NAME="xxxx"
export OS_USER_DOMAIN_NAME="<ldap_domain_name>"
export OS_PROJECT_DOMAIN_ID="<ldap_domain_id>"
export OS_USERNAME=xxxx
export OS_PASSWORD=xxxx
export OS_REGION_NAME="xxxx"
export OS_IDENTITY_API_VERSION=3
export OS_CACERT=<path>

This user could create a provider network before this fix but cannot anymore. There are NO issues creating internal networks with such a user.

Here is the error when trying to create a provider network with such a user.

$ openstack network create --provider-network-type vlan --provider-segment 1111 --provider-physical-network physnet1 Test
Error while executing command: HttpException: 403, (((rule:create_network and rule:create_network:provider:physical_network) and rule:create_network:provider:network_type) and rule:create_network:provider:segmentation_id) is disallowed by policy
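To make that 403 message easier to triage, the following is an added Python illustration (not Neutron's or oslo.policy's code) that parses the rule conjunction quoted in the error and reports which referenced rules reject a given set of token credentials. The rule bodies in RULES and the two credential sets are assumptions for illustration only, not taken from any real policy file.

```python
"""Minimal oslo.policy-style evaluator for the conjunction in the 403 above.
Rule bodies below are ASSUMED for illustration; a real deployment defines them
in Neutron's policy file, and the regression reported above lives there."""
import re

RULES = {  # assumed definitions, not copied from any real policy file
    "admin_only": "role:admin and is_admin_project:True",
    "create_network": "",  # empty rule body means always allowed
    "create_network:provider:physical_network": "rule:admin_only",
    "create_network:provider:network_type": "rule:admin_only",
    "create_network:provider:segmentation_id": "rule:admin_only",
}
# Tokens: parentheses, the keywords and/or, or a kind:value atom.
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_][\w:]*:[\w:.]+")

def _atom(tok, creds, trace):
    kind, _, val = tok.partition(":")
    if kind == "rule":  # rule reference: recurse and record the outcome
        ok = evaluate(RULES[val], creds, trace)
        trace.append((val, ok))
        return ok
    if kind == "role":
        return val in creds.get("roles", [])
    return str(creds.get(kind)) == val  # generic credential comparison

def _factor(toks, i, creds, trace):
    if toks[i] == "(":
        val, i = _expr(toks, i + 1, creds, trace)
        return val, i + 1  # skip the closing parenthesis
    return _atom(toks[i], creds, trace), i + 1

def _term(toks, i, creds, trace):  # factor ('and' factor)*, no short-circuit
    val, i = _factor(toks, i, creds, trace)
    while i < len(toks) and toks[i] == "and":
        rhs, i = _factor(toks, i + 1, creds, trace)
        val = val and rhs
    return val, i

def _expr(toks, i, creds, trace):  # term ('or' term)*
    val, i = _term(toks, i, creds, trace)
    while i < len(toks) and toks[i] == "or":
        rhs, i = _term(toks, i + 1, creds, trace)
        val = val or rhs
    return val, i

def evaluate(expr, creds, trace=None):
    """True if expr passes for creds; trace collects (rule_name, result)."""
    trace = [] if trace is None else trace
    toks = TOKEN.findall(expr)
    return _expr(toks, 0, creds, trace)[0] if toks else True

def denied_rules(expr, creds):
    """Distinct rule:* references that evaluated False, in evaluation order."""
    trace = []
    evaluate(expr, creds, trace)
    return list(dict.fromkeys(name for name, ok in trace if not ok))
```

Feeding it the expression from the error with assumed credentials such as {"roles": ["admin"], "is_admin_project": False} (admin role, token scoped to an ordinary project) lists admin_only and the three provider sub-rules as the denying rules, while the same roles with is_admin_project True pass.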