Comment 7 for bug 1933332

Gage Hugo (gagehugo) wrote :

I looked over the keystone docs and did some googling, and I did not find anywhere that keystone specifically calls out enabling "enforce_scope" to avoid this outside of the release notes, so this is definitely an area for improvement.

I imagine a warning or note could be added to the roles documentation in keystone, perhaps here[0].

This may need to be propagated across all the services' documentation as well, since it needs to be configured in each service's conf.

[0] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html