Comment 9 for bug 1010547

Joseph Heck (heckj) wrote : Re: Admin rights escalate to other tenants (was: glance allows to delete arbitrary images)

I'm good for opening it up - it's how the roles are implemented and supported by the individual services. The keystone project has a blueprint that Liem (from HP) is working on now to gather up a recommended set of policy.json files and related roles to provide a layout with explicit per-service administration functions. (https://blueprints.launchpad.net/keystone/+spec/document-deployment-suggestions-policy)

For Alessio, I'd recommend making that a rule in policy.json rather than in the code itself, as that makes it configurable by policy rather than hard-coded, but I'll defer to whatever Brian suggests here.