As that seems to be the only reason we currently need a global admin.
For other operations that do not have a scope on the object/API to check, policy should default to using the admin tenant configured when setting up the server in the authtoken section of the config file.
domain = default,
project = admin
That can be overridden in a production deployment, but matches what devstack currently does.
Note that fixing the scoping is dependent on
https://bugs.launchpad.net/keystone/+bug/1476264