So this is expected behaviour from heat. For heat, 'admin' is one with 'admin' role in 'admin' project. We use 'is_admin_project' from the context in heat policy.json, which is set based on the admin_project in keystone.conf and it's backward compatible (is_admin_project falls back to True with oslo.context when there is no admin project defined). Therefore, 'service list' is available only to the 'admin' and not a user with admin role in any project.
We do use a 'project_admin' for certain stuff in our policy.json to make it compatible with other project policies. So if it's an issue for horizon then we can probably change it.
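Added example, not part of the original comment and not Heat's or oslo's code: a small Python model of the check described above, showing which users pass the 'admin' check when an admin project is configured and when the fallback to True applies. The function names, the sample assignments and the simplification of matching the admin project by name only are assumptions made for illustration.

```python
from typing import Iterable, List, Optional, Tuple

# (user, project, roles) tuples; constructed sample data, not from a real cloud.
Assignment = Tuple[str, str, Tuple[str, ...]]

SAMPLE_ASSIGNMENTS: List[Assignment] = [
    ("alice", "admin", ("admin",)),         # admin role in the admin project
    ("bob", "tenant-a", ("admin",)),        # admin role in an ordinary project
    ("carol", "admin", ("member",)),        # member of the admin project only
    ("dave", "tenant-b", ("member",)),
]


def is_admin_project(token_project: str, admin_project: Optional[str]) -> bool:
    """Model of the context flag: with no admin project defined it falls back
    to True (the backward-compatible behaviour described in the comment)."""
    if admin_project is None:
        return True
    return token_project == admin_project


def context_is_admin(roles: Iterable[str], token_project: str,
                     admin_project: Optional[str]) -> bool:
    """'admin' in the sense used above: admin role AND admin project."""
    return "admin" in roles and is_admin_project(token_project, admin_project)


def project_admin(roles: Iterable[str]) -> bool:
    """The looser check: admin role in any project."""
    return "admin" in roles


def users_allowed_service_list(assignments: Iterable[Assignment],
                               admin_project: Optional[str]) -> List[str]:
    """Users who would pass the 'admin' check gating 'service list'."""
    return sorted(user for user, project, roles in assignments
                  if context_is_admin(roles, project, admin_project))


if __name__ == "__main__":
    for configured in ("admin", None):
        allowed = users_allowed_service_list(SAMPLE_ASSIGNMENTS, configured)
        print(f"admin_project={configured!r}: service list allowed for {allowed}")
```

With no admin project defined, every holder of the admin role in any project passes the check, which is worth verifying when auditing a deployment that relies on this distinction.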