Comment 25 for bug 968696

Florent Flament (florentflament) wrote :

Catching up on this bug, if I understand well, the initial issue was that there wasn't a way to grant admin-ness on a project without granting total control over all OpenStack resources.

I think that this can now be achieved by defining appropriate roles and policy rules.

For instance we can create a `project_admin` role that only allows a project admin to grant the `Member` role on his own project to other users, with the following rule:
```
"identity:create_grant": "role:project_admin and project_id:%(target.project.id)s and 'Member':%(target.role.name)s"
```

Although the last condition needs the following patch, which allows checking context variables against constants during the policy enforcement phase: https://review.openstack.org/#/c/68176/
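How the rule in the comment above decides a few grant requests, as an added example that is not part of the original comment and is not Keystone or oslo.policy code. It is a simplified evaluator that handles only `and`-joined checks; the function names, credentials and target values are constructed for illustration.

```python
# Simplified model of the "identity:create_grant" rule quoted in the comment.
# Assumption: only "and"-joined checks are handled; the real policy engine also
# supports or/not, rule references and other check kinds.
RULE = ("role:project_admin and project_id:%(target.project.id)s "
        "and 'Member':%(target.role.name)s")

def _check(check, creds, target):
    kind, _, match = check.partition(":")
    try:
        # Fill %(key)s placeholders from the flattened target dict.
        match = match % target
    except KeyError:
        return False  # fail closed when the target lacks the attribute
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    if kind.startswith("'") and kind.endswith("'"):
        # Constant on the left-hand side: the form the comment says needs the
        # linked patch.
        return kind[1:-1] == match
    # Generic check: the caller's credential attribute must equal the value.
    return kind in creds and str(creds[kind]) == match

def enforce(rule, creds, target):
    """Return True only if every and-joined check passes."""
    return all(_check(c, creds, target) for c in rule.split(" and "))

def grant_target(project_id, role_name):
    """Build a constructed, flattened target for a role grant request."""
    return {"target.project.id": project_id, "target.role.name": role_name}

# Constructed caller: holds project_admin, token scoped to project "proj-a".
PROJECT_ADMIN = {"roles": ["project_admin"], "project_id": "proj-a"}

def demo():
    cases = {
        "Member on own project": grant_target("proj-a", "Member"),
        "admin on own project": grant_target("proj-a", "admin"),
        "Member on other project": grant_target("proj-b", "Member"),
    }
    return {name: enforce(RULE, PROJECT_ADMIN, t) for name, t in cases.items()}

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```
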