Comment 2 for bug 1264325

Sergii Kashaba (skashaba) wrote :

Shouldn't listing domains and other essential operations be available using a token scoped to the admin domain? The admin domain is the domain pointed to in policy.json in the rule (old syntax):
"cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]],

The con of this approach is that Horizon doesn't support users who are assigned to a domain. The CLI for OpenStack doesn't support arguments to define scope for tenant in Havana; for Icehouse, the fix https://bugs.launchpad.net/python-openstackclient/+bug/1198171 was recently committed, but I'm not sure what exactly is allowed now.