It looks like the list role assignments call is protected by the following rule [0]:
"rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter"
Even the admin_on_domain_filter rule requires the user to have the admin role. Can you verify the domain admin actually has the admin role specified?
[0] https://github.com/openstack/keystone/blob/856bd73826d36731c611b6479d204816cde0b2e9/etc/policy.v3cloudsample.json#L123
It looks like the list role assignments call is protected by the following rule [0]:
"rule:cloud_admin or rule:admin_ on_domain_ filter or rule:admin_ on_project_ filter"
Even the admin_on_ domain_ filter rule requires the user to have the admin role. Can you verify the domain admin actually has the admin role specified?
[0] https:/ /github. com/openstack/ keystone/ blob/856bd73826 d36731c611b6479 d204816cde0b2e9 /etc/policy. v3cloudsample. json#L123