Comment 1 for bug 1630434

It looks like the list role assignments call is protected by the following rule [0]:

  "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter"

Even the admin_on_domain_filter rule requires the user to have the admin role. Can you verify the domain admin actually has the admin role specified?

[0] https://github.com/openstack/keystone/blob/856bd73826d36731c611b6479d204816cde0b2e9/etc/policy.v3cloudsample.json#L123