Comment 14 for bug 1658641

It sounds like a possible solution would be to enhance the ``keystone-manage`` tool. What we could do is add a path to it that accepts a user_id, check to make sure it doesn't exist in the identity backend, and then forcibly removes any role assignments that user has.