Comment 3 for bug 1783659

Eric Miller (erickmiller) wrote:

I looked into this quite a bit tonight and it looks like this was a misunderstanding on my part of how a Domain Admin should be defined - specifically without a default project defined for the Domain Admin user. Correct me if I'm wrong, though.

It does not explain the difference I saw between Horizon's access controls and the OpenStack CLI, though.

This is an example of what I used to successfully create a Domain Admin account that does NOT have access to see other projects or domains:

# Run as Cloud Admin
domain create TestDomain
user create --domain TestDomain --password test TestDomainAdmin
role add --domain TestDomain --user TestDomainAdmin admin

I can then create a project with this user as well as a user associated with the project in the new domain:

# Run as Domain Admin - logged in using domain-scoped token with the OpenStackClient
# Must specify domain ID, not domain name (authorization error otherwise)?
project create --domain 492537d206754d0b9ccde50067df6d03 TestProject
project list --domain 492537d206754d0b9ccde50067df6d03
user create --domain 492537d206754d0b9ccde50067df6d03 --password test TestDomainUser
role add --domain 492537d206754d0b9ccde50067df6d03 --user e207992708c1426faa21779c730f73d1 _member_
role add --project 59c88317254044d6956b88255d16cc11 --user e207992708c1426faa21779c730f73d1 _member_

Eric
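
Added example, not part of the comment above: one way to check that a Domain Admin created this way holds no role assignment outside its own domain. It assumes rows shaped like the JSON output of `openstack role assignment list --names -f json`, with projects rendered as `name@domain`. The sample rows and the function names are constructed for illustration.

```python
import json

# Constructed sample rows. The field names and the name@domain rendering are
# an assumption about `openstack role assignment list --names -f json` output.
# The third row is a constructed stray assignment outside TestDomain.
SAMPLE = json.loads("""[
 {"Role": "admin", "User": "TestDomainAdmin@TestDomain", "Group": "",
  "Project": "", "Domain": "TestDomain", "System": "", "Inherited": false},
 {"Role": "_member_", "User": "TestDomainUser@TestDomain", "Group": "",
  "Project": "TestProject@TestDomain", "Domain": "", "System": "", "Inherited": false},
 {"Role": "admin", "User": "TestDomainAdmin@TestDomain", "Group": "",
  "Project": "admin@Default", "Domain": "", "System": "", "Inherited": false}
]""")


def scope_of(row):
    """Return (kind, owning_domain) for one assignment row."""
    if row.get("System"):
        return ("system", None)          # system scope is never inside a domain
    if row.get("Domain"):
        return ("domain", row["Domain"])
    if row.get("Project"):
        # Split on the last '@' so project names containing '@' still parse.
        _, sep, dom = row["Project"].rpartition("@")
        return ("project", dom if sep else None)
    return ("unknown", None)


def out_of_domain(rows, user, domain):
    """List (role, scope kind, target) for assignments of user outside domain.

    Rows whose owning domain cannot be determined are reported as well, so
    the check fails closed.
    """
    findings = []
    for row in rows:
        if row.get("User") != f"{user}@{domain}":
            continue
        kind, dom = scope_of(row)
        if dom != domain:
            target = row.get("Project") or row.get("Domain") or row.get("System")
            findings.append((row["Role"], kind, target))
    return findings


if __name__ == "__main__":
    for role, kind, target in out_of_domain(SAMPLE, "TestDomainAdmin", "TestDomain"):
        print(f"outside TestDomain: role={role} scope={kind} target={target}")
```
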