Comment 4 for bug 1970932

Jeremy is correct, the work to get to a consistent role-based access control model is still being worked on across OpenStack.

The "admin" project and "admin" role have a special meaning with RBAC in keystone, it is indeed a cloud admin role regardless of what domain they exist under. This is part of the old behavior that keystone had worked off of and it's something that was left over to avoid breaking users policies. If you are wanting to have more granular access I recommend renaming the project/role to something other than "admin", for example "test-admin" should show more of the expected results.