Policies do not support multi domain setups

Bug #1566985 reported by Bjoern
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

We see the demand rising in supporting multi domain setups in OpenStack to realize requests like "Customer wants admins per domain" etc.

It seems like we have to alter the policies for at least keystone as laid out at https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json and it would be beneficial to support that by default?

How's the project thinking about that idea?

Ian Cordasco (icordasc) wrote :

> How's the project thinking about that idea?

The individual projects? Keystone? oslo.policy? Which project?

Keystone has been talking about admin-ness not being properly scoped for a while. [1] Meanwhile, if you look up domains, there are good examples of using domains in a policy rule. [2]

Do you want OSA to configure multi-domain clouds with configuration and create admins per-domain? If so, you're asking that in a very roundabout manner and I'm not certain that's OSA's purpose (which is to deploy OpenStack). Yes, part of deploying OpenStack is to create the service users in Keystone, but it really doesn't go much further than that. Something extending OSA could do this work. I'm not convinced OSA needs to support this though (outside maybe allowing for domains to be created with its keystone library).

[1]: https://bugs.launchpad.net/keystone/+bug/968696
[2]: https://wiki.openstack.org/wiki/Domains

Bjoern (bjoern-t) wrote :

Keystone at first and most likely everywhere.
I'm primarily asking to roll out the policies around cloud-admin (as an example) to make the adoption easier.

Jesse Pretorius (jesse-pretorius) wrote :

The project provides the default policy files and has decided to do that to reduce technical debt carried. There are movements across OpenStack projects to adjust how the policies work and it would be best to participate in this process if you wish the defaults to change.

As this bug is written it implies that this is an OSA bug, but it is not a bug. This is implemented by design and the project provides facilities for the deployer to override the defaults. If anything I can see how a deployer may wish to copy their own whole policy files from the deployment host to the target host instead of using the config_override mechanism. I would support a request for that as a new feature.

Changed in openstack-ansible:
status: New → Won't Fix