Comment 18 for bug 1299146

Also, users does not actually contained within a tenant. Users are contained within a domain. User linked to a tenant/project via role assignment. For example, userX is granted the Operator role for tenantY. However, the way the ACL is structured today, role is not part of the consideration when creating a cross-tenant ACL. For example, grant read access to containerZ for anyone who as Reseller role for tenantY.