Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/prerequisite-user-role-assignment.

Description:

In openstack, the admin can assign a set of roles to users when they are added to a project . For instance, admin creates a user  Alice , adds Alice to project DEMO and assign "member" role to Alice. Later on, admin can add more roles or delete roles from Alice. However, roles are usually dependent on each other. In other words, in order to assign one role to a user, the user must be currently in several prerequisite roles (e.g., in order to assign Alice to "manager" role, Alice must be currently assigned with "areaDirector" role). Similarly, conflict roles prevent admin to assign those roles to users at the same time (e.g., If the admin wants to assign Alice to "manager" role, Alice should NOT be currently assigned with any roles in {"director", "DeptLeader"}).
Those restrictions are useful in conflict handling and is currently not provided in Openstack. Since role creating has been provided, this proposal provides the mechanism (GUI ) to specify dependencies and conflicts among globally created roles in each project. That means, there could be different restrictions different projects. When admin assigns roles to users, those restrictions are enforced. 

Specification URL (additional information):

None