Cloned from launchpad blueprint: https://blueprints.launchpad.net/keystone/+spec/domain-specific-roles Support the concept of domain specific roles that allows a domain administrators to better model the role usage, and map a role name that is meaningful to them onto global roles that are referenced in policy files.
So the OSP9 support in Keystone is there. What is missing is the CLI support. It was supposed to be done this release, but other priorities have bumped it. DOmains specific roles can be managed only via Curl or the Python API.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1245