In a large implementation, there can be many users each having some level of access to a shared pool of resources. Not all users need that much access though and there are cases where access must be restricted further. V3 introduces policies and that works for restricting access to certain capabilities (only a user with the role "admin" or group "foo" can create server in nova, etc). Policies bloat up though if they need to get down the resource level (only joe can delete server "ABC").
This session is to discuss possible solutions to provide fine-grained access control to OpenStack services