member can access to all services as well:
If a User Has the member
Role β What Can They Access?
π Access is determined by two things:
-
β What role the user has (e.g.,
member
,reader
,admin
) -
β In which project the role is granted
So, if a user has the member
role in a project β like:
That user:
-
β Can access any service as long as the service respects the
member
role -
β Does not need a separate user per service
member
Role
The member
role is intended for regular project users β like developers, operators, or end users who need to work with cloud resources.
β
What member
Can Do:
-
Launch/manage instances (Nova)
-
Create/delete volumes (Cinder)
-
Upload/download images (Glance)
-
Create/manage networks and ports (Neutron)
-
Access most features within the scope of their project
β What member
Cannot Do:
-
View or modify other projects
-
Create new users, roles, or trusts
-
Access system-level or admin-only API endpoints
-
Manage service-level configuration or quota overrides
-
See resources owned by other projects
πΉ admin
Role
The admin
role gives elevated privileges within a project and (depending on policy config) can also allow system-level administration.
β
What admin
Can Do:
Everything member
can do plus:
-
View/manage all resources in the project (regardless of owner)
-
Update quotas for the project
-
Access admin-only API extensions
-
Configure trusted images or flavors
-
Sometimes access cross-project or global data (depending on policy)
π₯ Optionally: System Scope
In newer OpenStack RBAC (if enabled), you can assign system-scoped admin role:
This gives the user full platform-level administrative privileges, across all projects.