Administrator’s Guide

If you have been given admin privileges on either a Domain or a Project in Horizon, then this page is for you!

The OLRC uses a role-based access control model using Keystone V3 for providing authorization to domains and projects.

There are three roles:

  • admin: An administrator that can perform administrative operations such as creating projects and users. Inherits the member role.
  • member: A user with the member role will have read/write access to the containers within the project they are scoped to. Inherits the reader role.
  • reader: Same as member, but with read-only privileges.

Domain Administrators

A domain administrator has the permission to:

  • Create other domain administrators.
  • Create projects, groups and users.
  • Delete projects, groups and users.
  • Assign or revoke a user or group a role on any project.

When using Horizon, you must be using a project on which you also have the admin role. Change your project using the drop-down in the top left.

Project Administrators

A project administrator can:

  • Assign or revoke roles to/from users on projects they are an administrator of.

Create a project

  1. Select Identity → Projects in the left side-bar.
  2. Click “Create Project” in top-right.
  3. Give your project a name and optionally (but recommended) a description.
  4. You can optionally add users or groups to this project by selecting either “Project Members” or “Project Groups” respectively.

Create a user

  1. Select Identity → Users in the left side-bar.
  2. Click “Create User” in top-right.
  3. Fill in the blanks, and choose a Primary Project for this user. The Primary Project is required because Horizon always scopes your session to a specific project.
  4. Give the new user their username and password, and ask them to change their password on first login.


Groups are collections of users. They simplify user management, because you can assign a group to one or many projects. Then you simply have to add users to the group to give them that set of permissions.

Create a group
  1. Select Identity → Groups in the left side-bar.
  2. Click “Create Group” in top-right.
  3. Groups need only a name and description. We assign roles and add users later.
Add users to the group
  1. Select Identity → Groups in the left side-bar.
  2. Find the group in the group listing and click “Manage Members”.
  3. Click “Add Users”.
  4. Check all the users you want to add and click “Add Users” again.
Give a group a role on a project
  1. Select Identity → Projects in the left side-bar.
  2. Find the project in the project listing and select “Manage Members”.
  3. Click “Project Groups”.
  4. Click the + next to the groups you want to add and choose the appropriate role.