| context_is_admin: 'role:admin or role:administrator' |
| 'compute:create': 'rule:admin_or_owner' |
| 'compute:create:attach_network': |
| 'volume:delete': 'rule:admin_or_owner' |
| create_subnet: 'rule:admin_or_network_owner' |
| 'get_network:queue_id': 'rule:admin_only' |
| publicize_image: "role:admin" |
| admin_or_token_subject: 'rule:admin_required or rule:token_subject' |
| context_is_admin: 'role:admin and is_admin_project:True' |
| deny_stack_user: 'not role:heat_stack_user' |
| 'cloudformation:ValidateTemplate': 'rule:deny_everybody' |
| 'cloudformation:DescribeStackResources': |
| segregation: 'rule:context_is_admin' |
| 'telemetry:get_resource': |