author: Lance Bragstad <lbragstad@gmail.com> 2021-01-13 17:34:00 +0000
committer: Lance Bragstad <lbragstad@gmail.com> 2021-01-13 17:34:00 +0000
commit: 876ee4b01a712c407f2d78e0ced80d360ba95b22 (patch)
tree: 367465f7de02debe05295e1482444ea8711bc79f
parent: 1c3131c6dcd10a4e4e82f86a55f26d2498799b6d (diff)
download: keystone-876ee4b01a712c407f2d78e0ced80d360ba95b22.tar.gz
Add details to bootstrap docs for system role assignments

In Queens we added support for `keystone-manage bootstrap` to populate a system admin role assignment: I6b7196a28867d9a699716c8fef2609d608a5b2a2

The end-user/deployer facing documentation doesn't mention this though and it should because it ensures deployers have a user for system-level APIs.

Change-Id: I07616c1470cd89130250cc89635a508f48c2be06
-rw-r--r--  doc/source/admin/bootstrap.rst  10
1 files changed, 6 insertions, 4 deletions
diff --git a/doc/source/admin/bootstrap.rst b/doc/source/admin/bootstrap.rst
index 51142b370..888ab6112 100644
--- a/doc/source/admin/bootstrap.rst
+++ b/doc/source/admin/bootstrap.rst
@@ -73,10 +73,12 @@ Verbosely, keystone can be bootstrapped with:
--bootstrap-internal-url http://localhost:5000
This will create an ``admin`` user with the ``admin`` role on the ``admin``
-project. The user will have the password specified in the command. Note that
-both the user and the project will be created in the ``default`` domain. By not
-creating an endpoint in the catalog users will need to provide endpoint
-overrides to perform additional identity operations.
+project and the system. This allows the user to generate project-scoped and
+system-scoped tokens which ensures they have full RBAC authorization. The user
+will have the password specified in the command. Note that both the user and
+the project will be created in the ``default`` domain. By not creating an
+endpoint in the catalog users will need to provide endpoint overrides to
+perform additional identity operations.
This command will also create ``member`` and ``reader`` roles. The ``admin``
role implies the ``member`` role and ``member`` role implies the ``reader``
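Review bot: the added sentence "This allows the user to generate project-scoped and system-scoped tokens which ensures they have full RBAC authorization" (second and third `+` lines) claims more than the hunk documents and is missing a comma before "which": the text only describes project scope and system scope, so "full RBAC authorization" will read to deployers as covering every scope, including ones this paragraph never mentions. Suggest narrowing it to what the bootstrap assignments actually give, in line with the commit message's "a user for system-level APIs", e.g. "This allows the user to generate project-scoped and system-scoped tokens, so the bootstrap user can call both project-level and system-level APIs." It would also help the reader to say explicitly that it is the ``admin`` role that is assigned on the system, rather than leaving "and the system" to be inferred from the earlier "with the ``admin`` role on the ``admin`` project".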