author Ben Nemec <bnemec@redhat.com> 2020-01-15 18:02:35 +0000
committer Ben Nemec <bnemec@redhat.com> 2020-01-15 18:02:35 +0000
commit 30f5df1b8c4f80ef5685882674aa3faf424f22e3
tree 5b314adcafd1206f000a033e4875f4368abe5245 /doc
parent e49b2ae61275eac8219f1a096be0ae9b5aa79f5d
Link to the Keystone role documentation

The oslo.policy docs on writing custom policy checks use things like the admin role without explaining where it comes from. This change adds a link to the Keystone docs that explain which roles are created by default and what they provide access to.

Change-Id: I70c01ad88344edd2db384da8b24ba0238764a8ec

Diffstat (limited to 'doc')
-rw-r--r-- doc/source/admin/policy-json-file.rst 4
-rw-r--r-- doc/source/admin/policy-yaml-file.rst 4
2 files changed, 8 insertions, 0 deletions

diff --git a/doc/source/admin/policy-json-file.rst b/doc/source/admin/policy-json-file.rst
index 8d918d8..b0c3b96 100644
--- a/doc/source/admin/policy-json-file.rst
+++ b/doc/source/admin/policy-json-file.rst
@@ -76,6 +76,10 @@ administrators can create new users in the Identity database:
"identity:create_user" : "role:admin"
+.. note:: ``admin`` is a built-in default role in Keystone. For more
+ details and other roles that may be available, see the
+ `Keystone documentation on default roles. <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html>`_
+
You can limit APIs to any role. For example, the Orchestration service
defines a role named ``heat_stack_user``. Whoever has this role is not
allowed to create stacks:
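
Review bot: The full stop after "default roles" on the last added line sits inside the hyperlink text, so it renders as part of the link; move it to after the closing backtick-underscore so the sentence ends outside the reference. The target also points at the ``latest`` Keystone docs, so a copy of this page built for an older release would describe whatever roles the newest Keystone ships; consider whether that is the intended reference for an operator writing ``role:admin`` rules.
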
diff --git a/doc/source/admin/policy-yaml-file.rst b/doc/source/admin/policy-yaml-file.rst
index 0018f8a..1cef8fe 100644
--- a/doc/source/admin/policy-yaml-file.rst
+++ b/doc/source/admin/policy-yaml-file.rst
@@ -71,6 +71,10 @@ administrators can create new users in the Identity database:
"identity:create_user" : "role:admin"
+.. note:: ``admin`` is a built-in default role in Keystone. For more
+ details and other roles that may be available, see the
+ `Keystone documentation on default roles. <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html>`_
+
You can limit APIs to any role. For example, the Orchestration service
defines a role named ``heat_stack_user``. Whoever has this role is not
allowed to create stacks:
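
Review bot: Duplicated text: the three added note lines are word for word the ones added to policy-json-file.rst, so the two copies can drift when only one is edited; consider a shared snippet pulled in with an include directive. The trailing context goes straight on to ``heat_stack_user``, which the text says is defined by the Orchestration service, so a few words in the note saying that roles like that one come from the service rather than from Keystone's defaults would keep readers from assuming every role in a policy rule is built in.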