From ad13367fdf907531ae463715ee7dbbed313ab830 Mon Sep 17 00:00:00 2001
From: Ghanshyam
Date: Thu, 8 May 2025 15:08:08 -0700
Subject: [PATCH] Remove SYSTEM scoped alias for RBAC

System scoped has been dropped form the heat policies - I943b3c1ce021cc05445b73fbc342b8386cf5bf6a but its aliais are not removed. Clean up them to avoid any confusion of using system scope rules.

Change-Id: Ic909dd5d4b5eaefbfe93aee7a07bd1654dac1075
---
 heat/policies/base.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/heat/policies/base.py b/heat/policies/base.py
index 3aef7ec2f3..6d27b2d894 100644
--- a/heat/policies/base.py
+++ b/heat/policies/base.py
@@ -19,8 +19,6 @@ RULE_DENY_EVERYBODY = 'rule:deny_everybody'
 RULE_ALLOW_EVERYBODY = 'rule:allow_everybody'
 
 # Check strings that embody common personas
-SYSTEM_ADMIN = 'role:admin and system_scope:all'
-SYSTEM_READER = 'role:reader and system_scope:all'
 PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
 PROJECT_READER = 'role:reader and project_id:%(project_id)s'
 
@@ -44,8 +42,7 @@ rules = [
 policy.RuleDefault(
 name="context_is_admin",
 check_str=(
- "(role:admin and is_admin_project:True) OR "
- "(" + SYSTEM_ADMIN + ")"
+ "(role:admin and is_admin_project:True)"
 ),
 description="Decides what is required for the 'is_admin:True' check "
 "to succeed."),
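Review bot: With the `SYSTEM_ADMIN` alternative removed, the `context_is_admin` check string in the second hunk rests entirely on `role:admin and is_admin_project:True`, and nothing beside the rule says what that condition means for a deployment. As far as I know `is_admin_project` is reported as true for every token when Keystone has no admin project configured, so the rule can then match `role:admin` in any project; that should be confirmed and stated in a comment above the rule, e.g. `# NOTE: is_admin_project defaults to True when keystone sets no admin project, so this can match role:admin in any project.` The outer parentheses in the remaining string are now redundant, so `check_str="role:admin and is_admin_project:True",` would read more plainly. Deleting the two constants in the first hunk also breaks any module that still references `base.SYSTEM_ADMIN` or `base.SYSTEM_READER`; the other policy files are not visible here, so a search for remaining uses is advisable before merge. The `rules` list begins before and continues after the hunk.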