diff --git a/environments/kolla/files/overlays/keystone/policy.yaml b/environments/kolla/files/overlays/keystone/policy.yaml
new file mode 100644
index 00000000..8e5c5944
--- /dev/null
+++ b/environments/kolla/files/overlays/keystone/policy.yaml
@@ -0,0 +1,70 @@
+# classify domain managers with a special role
+"is_domain_manager": "role:domain-manager"
+
+# specify a rule that whitelists roles which domain admins are permitted
+# to assign and revoke within their domain
+"is_domain_managed_role": "'member':%(target.role.name)s"
+
+# allow domain admins to retrieve their own domain
+"identity:get_domain": "(rule:is_domain_manager and token.domain.id:%(target.domain.id)s) or rule:admin_required"
+
+# list_domains is needed for GET /v3/domains?name=... requests
+# this is mandatory for things like
+# `create user --domain $DOMAIN_NAME $USER_NAME` to correctly discover
+# domains by name
+"identity:list_domains": "rule:is_domain_manager or rule:admin_required"
+
+# list_roles is needed for GET /v3/roles?name=... requests
+# this is mandatory for things like `role add ... $ROLE_NAME`` to correctly
+# discover roles by name
+"identity:list_roles": "rule:is_domain_manager or rule:admin_required"
+
+# get_role is needed for GET /v3/roles/{role_id} requests
+# this is mandatory for the OpenStack SDK to properly process role assignments
+# which are issued by role id instead of name
+"identity:get_role": "(rule:is_domain_manager and rule:is_domain_managed_role) or rule:admin_required"
+
+# allow domain admins to manage users within their domain
+"identity:list_users": "(rule:is_domain_manager and token.domain.id:%(target.domain_id)s) or rule:admin_required"
+"identity:get_user": "(rule:is_domain_manager and token.domain.id:%(target.user.domain_id)s) or rule:admin_required"
+"identity:create_user": "(rule:is_domain_manager and token.domain.id:%(target.user.domain_id)s) or rule:admin_required"
+"identity:update_user": "(rule:is_domain_manager and token.domain.id:%(target.user.domain_id)s) or rule:admin_required"
+"identity:delete_user": "(rule:is_domain_manager and token.domain.id:%(target.user.domain_id)s) or rule:admin_required"
+
+# allow domain admins to manage projects within their domain
+"identity:list_projects": "(rule:is_domain_manager and token.domain.id:%(target.domain_id)s) or rule:admin_required"
+"identity:get_project": "(rule:is_domain_manager and token.domain.id:%(target.project.domain_id)s) or rule:admin_required"
+"identity:create_project": "(rule:is_domain_manager and token.domain.id:%(target.project.domain_id)s) or rule:admin_required"
+"identity:update_project": "(rule:is_domain_manager and token.domain.id:%(target.project.domain_id)s) or rule:admin_required"
+"identity:delete_project": "(rule:is_domain_manager and token.domain.id:%(target.project.domain_id)s) or rule:admin_required"
+"identity:list_user_projects": "(rule:is_domain_manager and token.domain.id:%(target.user.domain_id)s) or rule:admin_required"
+
+# allow domain managers to manage role assignments within their domain
+# (restricted to specific roles by the 'is_domain_managed_role' rule)
+#
+# project-level role assignment to user within domain
+"is_domain_user_project_grant": "token.domain.id:%(target.user.domain_id)s and token.domain.id:%(target.project.domain_id)s and rule:is_domain_managed_role"
+# project-level role assignment to group within domain
+"is_domain_group_project_grant": "token.domain.id:%(target.group.domain_id)s and token.domain.id:%(target.project.domain_id)s and rule:is_domain_managed_role"
+# domain-level role assignment to group
+"is_domain_level_group_grant": "token.domain.id:%(target.group.domain_id)s and token.domain.id:%(target.domain.id)s and rule:is_domain_managed_role"
+# domain-level role assignment to user
+"is_domain_level_user_grant": "token.domain.id:%(target.user.domain_id)s and token.domain.id:%(target.domain.id)s and rule:is_domain_managed_role"
+"domain_manager_grant": "rule:is_domain_manager and (rule:is_domain_user_project_grant or rule:is_domain_group_project_grant or rule:is_domain_level_group_grant or rule:is_domain_level_user_grant)"
+"identity:check_grant": "rule:domain_manager_grant or rule:admin_required"
+"identity:list_grants": "rule:domain_manager_grant or rule:admin_required"
+"identity:create_grant": "rule:domain_manager_grant or rule:admin_required"
+"identity:revoke_grant": "rule:domain_manager_grant or rule:admin_required"
+"identity:list_role_assignments": "(rule:is_domain_manager and token.domain.id:%(target.domain_id)s) or rule:admin_required"
+
+# allow domain managers to manage groups within their domain
+"identity:list_groups": "(rule:is_domain_manager and token.domain.id:%(target.group.domain_id)s) or rule:admin_required"
+"identity:get_group": "(rule:is_domain_manager and token.domain.id:%(target.group.domain_id)s) or rule:admin_required"
+"identity:create_group": "(rule:is_domain_manager and token.domain.id:%(target.group.domain_id)s) or rule:admin_required"
+"identity:update_group": "(rule:is_domain_manager and token.domain.id:%(target.group.domain_id)s) or rule:admin_required"
+"identity:delete_group": "(rule:is_domain_manager and token.domain.id:%(target.group.domain_id)s) or rule:admin_required"
+"identity:list_groups_for_user": "(rule:is_domain_manager and token.domain.id:%(target.user.domain_id)s) or rule:admin_required"
+"identity:list_users_in_group": "(rule:is_domain_manager and token.domain.id:%(target.group.domain_id)s) or rule:admin_required"
+"identity:remove_user_from_group": "(rule:is_domain_manager and token.domain.id:%(target.group.domain_id)s and token.domain.id:%(target.user.domain_id)s) or rule:admin_required"
+"identity:check_user_in_group": "(rule:is_domain_manager and token.domain.id:%(target.group.domain_id)s and token.domain.id:%(target.user.domain_id)s) or rule:admin_required"
+"identity:add_user_to_group": "(rule:is_domain_manager and token.domain.id:%(target.group.domain_id)s and token.domain.id:%(target.user.domain_id)s) or rule:admin_required"
diff --git a/releasenotes/notes/domain-manager-policy-5ecb0bf8a6df4be0.yaml b/releasenotes/notes/domain-manager-policy-5ecb0bf8a6df4be0.yaml
new file mode 100644
index 00000000..0a8ad22f
--- /dev/null
+++ b/releasenotes/notes/domain-manager-policy-5ecb0bf8a6df4be0.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The policy of the domain-manager role from SCS standard 0302 v1 was added in the Keystone service.
+    More details on the domain-manager role:
+    https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0302-v1-domain-manager-role.md