The "under certain conditions" was to account for "the role must not have been granted to anyone on the tenant before".
Let's keep "may" but remove "under certain conditions" then:
=========================================
Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Products: Keystone
Affects: Grizzly, Havana
Description:
The IBM OpenStack test team reported a vulnerability in role change code within the Keystone LDAP backend. When a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using an LDAP backend are affected.
=========================================