diff --git a/cinder/context.py b/cinder/context.py
index cd375d2b212..08274fe76fe 100644
--- a/cinder/context.py
+++ b/cinder/context.py
@@ -102,7 +102,7 @@ class RequestContext(context.RequestContext):
 # when policy.check_is_admin invokes request logging
 # to make it loggable.
 if self.is_admin is None:
- self.is_admin = policy.check_is_admin(self.roles)
+ self.is_admin = policy.check_is_admin(self.roles, self)
 elif self.is_admin and 'admin' not in self.roles:
 self.roles.append('admin')
diff --git a/cinder/policy.py b/cinder/policy.py
index 02dc263f2b2..551f11128c0 100644
--- a/cinder/policy.py
+++ b/cinder/policy.py
@@ -70,9 +70,11 @@ def enforce(context, action, target):
 action=action)
-def check_is_admin(roles):
- """Whether or not roles contains 'admin' role according to policy setting.
+def check_is_admin(roles, context=None):
+ """Whether or not user is admin according to policy setting.
+ Can use roles or user_id from context to determine if user is admin.
+ In a multi-domain configuration, roles alone may not be sufficient.
 """
 init()
@@ -81,6 +83,11 @@ def check_is_admin(roles):
 # attempts to apply. Since our credentials dict does not include a
 # project_id, this target can never match as a generic rule.
 target = {'project_id': ''}
- credentials = {'roles': roles}
+ if context is None:
+ credentials = {'roles': roles}
+ else:
+ credentials = {'roles': context.roles,
+ 'user_id': context.user_id
+ }
 return _ENFORCER.enforce('context_is_admin', target, credentials)
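Review bot: The new call hands `self` to `check_is_admin`, which on the policy.py side reads `context.user_id` and `context.roles`, so this line now depends on `self.user_id` having been assigned earlier in the constructor; the enclosing `__init__` starts outside the hunk, so that ordering should be confirmed (the `elif` branch only shows `self.roles` is a list here). Because the policy side discards the `roles` argument whenever a context is supplied, the first argument is effectively dead at this call site; `self.is_admin = policy.check_is_admin(self.roles, context=self)` would at least make the keyword explicit for readers.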
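Review bot: The rewritten docstring does not say what `context` is or that, when it is given, the `roles` argument is not consulted at all, which is the behaviour the body of this function now has. I would add parameter documentation along the lines of `:param roles: list of role names; only consulted when context is None` and `:param context: optional RequestContext; when given its roles and user_id are passed to the policy engine instead of roles`. The function body continues in the next hunk, so the docstring is the only place a caller learns about this precedence.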
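Review bot: In the `else` branch the explicit `roles` argument is silently replaced by `context.roles`; the one caller in context.py passes the same list twice so it happens to agree, but any caller supplying a distinct roles list gets an answer for a different principal than the one it asked about, and the shape of `credentials` now depends on the call form, so a `context_is_admin` rule that references `user_id` evaluates against a missing key for legacy callers. Building the dict additively keeps the documented `roles` parameter authoritative and only enriches it: `credentials = {'roles': roles}` / `if context is not None:` / `credentials['user_id'] = context.user_id`. As a style point, the dangling `}` on its own line after `'user_id': context.user_id` is unusual for this file and would go if the dict is built that way.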