Until keystone defaults
``keystone.conf [oslo_policy] enforce_scope=True`` we really should
make sure we explicitly declare a system specific scope check in the
new system policies.

This is important because it prevents an authoritative regression when
operators upgrade. For example, if the identity:get_domain's current
check string is `rule:admin_require` and it's deprecated to be
`role:reader` with enforce_scope=True, then we've successfully exposed
more functionality to system users who have enforce_scope set to True.
If they don't, which is likely since enforce_scope defaults to False,
then it is possible for users with the reader role on a project to
access an API that was traditionally meant for only system
administrators. This is because oslo.policy will OR the old default
and the new default on upgrade to smooth the transition.

Note that the explicit scope checks in the actual check strings should
be removed once keystone sets enforce_scope = True by default. Until
then, we'll need to have something like this from opening up
administrative APIs.

Change-Id: I0e1f55dc6c18437b3356f9a2facfc95ecd1864e0
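
The upgrade behaviour described in the commit message, as an added example (not keystone or oslo.policy code): a simplified model of check-string evaluation in which the old and new defaults are ORed and scope is only rejected when `enforce_scope` is on. The `check`, `authorize` and `outcomes` helpers, the `role:admin` stand-in for the old default, and the sample credentials are assumptions made for illustration.

```python
# Simplified model of check-string evaluation; not oslo.policy itself.

def check(check_str, creds):
    """Evaluate 'a and b or c' style strings (no parentheses) against creds."""
    def atom(term):
        kind, _, value = term.strip().partition(":")
        if kind == "role":
            return value in creds.get("roles", [])
        if kind == "system_scope":
            return creds.get("system_scope") == value
        raise ValueError(f"unsupported check: {term!r}")
    return any(all(atom(t) for t in clause.split(" and "))
               for clause in check_str.split(" or "))

def authorize(new_default, deprecated_default, creds, enforce_scope,
              scope_types=("system",)):
    """Model the deprecation window: scope gate first, then old OR new."""
    token_scope = "system" if creds.get("system_scope") else "project"
    if enforce_scope and token_scope not in scope_types:
        return False  # scope mismatch is rejected before check strings run
    # With enforce_scope off, a mismatch is tolerated and only the
    # ORed check strings decide the outcome.
    return check(new_default, creds) or check(deprecated_default, creds)

OLD = "role:admin"  # constructed stand-in for the old admin-only default
NEW_UNSCOPED = "role:reader"
NEW_SCOPED = "role:reader and system_scope:all"

# Constructed sample credentials
CREDS = {
    "project_reader": {"roles": ["reader"], "project_id": "p1"},
    "system_reader": {"roles": ["reader"], "system_scope": "all"},
    "project_admin": {"roles": ["admin"], "project_id": "p1"},
}

def outcomes(new_default, enforce_scope):
    """Return {credential name: allowed?} for one policy configuration."""
    return {name: authorize(new_default, OLD, creds, enforce_scope)
            for name, creds in CREDS.items()}

if __name__ == "__main__":
    for new in (NEW_UNSCOPED, NEW_SCOPED):
        for enforce in (False, True):
            print(f"{new!r:36} enforce_scope={enforce}: {outcomes(new, enforce)}")
```

With `enforce_scope=False`, only the check string carrying the explicit `system_scope:all` term keeps the project-scoped reader out, while the project admin still passes through the ORed old default as before the upgrade.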