Right now the nova-admin and nova-observer users are added to every project via a keystone hook.
With Train we should be able to have cloud-wide role scopes; maybe we can just give those users cloud-wide permissions and omit all the messing around with specific project membership?