diff --git a/components/site-workflows/sensors/sensor-keystone-automation-user-upsert.yaml b/components/site-workflows/sensors/sensor-keystone-automation-user-upsert.yaml
index a1230dc9a..13571c680 100644
--- a/components/site-workflows/sensors/sensor-keystone-automation-user-upsert.yaml
+++ b/components/site-workflows/sensors/sensor-keystone-automation-user-upsert.yaml
@@ -61,6 +61,9 @@ spec:
                               tenant-readwrite)
                                 openstack role add --user "${SVC_ID}" --domain default --inherited member
                                 ;;
+                              tenant-admin)
+                                openstack role add --user "${SVC_ID}" --domain default admin
+                                ;;
                               infra-read)
                                 openstack role add --user "${SVC_ID}" --project-domain infra --project baremetal reader
                                 ;;
diff --git a/docs/deploy-guide/openstack-automation-users.md b/docs/deploy-guide/openstack-automation-users.md
index 6087b54e7..2be326136 100644
--- a/docs/deploy-guide/openstack-automation-users.md
+++ b/docs/deploy-guide/openstack-automation-users.md
@@ -15,6 +15,7 @@ Possible roles are:
 
 - `tenant-read` which allows read access to tenant resources
 - `tenant-readwrite` which allows read and write access to tenant resources
+- `tenant-admin` which has full admin access to tenant resources, including project creation
 - `infra-read` which allows read access to infrastructure resources
 - `infra-readwrite` which allows read and write access to infrastructure resources