role based filtering for keys
diff --git a/plstackapi/core/admin.py b/plstackapi/core/admin.py
index 2365225..2ddc73b 100644
--- a/plstackapi/core/admin.py
+++ b/plstackapi/core/admin.py
@@ -181,13 +181,13 @@
     ]
     list_display = ['key', 'type', 'blacklisted', 'user']
 
-    def get_queryset(self, request):
-        # get keys user is allowed to see
-        qs = super(KeyAdmin, self).get_queryset(request)
-        if request.user.is_superuser:
-            return qs
-        # users can only see their own keys
-        return qs.filter(user=request.user)  
+    def queryset(self, request):
+        # admins can see all keys. Users can only see their own key.
+        if request.user.is_admin:
+            qs = super(KeyAdmin, self).queryset(request) 
+        else:
+            qs = Key.objects.filter(user=request.user)
+        return qs 
         
 class SliceAdmin(OSModelAdmin):
     fields = ['name', 'site', 'serviceClass', 'description', 'slice_url']
diff --git a/plstackapi/core/models/pluser.py b/plstackapi/core/models/pluser.py
index 6688cfe..d51572b 100644
--- a/plstackapi/core/models/pluser.py
+++ b/plstackapi/core/models/pluser.py
@@ -1,5 +1,6 @@
 import os
 import datetime
+from collections import defaultdict
 from django.db import models
 from plstackapi.core.models import PlCoreBase
 from plstackapi.core.models import Site
@@ -93,6 +94,19 @@
         # Simplest possible answer: Yes, always
         return True
 
+    def get_roles(self):
+        from plstackapi.core.models.site import SitePrivilege
+        from plstackapi.core.models.slice import SliceMembership
+
+        site_privileges = SitePrivilege.objects.filter(user=self)
+        slice_memberships = SliceMembership.objects.filter(user=self)
+        roles = defaultdict(list)
+        for site_privilege in site_privileges:
+            roles[site_privilege.site.login_base].append(site_privilege.role.role_type)
+        for slice_membership in slice_memberships:
+            roles[slice_membership.slice.name].append(slice_membership.role.role_type)
+        return roles   
+
     def save(self, *args, **kwds):
         if not hasattr(self, 'os_manager'):
             setattr(self, 'os_manager', OpenStackManager())