Comment 9 for bug 1545732

Travis Tripp (travis-tripp) wrote :

Stuart, there are some nuances to this whole scenario that are tricky. From a pure security perspective, owner is better than owner or admin, because I thought that under v2 Keystone you are an admin no matter what project you are an admin for. But if we can assert that in general you trust other admins to do the right thing, then this rule works and isn't that different than how most projects treat admin. The only reason I brought up the protected thing (which does deviate from images and therefore is a point of confusion) is that I may own a set of properties, and whether or not I actually want to let regular users from other projects add tags or properties may not always be a static rule, and you could control spamming via the protected. However, since we don't have sharing like images, this might just be a bad idea. This starts getting more theoretical, though, so perhaps it is better to go with a sensical, simpler rule now, and owner or admin makes quite a bit of sense.