Comment 3 for bug 1915308

Akihiro Motoki (amotoki) wrote :

I don't think it allows an attacker or malicious users to operate security groups. Even if horizon does not honor RBAC policies and shows create/delete buttons to GUI users, actual operations cannot be done because the policies are enforced by neutron. Users can see these buttons but actual operations would fail when calling the neutron API.
Thus, I think it is not a vulnerability but an improvement requirement of horizon UI. I agree that this can be public.