Comment 2 for bug 1508997

Could [1] extended to security groups be fit for your purpose? A simpler solution would be allow admin-owned security groups to be visible to tenants, but what's tricky here is overlapping IP support, but at the same time they should not be allowed to be edited.

[1] http://specs.openstack.org/openstack/neutron-specs/specs/liberty/rbac-networks.html

To be discussed at the drivers meeting.