Comment 3 for bug 1895848

Apologies, I wasn't aware that it was possible to update the ACLs for an existing secret through the Barbican API:

https://docs.openstack.org/barbican/latest/api/reference/acls.html#patch-v1-containers-uuid-acl

I've added an item to the PTG agenda to discuss using this to enable admin only move operations:

https://etherpad.opendev.org/p/nova-wallaby-ptg