Compute Resource Granular RBAC?

Problem:
We utilize the “VMWare” compute resource for our builds. We also dole out “edit host” and “edit parameter” to various hostgroups via roles, to allow various operations groups to set parameters on “thier hosts”
We recently discovered that with edit host, comes the ability to edit “everything” up to and including disk/cpu/memory. We fcound this out the “hard way” when someone bumped their RAM “too much”

I know i “could” disassociate the VM - but hten i lose the ability to power/console - which our ops guys DO use.

We want to restrict just “compute resource edits” but im not seeing privs that go that granular?

Maybe im just looking for confirmation on what im seeing (edit is all or nothing) or maybe there is another role/priv combination way to restrict this further?

We don’t have such a level of granularity, given each compute resource has difference capabilities, this would be harder to do but generally doable I think. Perhaps the easier way would be something like limiting what compute profiles people can use and forbid further customization.

If this will be implemented in the future, this would probably still be on Foreman application level, Foreman app would still have permissions to do any changes, so a vulnerability in Foreman permission system could allow user to take the full control of the VM editting.