Roles, permissions


I want to enable users to put their 'own' client into config groups.
Therefore the user needs, among others, the permission edit_hosts (with
a filter). That, on the other hand, allows the user to change other
attributes, like the host name. Is there a way to have more fine-grained
permissions for this use case? Or do I have to use a proxy web service
in front of Foreman, that the client talks to and that filters the
requests of the client?