Sharing Foreman with other groups

I think this is more a Puppet question, but since I am using Foreman as an
ENC, I figure I would ask here.

We are thinking about turning over systems to the app teams after they are
built. For example, the sysadmins install the OS and, using Foreman ENC, a
set of Puppet classes is applied to the host. Then we turn over to the App
team; they would then apply their Puppet classes to the system. This can
even be simplified, where we could create hostgroups, assign them to an
organization and allow users to build their own host.

What I can't seem to get past is how to prevent the app team from
overwriting or creating Puppet classes that do things at the sysadmin
level. Do I run multiple agents on each host, one privileged, the other not?
How to share Foreman or Puppet with privileged and unprivileged teams?