- make sure that instance creation/manipulation is restricted to projectadmins
- make sure trove-dashboard displays the appropriate panels based on user role
Some of this might require upstream patches; it's not clear to me that Trove uses the shared oslo policy code correctly.