Hello, I'm trying to understand if this is feasible: I would like to avoid a regular user from tampering the "default" security group of a project. Specifically I would like to prevent him from deleting sg rules *from the default sg only* I can wite a policy.yaml like this # Delete a security group rule # DELETE /security-group-rules/{id} # Intended scope(s): project "delete_security_group_rule": "role:project_manager and project_id:%(project_id)s" but this is sub-optimal since the regular member can still *add* rules... Is it possible to create a rule like "sg_is_default" : ...the sg group whose name is 'default' so I can write "delete_security_group_rule": "not rule:sg_is_default" ? Thanks! Paolo -- Paolo Emilio Mazzon System and Network Administrator paoloemilio.mazzon[at]unipd.it PNC - Padova Neuroscience Center https://www.pnc.unipd.it Via Orus 2/B - 35131 Padova, Italy +39 049 821 2624