At least in Newton you had to create a new role, and create a new policy.json for each service (nova, neutron, glance, and so on) for that role, and assign user to that group.

but in Queens , I saw it was looking like working, and itm ight have something like that by default (I mean role).