Description of problem:
It could be problematic if admins can run virsh destroy/undefine on ComputeNodes outside of Nova, since that may cause state to get messed up between ComputeNodes and Nova.
So it might be desirable to make libvirt connections read-only for all users except for Nova.
This should be optional though. Some users may want their admins to have virsh access to VMs even despite the risks.
I think that this is something we should not do. RHEV made libvirt inaccessible to the root user and it has been a total PITA for anyone logging into a box to troubleshoot the system.
If a person has been given root they are all powerful and know they should be careful. We don't need to add child-locks to their account wrt libvirt, which ultimately don't achieve anything besides annoyance for people who need access.