[libvirt] ACLs for libvirt

Hi all, I'd like to implement this new feature for libvirt. However, I think we should settle down on design first. My biggest concern is choosing the right level on on which ACLs will be implemented. Should be interested only in (user, API), or with more granularity (user, API, API's parameters)? Or should we take the RBAC path? How should we even identify and authorize users? My initial though is to create framework which can be used then to implement ACLs on any level we want. What's our opinion? Michal