[libvirt] Shared desktop: grant permission to start/stop/pause/resume guests only

Hi all, for a shared desktop configuration, is there an option to grant the permission to start, stop, pause or resume the kvm guest only? User roles in shared desktop environment configuration: Power user - fully manage libvirt / KVM guests Regular user - start, stop, pause and resume libvirt / KVM guests In other words, we are looking for an opportunity to: a) prevent regular users from modifying the libvirt / kvm guest but b) enable them to start, stop, pause, resume libvirt / kvm guests Currently I see two options: a) No specific libvirt permission: Regular users cannot start a virtual guest (without help). If users forget to shutdown the kvm client and try to poweroff the Linux system, they are asked for an admin/management user password to stop the virtual machine. So they need help to shutdown their machine - not good. b) Enable libvirt manage via policy kit: "manage" permission can be granted via overruling the default org.libvirt.unix.manage policy kit action. The manage right enables to modify the libvirt / kvm guest, which is too much in our case. Is there an option to grant the start/stop/pause/resume permission only? Does libvirt offer this kind of granularity? Kind regards, Thorsten Hesemeyer