Restrict permissions management to project admins


I would like to suggest a new feature based on this topic: "Disable project permissions management for non system admins".

Our case is the following:

  • We’re a big organization running hundreds of projects for different clients
  • Clients should not be aware of each other, meaning they should not be able to see other clients' projects or guess which other clients exist from other users' email addresses
  • Clients can be promoted to project admins
  • Project admins need the ability to manage project-level settings on their own

The problem

  • Project admins can manage permissions on their projects, meaning:
      ◦ they can see other users
      ◦ they can make a project public
      ◦ they can give permissions to the wrong groups by accident

If we could restrict the project admin role from managing project permissions, so that only a global admin can do that, it would solve our problem. Moreover, if there were some kind of role constructor that allows you to change the default behavior of the project administrator role by assigning different permissions, that would make the security area of SonarQube more flexible.
For example, Browse Project is certainly a permission, while Project Admin looks more like a role, meaning it can have multiple permissions assigned. Eventually this means it could be possible to define your own, more granular logical roles.

Current workaround
We don’t have much choice now but to restrict access to the permissions management page on a reverse proxy from some IP addresses.
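
A sketch of the reverse-proxy workaround described above, as an added example that is not part of the original post or of SonarQube's own configuration. It assumes nginx in front of SonarQube at the root context path; the admin networks, host name, certificate paths and upstream address are placeholders, and the listed paths (the `/project_roles` page, `/api/permissions/` and `/api/projects/update_visibility`) are assumptions to check against the Web API documentation of your SonarQube version.

```nginx
# Constructed example. All addresses, names and file paths are placeholders.

# 1 = request comes from a network allowed to manage permissions.
# geo matches on $remote_addr, so nginx must see the real client address
# (terminate TLS here, or configure the realip module behind a load balancer).
geo $perm_admin_net {
    default        0;
    10.20.0.0/24   1;   # placeholder: global admins' network
    192.0.2.10     1;   # placeholder: a single admin workstation
}

upstream sonarqube {
    server 127.0.0.1:9000;   # placeholder upstream
}

server {
    listen 443 ssl;
    server_name sonar.example.internal;            # placeholder
    ssl_certificate     /etc/nginx/tls/sonar.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/sonar.key;  # placeholder

    # Blocking only the UI page is not enough: the web UI can route to it
    # client-side, and the same actions are reachable directly through the
    # Web API. Cover the API calls behind each concern in the post:
    #   /api/permissions/                 list users/groups, grant or revoke
    #   /api/projects/update_visibility   make a project public
    location ~ ^/(project_roles|api/permissions/|api/projects/update_visibility) {
        if ($perm_admin_net = 0) {
            return 403;
        }
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://sonarqube;
    }

    # Everything else passes through unchanged.
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://sonarqube;
    }
}
```

This limits where the calls can come from, not who makes them: a project admin on an allowed network can still change permissions, and SonarQube must not be reachable by any path that bypasses the proxy.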