Propagate enforcement to parent level rule
In some of nova api plugin, there is policy rule for each api, for example:
"os_
"os_
"os_
"os_
"os_
"os_
"os_
"os_
This provide good granularity for operator to configure each API. But when all the API have some permission, that looks like boring for operator.
If we propagate enforcement to parent level rule, then operator only configure one rule for all the APIs in the plugin, for aggregate case:
"os_
If operator want to assign different permission for one of APIs, the rule can wrote as below:
"os_
"os_
"os_compute_