Extended role based access via Keystone

Currently a function can either be private or public, meaning anyone in your project can manage the function via the API. Could this be extended to have Keystone roles for users in a project so only certain users can publish and manage functions but normal members of the project can only run the functions, essentially creating private shared functions within the project itself, this would be useful for example having a development team push out functions using their keystone users but having a service user execute the functions on behalf of the application, this way the application cannot edit the functions / break itself. Obviously this would need to be extensible in terms of how projects use them.