[ovirt-users] Roles and Permissions and Inheritance

Is there a way to prevent Roles Assigned to Groups on Objects to only apply to where it is set? Basically looking for a way to do what we had done in VMWare which involved using the do not propagate permission setting. be able Seems to me that right now there is no way to set this so if i give access to something at the top level of a DC those accesses wlll overide if i then explcitly set another role and permission on an object underneath Lets take as a concrete example the ovirtmgmt network. I do not want users in the engine to be able to place VMs on this (but i want the Superusers to be able to still) How can i accomplish this with the way roles and permissions work with Ovirt? thanks! Brian