Here is a user story:

I have several groups of developers that will be using resources from a
pull. Each group will have it is own set of Kerberized services to
manage and deploy. I want developers to be able to create, modify,
delete or provision/deploy services they are appointed to manage but not
be able to modify other services that belong to other groups or are
constituting production environment that none of those groups should be
able to touch.

Thoughts on implementation:

services are structured per host and in our default ACIs we allow the host to manage all its services. If per-service management is needed, then service groups need to be added which will be spanning services across hosts. We have infrastructure for
that (managedBy attribute is multi-valued, ipaService object class can
have managedBy attribute), so the question is to provide a plugin that
handles these managedBy assignments according to some groups and then
create group-based permissions/privileges/roles.

Apart from the relatively simple plugin to allow manipulating managedBy
on ipaService object, the rest is there.