When creating a new VO, super_root should create the root account and a corresponding identity for it. Super_root will also be able to add or update root identities later.
Force super_root to operate from the local machine by limiting access to the VO management REST endpoint
Administration within a specific VO (e.g. adding users) should be handled by root only – super_root should not have those permissions.
super_root should use the 'def' VO - and nothing else should be assigned to this VO in a multi-VO setup. We will have to be careful with this as 'def' is the default VO
User authentication to a specific VO. Super_root administration of VOs. Specific permissions for root and super_root.
These changes will form the second PR against the main Rucio fork. (Individual issues to be listed below.)