We have to ensure that only certain users or groups can be assigned to the "Project Admin" role. Therefore we need a mechanism to restrict that. At the moment Workspace Managers can assign any user / group to any role, e.g. you could have a group "MyApp-Project-Reader" and assign it to the role "Project-Admin".