Comment 2 for bug 1917469

This would however require all users who manage openstack images to be admin in glance.

In our case we have a regular job that pulls the latest ubuntu/debian/centos images and publishes then in glance using the workflow outlined above.
This job is run with a user that is a normal member of a normal project. It's only special permission is "publicize_image" that is applied by using a custom role.

Your suggestion would require the usage of a user who gets unrequired access to all other images and who could also modify them.

Also per default the deactivation and reactivation of a image is not an admin task and can be done by any normal user.