Description of problem:
As discussed on this upstream RFE [1], there is currently no way to share a security group between projects in a read-only way. This would be useful for customers who want to centralize rules, but avoid members of target projects from adding or deleting rules on these shared security groups.

Version-Release number of selected component (if applicable):
RHOSP 16.x

How reproducible:
Reproducible following steps to create an "access_as_shared" (RW) security group as documented on this KCS [2] (pending formal product documentation as described on this BZ [3]).

Steps to Reproduce:
See KCS [2]

Actual results:
Any security group shared as described on [2] can be modified (rules added or deleted) by members/admins of the target projects to which it is being shared.

Expected results:
A customer can share a security group as RO, in which users/admins of the target tenants can make use of the shared security group, but not add or delete rules on it.

Additional info:
[1] https://bugs.launchpad.net/neutron/+bug/1875516
[2] https://access.redhat.com/solutions/6275121
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1995461