I have thrown up some of my original ideas on RBAC separation on github, Described in the readme.md
https://github.com/rhatdan/docker-rbac Please review and tell me if you have other ideas. I guess we can carry the conversation via issues, this email or pull requests.