It was decided some time ago that allowing system-members the ability
to do certain things that system-readers can't do, but not as much as
system-admins, isn't really all that helpful.

Unfortunately, the credential API was one of the first APIs we
migrated to formally adopting scope types and default roles. The
credential update policy was still allowing system-members to access
it, despite us deciding against it.

This commit updates the policy to be consistent with the patterns we
use for default roles across the rest of keystone's API.

Change-Id: If11ded59cb191a4d8bf531689b8827c3bfbb39fa