The service type resource doesn't have "project_id", so using "PROJECT_*"
rules wasn't working fine.
And this resource should be available for all users, so this patch
switches its check_str to be "role:reader", which works for all
types of SYSTEM and PROJECT scope users.
Related-blueprint: bp/secure-rbac-roles
Change-Id: If28e70252c1f9ec76502699fad2d5a2aece8f4fb