It was previously set that both SYSTEM and PROJECT READER could get
access to it. But this resource don't have project_id so PROJECT_READER
should be removed from that rule and only SYSTEM scope users should be
able to get it.
This patch also adds UT for policies for that API.
Related-blueprint: bp/secure-rbac-roles
Change-Id: Idfaf36c3dd003c9c5c1ce3f9ee889ba54643e831