I mean that you can't really have multiple people, from multiple teams, accessing the same infra with different types of rights and with centrally managed authentication/authorization/logging.
That's exactly what libvirt lets you do. It uses policykit to handle the authorization, cockpit doesn't change that and still requires you to use policykit to control who has access to what.
