Usually for this kind of tasks you should modify policy.json file for the specific service. In your case I think you should change security_groups directives in your /etc/nova/policy.json file.