If you are willing to change every services policy file, then you can do it. Every service assumes any user with the role "admin" as superuser. Due to this "admin" in one service is by default "admin" in other service. As a first step you need to define "NovaAdmin" , "NeutronAdmin" and change the respective services policy file to use that role. This isolates one service's admin from becoming "admin" for another service.
What do you mean by restrict power at tenant level. All the service operations operate on tenant level except keystone operations. Do you have an example of any service operation which doesn't operate on tenant level?