How to properly assign permissions to a Client's map-role scope

I’m trying to figure out a way to delegate Client management to each developer team, according to the applications each one is responsible for. So, let’s imagine that user1 is a developer for App1, while user2 is a developer for App2.

Each user is assigned a permission that associates them with the manage scope of their respective Client.

This, however, does not allow user1 and user2 to map roles into each other’s Clients. This would be necessary, for example, for App2 to access web services served by App1 using Service Account authentication.

As admin, I can manage the role mapping myself by mapping the necessary roles from App1 into the Service Account Roles of App2.

But I wonder how exactly I am supposed to set up permissions that allow user1 to grant App2 permission to access the web service.

Creating a permission that associates user2 with App1’s map-role scope seems like the obvious alternative. But that level of permission allows user2 to pick and choose any roles from App1. This effectively overwrites the will of user1 to protect other resources with other roles mapped to them.

So, my question is this: can this level of grained permission only be done by the admin account?