Currently any user with Manager role can change smart class parameters from all organizations created on Foreman server. We would like to have users with access restricted to organizations.

The functionality can be misused as below:
1. Example Foreman server provides a class to manage the `root` account.
-- https://forge.puppet.com/thias/root
--- This class can set SSH authorized public keys.
2. The class is available in all organizations.
3. Org A has a user `jack` who can edit class parameters for Org A. `jack` is not a member of Org B
4. Org B has a host `protected.example.com` that is x86_64 with the `root` management class attached
5. Login as `jack` and edit the class parameters for the `root` module to add a new public key to `protected.example.com` if architecture == x86_64
6. Run puppet on `protected.example.com`
7. Notice the new public key provided by `jack` is now added to the `root` account on this host.
8. Notice `jack` is not an authorized admin for `protected.example.com`"

The existing behavior permits Org A to reconfigure Org B even if the users are not members of Org B. This can result in outages, unexpected service configurations, or possibly access to Org B servers by unauthorized users.