Policy to ensure users cannot create api keys and auth tokens

Organization Name (Required - If you are an Oracle Partner, please provide the organization you are logging the idea on behalf of): Municipality of Rotterdam

Description (Required): We are synchronizing our users from Fusion to OCI domains (they are seen as non federated). These users by default get too many capabilities. What we would like is to have a policy that only allows administrators to create api keys and auth tokens for users and not the users themselves. Currenty this is not supported so we have to build a script ourselves using the API's. But it would be much more convenient if you can set this through policies.