With the addition of multi-tenancy, users can be restricted to particular process groups. What these users cannot do is create input and output ports on the root canvas. Users should be able to create remote input/output ports within process groups and assign site-to-site (S2S) policies to them. The only things they should need an admin to do are add servers as users and add the global "retrieve site-to-site details" policy. This allows for a better separation between the dataflow designer/implementor/DFM and the NiFi admin. The added benefit of treating remote and local input/output ports as unique components is that you could add them anywhere in your flow, including embedded within process groups.
Perhaps they could be made configurable as local or remote ports (defaulting to remote when added to the root canvas and local when added within a process group). This way we preserve backwards compatibility while still improving their usability in a multi-tenancy environment.