Replacing ssh public keys of retired owner

Hi everyone. when a new vm instance is created, the user creating that vm instance has his public key injected by using the contextualization. When the vm changes owner (lets say that the person leaves the company, etc) the ssh public key does not change to reflect the ssh public key of the new owner.

How and/or can this be forced?

I know that the oneadmin user can in fact add more then 1 key by updating the contexualization and also replace the ssh keys if need be but a groupadmin for a particular group does not have any of these features from what I could find so far.

Is this the expected behaviour?
if opennebula is deployed in a public cloud does that mean that a group (account) will have to contact the cloud provider to have this changed?

Thanks in advance for any help