RT for self-service user and client admins

What is the best way to setup the rights, queues, users, etc. for this?
I have multiple clients. Each of them has one or more admins and one or
more users. The admins need to be able to submit tickets, view all tickets
for their client and be able to reply to them but not change custom fields,
owner, take ownership, etc. The users can submit new tickets, reply to
their own tickets, and view only their tickets.