ArgoCD RBAC policies for teams & namespace specific

[ravindraprasad85]

I do have my (PROD) ArgoCD cluster deployed in Kubernetes cluster using helm, ArgoCD Version 2.9.3 . It running in HA mode with redis HA . Its controlling more than 10 clusters (Prod/Dev/UAT) currently & 10 Repos. I do have more than 100 Apps running in that cluster. Now i needs to control the different teams in Dev cluster and their namespace wise. They should be able to perform anything in their namespace only where the applicationsets/applications running. Client application installed in Argocd cluster Namespace: "ccid-argocd"

Dev Cluster --> Team: A & namespace: A
Dev Cluster --> Team: B & namespace: B

I have tried to write the RBAC policies by following
https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/

currently ARGOCD is integrated with SSO and scope is "group"

p, role:team-qa, applicationsets, get, aam-qa-perf-us-east/*, allow
p, role:team-qa, applicationsets, get, *, allow
p, role:team-qa, clusters, get, uat-east1-sa-eks, allow
g, teamnonprod, role:team-qa
g, my-org:teamnonprod, role:team-qa

-Thanks

[yu-croco]

📝
related to #2732 (comment)