Support account-scoped resource groups for all projects under selected orgs without requiring org-level resources
Isolated Cat
For SMP, we are trying to manage RBAC fully at the account level using existing roles and account-scoped resource groups.
Their intended access model is:
DevOps users should have access to project-level resources
DevOps users should not be able to edit organization-level resources
Org admins should continue to have full access to organization-level resources
We are correctly using the model where:
the Role defines the permissions/actions
the Resource Group defines the scope where those permissions apply
A key requirement for this use case is that RBAC management must remain centralized at the account level.
We are not looking for a workaround that depends on creating or maintaining additional bindings, roles, or resource-group configurations separately at the organization or project scopes.
Their goal is to:
manage access centrally from the account scope
grant access to all projects under selected orgs
exclude organization-level resources
avoid ongoing per-project or per-org maintenance outside the account-level RBAC model
Because of that, solutions that rely on additional configuration at org or project scope would not meet the intended operational requirement.
This is not only a usability issue, but also a scalability issue for customers who intentionally manage RBAC centrally at the account level.
In this case, the requirement is to keep the access model fully managed from the account scope. A solution that requires additional RBAC configuration or maintenance at the org or project scopes would not satisfy that requirement.
The customer has 100+ projects, so maintaining access by manually selecting each project under Specified Projects is not feasible, even as a workaround.
Today, the current resource-group behavior appears to force customers into one of these two options:
include org-level resources even when they do not want to
manually maintain large project lists
Neither option satisfies the customer’s intended centralized RBAC model.
Please support an account-scoped resource group configuration that allows:
selecting one or more organizations
including all current and future projects under those selected organizations
excluding organization-level resources
without requiring manual selection and maintenance of each project
Isolated Cat
Expected outcome
Customers should be able to create account-scoped resource groups that express:
Project-only access across all projects in selected orgs
while explicitly excluding organization-level resources
and while keeping RBAC management centralized at the account level
Impact
Without this, customers managing RBAC centrally at account scope must either:
grant broader access than intended, or
manually maintain large and changing project lists, or
move part of the RBAC model into org/project scope, which does not meet their operational requirement
This makes the model difficult to scale and creates unnecessary admin overhead.
PL-70598