ArgoCD RBAC Policies: ConfigMap vs AppProject

[nxhuy-github]

Hi everyone,
I'm trying to understand the concept RBAC in ArgoCD and I have some questions please. According to this doc and this doc, I found out that we could configure RBAC rules either with ConfigMap(argocd-rbac-cm) or directly in AppProject. And what I don't understand is what are the differences between these two options? Like in what scenario we'll use this one over that one? Because when I do like this, for example:

# First Setup
# ConfigMap argocd-rbac-cm.yaml
...
policy.csv: |
    p, role:test-role, applications, *, appproject-1/*, allow
    g, [email protected], role:test-role
scopes: ['email', 'group']

--------------------------------------
# Second setup
# AppProject
kind: AppProject
metadata:
  name: appproject-1
...
spec:
  roles:
    - name: test-role
      policies:
      - p, role:test-role, applications, *, appproject-1/*, allow
      - g, [email protected], role:test-role

I see there are no differences here but the first one works and the second one doesn't. Meaning that with the first setup, [email protected] could access to any resources in AppProject appproject-1 and could do anything (create, sync, etc) but the second setup give [email protected] nothing. I do think there is something happened behind the scene here but I couldn't figure that out of myself. Could you guys please point this out to me if possible, please?

In fact, I use email [email protected] as my example because I'm trying to setup ArgoCD using SSO with Google. So my second question is: for now, my SSO works just fine (meaning people could access Argo Web UI by using their own Google Account) and I want to use RBAC to enable restriction of access to Argo CD resources. For more detail, I just want that members in each team (like team-dev, team-test, etc) could only access to their own predefined AppProject, not the others. So, what would the best practices be in this case, please? I mean I should use the RBAC with ConfigMap or AppProject? Or do we have another solution?

Thank you guys !!!

[nxhuy-github]

Anyone please 🙏 ? Thank

[kumarpramod]

@nxhuy-github have you figure this out? I am having same question..

[nxhuy-github]

Hi, we have a conversation about this question here: https://stackoverflow.com/questions/74520477/argocd-rbac-policies-configmap-vs-appproject

[toxeek]

I don't think you can assign in the project role, under policies users as you suggest:

...
- g, [email protected], role:test-role

I think you have to use groups: including an OIDC group for it to work at the project level:

kind: AppProject
metadata:
  name: appproject-1
...
spec:
  roles:
    - name: test-role
      policies:
      - p, proj:appproject-1:test-role, applications, *, appproject-1/*, allow
      groups:
      - my-oidc-group