More fine grained access control

[sanbrien]

At the moment, I can control roles on managing resource types. But I would also like to manage access to certain groups of resources. E.g. I would like some people to manage development VPC's and others to manage production VPC's.

At the moment this is only possible on organisation level. But maybe you should consider adding a project level as well.

[thojkooi]

Two approaches we are evaluating are either sub organisation style projects, or roles/rolebindings with label selector matching (i.g. configure conditionals on roles to only match specific resources to appyl the permission rules on).

Would be interested to hear some feedback on this.

[sanbrien]

Roles are more granular of course but also less clear and more error-prone. It is must more difficult to keep overview when you use roles. Whereas, with sub-organisations / projects, you can clearly (also visually) separate what users are allowed to see.

It would nevertheless be cool to be able to assign roles to a certain sub-organisation / project rather than having to assign users to it directly....