RBAC

Fine-grained role-based access control for applications

Cased CD Enterprise provides a UI for managing ArgoCD’s role-based access control (RBAC) system.

Overview

ArgoCD RBAC controls:

Who can perform actions (users, groups)
What actions they can perform (get, create, update, delete, sync)
On which resources (applications, clusters, repositories, projects)

Viewing RBAC

Navigate to Settings → RBAC in Cased CD to see:

All defined roles and their permissions
Which users and groups are assigned to each role
Permission matrix showing access levels

RBAC syntax

ArgoCD uses a Casbin-based policy format:

# Permission: p, subject, resource, action, object, effect
p, role:developer, applications, get, */*, allow

# Group assignment: g, user/group, role
g, alice, role:developer

Resources

Resource	Description
`applications`	ArgoCD applications
`clusters`	Kubernetes clusters
`repositories`	Git repositories
`projects`	ArgoCD projects
`accounts`	ArgoCD accounts
`certificates`	TLS certificates
`gpgkeys`	GPG signing keys
`logs`	Application logs
`exec`	Pod exec access

Actions

Action	Description
`get`	View/read access
`create`	Create new resources
`update`	Modify existing resources
`delete`	Remove resources
`sync`	Sync applications
`override`	Override sync settings
`action`	Run resource actions
`*`	All actions

Object format

Objects use the format project/application:

*/ — All projects, all applications
default/* — All applications in default project
production/frontend — Specific application
*/frontend-* — Pattern matching

Common roles

Administrator

Full access to everything:

p, role:admin, *, *, */*, allow
g, admin-team, role:admin

Developer

Can view and sync applications:

p, role:developer, applications, get, */*, allow
p, role:developer, applications, sync, */*, allow
p, role:developer, logs, get, */*, allow
g, dev-team, role:developer

Viewer

Read-only access:

p, role:viewer, applications, get, */*, allow
p, role:viewer, clusters, get, *, allow
p, role:viewer, repositories, get, *, allow
p, role:viewer, projects, get, *, allow
g, stakeholders, role:viewer

Project-scoped developer

Access limited to specific project:

p, role:frontend-dev, applications, get, frontend/*, allow
p, role:frontend-dev, applications, sync, frontend/*, allow
p, role:frontend-dev, logs, get, frontend/*, allow
g, frontend-team, role:frontend-dev

kubectl patch configmap argocd-rbac-cm -n argocd --type merge -p '
data:
  policy.csv: |
    p, role:developer, applications, get, */*, allow
    p, role:developer, applications, sync, */*, allow
    g, developers, role:developer
  policy.default: role:readonly
'

# values.yaml for ArgoCD Helm chart
configs:
  rbac:
    policy.csv: |
      p, role:developer, applications, get, */*, allow
      p, role:developer, applications, sync, */*, allow
      g, developers, role:developer
    policy.default: role:readonly

Default policy

The policy.default setting determines permissions for authenticated users without explicit roles:

# Read-only access for everyone
policy.default: role:readonly

# No access by default (most restrictive)
policy.default: ""

Scopes

By default, ArgoCD checks the groups claim from OIDC tokens. Configure additional scopes:

# argocd-rbac-cm
data:
  scopes: "[groups, email]"

Testing RBAC

Use the ArgoCD CLI to test permissions:

# Can user sync applications?
argocd account can-i sync applications '*' --as alice

# Can group deploy to production?
argocd account can-i sync applications 'production/*' --as-group developers

Troubleshooting

”Permission denied” errors

Check user’s group membership in IdP
Verify RBAC policy syntax
Check ArgoCD server logs for policy evaluation

kubectl logs -n argocd deployment/argocd-server | grep -i rbac

Changes not taking effect

ArgoCD caches RBAC policies. Restart the server to force reload:

kubectl rollout restart deployment argocd-server -n argocd