Azure / Azure-Spring-Apps

Azure Spring Cloud
MIT License

Fine grained RBAC / separation of concerns #22

Open ezYakaEagle442 opened 1 year ago

ezYakaEagle442 commented 1 year ago

Is your feature request related to a problem? Please describe.

The doc describes how to manage role permissions, but this does not address a common scenario where a customer has 3 Teams A, B & C and where:

Describe the solution you'd like

All the permissions listed in the doc should be more granular, allowing them to be configured at App level. ASA should support an RBAC solution integrated with AAD, something like what we have in AKS.

This would require deploying the App to a specific namespace for each App. See https://github.com/Azure/Azure-Spring-Apps/issues/21

Describe alternatives you've considered

None

Additional context

allxiao commented 1 year ago

In Azure Spring Apps, the apps and deployments are exposed and managed through the ARM APIs. So the RBAC can be applied to apps and deployments by default.

You can check "Assign Azure roles using Azure CLI - Azure RBAC | Microsoft Learn" for the general way to assign roles to a given scope. In this case, the scope will be the resource ID of apps or deployments.

We will add a page in our docs site to describe this.
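An added example (not part of the thread or the project's docs) of the per-app scoping described in the comment above: it builds the ARM resource ID of an app or deployment and emits one `az role assignment create` per team, refusing any scope broader than a single app. The subscription, resource group, service, app and group IDs are constructed placeholders, and the built-in Contributor role is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example: per-app Azure RBAC scopes for Azure Spring Apps.
# Every ID and name below is a constructed placeholder.

# Print the ARM resource ID of an app, or of one deployment if a 5th arg is given.
asa_scope() {
  sub=$1 rg=$2 svc=$3 app=$4 dep=${5:-}
  for part in "$sub" "$rg" "$svc" "$app"; do
    case $part in
      # An empty or slash-containing segment would silently change the scope.
      ''|*/*) echo "asa_scope: invalid segment '$part'" >&2; return 1 ;;
    esac
  done
  case $dep in */*) echo "asa_scope: invalid deployment" >&2; return 1 ;; esac
  id="/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.AppPlatform/Spring/$svc/apps/$app"
  if [ -n "$dep" ]; then id="$id/deployments/$dep"; fi
  printf '%s\n' "$id"
}

# Print (default) or run (APPLY=1) a role assignment for an AAD group.
assign_app_role() {
  group_oid=$1 role=$2 scope=$3
  case $scope in
    */providers/Microsoft.AppPlatform/Spring/?*/apps/?*) ;;
    *) echo "refusing scope broader than one app: '$scope'" >&2; return 1 ;;
  esac
  set -- az role assignment create --assignee-object-id "$group_oid" \
    --assignee-principal-type Group --role "$role" --scope "$scope"
  if [ "${APPLY:-0}" = 1 ]; then "$@" </dev/null; else printf '%s\n' "$*"; fi
}

# One AAD group per team, each limited to its own app (constructed mapping).
plan_team_assignments() {
  sub=00000000-0000-0000-0000-000000000000 rg=rg-asa svc=asa-demo
  while read -r group_oid app; do
    assign_app_role "$group_oid" Contributor \
      "$(asa_scope "$sub" "$rg" "$svc" "$app")" || return 1
  done <<'EOF'
11111111-1111-1111-1111-111111111111 app-team-a
22222222-2222-2222-2222-222222222222 app-team-b
33333333-3333-3333-3333-333333333333 app-team-c
EOF
}

plan_team_assignments
```

Run as-is it only prints the commands; set `APPLY=1` to execute them, then confirm the result with `az role assignment list --scope <app resource ID>`.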

ezYakaEagle442 commented 1 year ago

OK, maybe it works with the CLI, but it is definitely not possible to configure this through the Azure Portal, as the 'IAM' link is available only at the ASA service instance level. ==> RFE: add IAM in the left blade at App & Deployment level

taoxu0903 commented 1 year ago

Add this as a feature candidate for GA semester planning.