Skip to content
Discussion options

You must be logged in to vote

The pattern you are seeing is right (a group p/g works, an identical line with the user does not), but the lever is not quite "user vs group". It is which OIDC claims Argo CD examines during RBAC enforcement.

The argocd-rbac-cm has a scopes field that lists the OIDC scopes/claims checked in addition to sub, and it defaults to [groups]. That is why group policies work out of the box (the groups claim is examined) while a p, my-user, ... line does not match: the username/email claim is not being examined unless you add it. Also, for SSO the subject used is derived from the token (with Dex, federated_claims.user_id), not the display name shown in the UI.

So you have two clean options:

  1. Assig…

Replies: 2 comments 1 reply

Comment options

You must be logged in to vote
0 replies
Comment options

You must be logged in to vote
1 reply
@kastl-ars
Comment options

Answer selected by kastl-ars
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Category
Q&A
Labels
None yet
2 participants