rbac

docs/REFERENCE.md

@@ -693,7 +693,25 @@ configs:
     scopes: '[groups]'
 ```
 
-**Access Control**: Only users in Keycloak groups `ArgoCD Admins` or `ArgoCD Viewers` can access ArgoCD. Users not in either group are denied (empty `policy.default`). Assign users to groups in Keycloak admin console.
+**Access Control**: Only users in declared Keycloak groups can access ArgoCD. Users not in any group are denied (`policy.default: ""`). Assign users to groups in Keycloak admin console.
+
+| KC Group | ArgoCD Role | Access |
+|----------|-------------|--------|
+| `ArgoCD Admins` | `role:admin` | Full control over all apps |
+| `ArgoCD Viewers` | `role:readonly` | Read-only access to all apps |
+| `Observability Team` | `role:observability` | Get/sync monitoring apps (prometheus, loki, fluent-bit, tempo, grafana, opencost) |
+| `Dev Tools Team` | `role:devtools` | Get/sync dev tool apps (gitea, gitea-actions, renovate, karpor) |
+| `App Developers` | `role:app-dev` | Get/sync/action on enterprise-apps only |
+
+**Per-Cluster RBAC**: Add cluster-specific policies in `infra/values/<cluster>/argocd-values.yaml` using `configs.rbac.policy.<cluster>.csv`. ArgoCD concatenates all `policy.*.csv` keys alphabetically after `policy.csv`. Example:
+```yaml
+# infra/values/upc-dev/argocd-values.yaml
+configs:
+  rbac:
+    policy.upc-dev.csv: |
+      p, role:staging-deployer, applications, sync, default/enterprise-apps, allow
+      g, Staging Deployers, role:staging-deployer
+```
 
 - ArgoCD does NOT add `openid` implicitly — must include in `requestedScopes`
 - Do NOT add `groups` as a scope — the KC groups mapper emits the claim regardless