RBAC
Role-Based Access Control (RBAC) allows you to define fine-grained access policies for your Argo CD instance. All RBAC settings can be located by navigating to Argo CD → your instance → Settings → RBAC.
For detailed information about RBAC concepts and policy syntax, see the Argo CD RBAC documentation.
Default Role
The Default Role setting specifies the role that all authenticated users receive by default. This role determines the minimum level of access for anyone who logs into your Argo CD instance.
Argo CD provides two built-in roles:
- role:readonly - Read-only access to all resources
- role:admin - Unrestricted access to all resources
OIDC Scopes
OIDC Scopes control which OIDC scopes to examine during RBAC enforcement (in addition to the sub scope). By default, the groups scope is used.
This setting is useful when you want to use additional claims from your identity provider for RBAC decisions, such as email or custom scopes.
To add additional scopes:
- Click + Add Scope.
- Enter the scope name.
- Click Save.
Logs Access RBAC
When enabled, Logs Access RBAC allows you to manage who can view application pod logs in the Argo CD UI independently from general application access. This provides more granular control over sensitive log data.
To enable Logs Access RBAC:
- Toggle the Enabled switch to ON.
- Click Save.
Once enabled, you can use the logs resource in your RBAC policies to control access. For example:
p, role:developer, logs, get, default/*, allow
This policy allows users with the developer role to view logs for all applications in the default project.
Policy
The Policy section allows you to define RBAC policies that control access to Argo CD resources.
To add or modify policies:
- Edit the policy in the Definition text area.
- Click Save.
You can create multiple policy tabs by clicking the + button next to the Main tab to organize your policies.
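The following is an added example, not code from this page or from the Argo CD project: a small offline audit of policy text, as pasted into the Definition text area, that answers who can read pod logs once Logs Access RBAC is enabled. The role and group names and the sample policy are constructed. The matcher is a simplified assumption (glob matching via Python's fnmatch, a matching deny overriding allow), and the built-in roles and the Default Role are not modelled.

```python
import csv
from fnmatch import fnmatchcase

# Constructed sample policy. "dev-team" and "sre-team" are hypothetical
# values of the OIDC groups claim; the role names are hypothetical too.
SAMPLE_POLICY = """\
p, role:developer, applications, get, default/*, allow
p, role:developer, logs, get, default/*, allow
p, role:developer, logs, get, default/payments-*, deny
p, role:sre, applications, get, */*, allow
p, role:sre, logs, get, */*, allow
g, dev-team, role:developer
g, sre-team, role:sre
"""

def parse_policy(text):
    """Return (permission rows, subject -> roles map) from policy text."""
    perms, grants = [], {}
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        row = [field.strip() for field in row]
        if row and row[0] == "p" and len(row) == 6:
            perms.append(tuple(row[1:]))
        elif row and row[0] == "g" and len(row) == 3:
            grants.setdefault(row[1], set()).add(row[2])
    return perms, grants

def can_get_logs(text, subject, app):
    """True if subject may read logs of app, written as '<project>/<name>'."""
    perms, grants = parse_policy(text)
    seen, todo = set(), [subject]
    while todo:  # follow g lines transitively (group -> role -> role)
        name = todo.pop()
        if name not in seen:
            seen.add(name)
            todo.extend(grants.get(name, ()))
    allowed = False
    for sub, res, act, obj, eft in perms:
        if (sub in seen and fnmatchcase("logs", res)
                and fnmatchcase("get", act) and fnmatchcase(app, obj)):
            if eft == "deny":
                return False  # a matching deny overrides any allow
            allowed = allowed or eft == "allow"
    return allowed

def wildcard_log_grants(text):
    """Subjects allowed to read logs in every project (object '*/...')."""
    perms, _ = parse_policy(text)
    return sorted({sub for sub, res, act, obj, eft in perms
                   if fnmatchcase("logs", res) and fnmatchcase("get", act)
                   and eft == "allow" and obj.split("/")[0] == "*"})
```

Running `wildcard_log_grants` over a policy before saving it gives a quick list of subjects whose log access is not scoped to a project.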