Managed Service Account is an OCM addon enabling a hub cluster admin to manage service account across multiple clusters on ease. By controlling the creation and removal of the service account, the addon agent will project and rotate the corresponding token back to the hub cluster which is very useful for the Kube API client from the hub cluster to request against the managed clusters.

The first usecase of ClusterPermission was to assign a Managed-Service-Account
This (quoting a customer) brilliant feature also increases the value of ClusterPermission

MSA is used internally in App, CNV and DR and Ansible

https://open-cluster-management.io/docs/getting-started/integration/managed-serviceaccount/

Epic Goal

...

Decide if it should be added to UI
One big customer was also asking about further enhancements about controlling the token?

Why is this important?

...

increase value of solution

Scenarios

...

especially automation scenarios

Acceptance Criteria

...

does not need to increase complexity

Dependencies (internal and external)

1. ...

Previous Work (Optional):

1. ...

Open questions:

1. …

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
  Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub
  Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Doc issue opened with a completed template. Separate doc issue
  opened for any deprecation, removal, or any current known
  issue/troubleshooting removal from the doc, if applicable.
• Considerations were made for Extended Update Support (EUS)