Feature Request
Resolution: Unresolved
Major
Incidents & Support
0% To Do, 100% In Progress, 0% Done
- Currently the roles that aggregate to the default "admin" role are coming from two different mechanisms:
1) The automatically generated roles that OLM creates for every installed CRD
2) The roles that are shipped with OpenShift Virtualization/Kubevirt like the "kubevirt.io:admin" ClusterRole.
- Ideally, we want to have an admin role for a namespace that can handle "normal" container workload administration like managing Deployments, Routes, etc. and a role for each larger "addon" (OpenShift Virtualization, OpenShift AI, etc.) that we can grant to our users if this addon should be accessible by them.
- This flexibility of role assignment is needed in multi-tenant clusters where different namespaces are used to allow different workloads and prevent unallowed usage of workloads that the tenant is not eligible to use.
- In addition to the permissions, the respective console plugin/view would also be automatically enabled/disabled, meaning that if a user does not have the permission to, for example create VMs, the virtualization view is hidden.
- Given the above, it would be required to have a complete list of permissions required for accessing specific parts of the virtualization console view to allow customers to define their own Roles and RoleBindings.
*User story:*
As a cluster-admin I want to decide which users will have access to the virtualization in the cluster. Not all project-admins should have this access but only the eligible ones (due to the customer's own reasons).
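
An added example, not part of the original request or of any project's code: a small audit that lists which ClusterRoles feed virtualization permissions into the default "admin" role through the standard Kubernetes aggregation label `rbac.authorization.k8s.io/aggregate-to-admin`. The input is a constructed sample shaped like `kubectl get clusterroles -o json`; every role name except `kubevirt.io:admin` and the function name `admin_contributors` are assumptions.

```python
import json
from collections import defaultdict

AGGREGATE_TO_ADMIN = "rbac.authorization.k8s.io/aggregate-to-admin"

# Constructed sample shaped like `kubectl get clusterroles -o json`; role names
# other than "kubevirt.io:admin" are hypothetical.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "kubevirt.io:admin",
                "labels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
   "rules": [{"apiGroups": ["kubevirt.io"], "resources": ["virtualmachines"],
              "verbs": ["get", "list", "create", "delete"]}]},
  {"metadata": {"name": "example-crd-v1-admin",
                "labels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
   "rules": [{"apiGroups": ["example.kubevirt.io"], "resources": ["examples"], "verbs": ["*"]}]},
  {"metadata": {"name": "unrelated-view", "labels": {}},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]},
  {"metadata": {"name": "no-labels"}, "rules": null}
]}
""")


def admin_contributors(cluster_roles, group_suffix):
    """Map ClusterRole name -> sorted (group, resource, verb) grants for every role
    that aggregates into "admin" and touches an API group ending in group_suffix."""
    found = defaultdict(set)
    for role in cluster_roles.get("items", []):
        meta = role.get("metadata", {})
        labels = meta.get("labels") or {}
        if labels.get(AGGREGATE_TO_ADMIN) != "true":
            continue  # this role does not flow into the default admin role
        for rule in role.get("rules") or []:
            for group in rule.get("apiGroups", []):
                if group == group_suffix or group.endswith("." + group_suffix):
                    for res in rule.get("resources", []):
                        for verb in rule.get("verbs", []):
                            found[meta["name"]].add((group, res, verb))
    return {name: sorted(grants) for name, grants in found.items()}


if __name__ == "__main__":
    for name, grants in admin_contributors(SAMPLE, "kubevirt.io").items():
        print(name)
        for group, res, verb in grants:
            print(f"  {group}/{res}: {verb}")
```

Run against real cluster output, the result shows every role that would have to stop aggregating into "admin" before a separate virtualization role could be granted selectively.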