Feature
Resolution: Done
rhosdt-3.5, rhosdt-3.6
Proposed title of this feature request
Allow fine-grained access for traces.
What is the nature and description of the request?
As of now, the ClusterRoleBinding below is created to allow access to traces:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tempostack-traces-reader
rules:
  - apiGroups:
      - 'tempo.grafana.com'
    resources:
      - dev
    resourceNames:
      - traces
    verbs:
      - 'get'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tempostack-traces-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tempostack-traces-reader
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:authenticated
However, all users get access to all the ingested traces for a particular tenant.
From a user's perspective, they don't really need access to all the ingested traces. Rather, there should be a mechanism that only allows users to view the traces to which they have been granted access.
For example: if 4 applications (all running in different namespaces) are sending traces to the dev tenant and a user only needs access to the traces of 1 application, then the user should not be able to view traces from the other namespaces.
Why does the customer need this? (List the business requirements)
To restrict access so that other users can't view traces for the applications to which they don't have access.
List any affected packages or components.
Tempo Operator
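The gap described in this request, modelled as an added example (not Tempo Operator code and not part of the original report): the ClusterRole above authorizes on the tenant only, so the namespace a span came from never enters the decision. The `k8s.namespace.name` attribute as the source of a span's namespace, the `readable_namespaces` input and all sample data are assumptions made for illustration.

```python
# Added illustration; not Tempo Operator code. All sample data is constructed.
from dataclasses import dataclass

# The rule from the ClusterRole above: tenant "dev" is the resource, "traces" the resourceName.
RULE = {"apiGroups": ["tempo.grafana.com"], "resources": ["dev"],
        "resourceNames": ["traces"], "verbs": ["get"]}
BOUND_GROUPS = {"system:authenticated"}  # subject of the ClusterRoleBinding above


@dataclass(frozen=True)
class Span:
    trace_id: str
    namespace: str  # assumed to come from the k8s.namespace.name resource attribute


def tenant_allowed(user_groups, tenant, verb="get"):
    """Tenant-level check: the only decision the ClusterRole above expresses."""
    return (bool(BOUND_GROUPS & set(user_groups))
            and tenant in RULE["resources"]
            and "traces" in RULE["resourceNames"]
            and verb in RULE["verbs"])


def visible_today(user_groups, tenant, spans):
    """Current behaviour: passing the tenant check exposes every span in the tenant."""
    return list(spans) if tenant_allowed(user_groups, tenant) else []


def visible_requested(user_groups, tenant, spans, readable_namespaces):
    """Requested behaviour: the tenant check plus a per-namespace filter.

    readable_namespaces is a hypothetical input: the namespaces the user may read,
    however the platform derives them. Spans with no namespace are dropped (fail closed).
    """
    if not tenant_allowed(user_groups, tenant):
        return []
    return [s for s in spans if s.namespace and s.namespace in readable_namespaces]


# Constructed sample: 4 applications in 4 namespaces writing to the dev tenant,
# plus one span that carries no namespace attribute.
SPANS = [Span("t1", "app-a"), Span("t2", "app-b"), Span("t3", "app-c"),
         Span("t4", "app-d"), Span("t5", "")]
USER_GROUPS = ["system:authenticated"]

if __name__ == "__main__":
    print([s.trace_id for s in visible_today(USER_GROUPS, "dev", SPANS)])
    print([s.trace_id for s in visible_requested(USER_GROUPS, "dev", SPANS, {"app-a"})])
```

Any filter of this kind is only as trustworthy as the namespace attribute on the span, so that attribute has to be set or verified on the ingest path rather than taken from the sending application.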