RBAC in OSSM federation with spiffe propagation
Type: Epic
Priority: Minor
Status: To Do
Resolution: Unresolved
A customer is requesting a feature that is not yet implemented in OSSM federation. From a security point of view, the customer has a requirement that every service be identified, and RBAC/Authorization Policies are used to meet this requirement.
This feature is not possible in an OSSM federated environment because the SPIFFE identity of the caller is not propagated between the federated clusters. From our official documentation:
For exported services, their target services will only see traffic from the ingress gateway, not the original requestor (that is, they won’t see the client ID of either the other mesh’s egress gateway or the workload originating the request)
The aim of this request is to provide the functionality to use RBAC in a federated environment with the caller's SPIFFE identity propagated between both clusters.
Istio upstream has the same functionality gap:
Find below a document attached describing the issue: OSSM federation - RBAC issue.pdf
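As an added illustration that is not part of the issue or of the OSSM documentation, the following shows the AuthorizationPolicy the customer would like to enforce on an exported service (keyed on the original caller's SPIFFE identity in the other mesh) beside the only policy that is enforceable today, where the exported service sees just the local federation ingress gateway's identity. All names in angle brackets are placeholders for the customer's own environment.

```yaml
# Added illustration (not from the issue or the OSSM project). Names in
# angle brackets are placeholders for the customer's own environment.
#
# Desired: the exported service in mesh B admits only the original calling
# workload from mesh A, identified by its SPIFFE ID. Today this policy
# would deny federated traffic, because that principal never reaches the
# exported service.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-remote-caller-by-spiffe
  namespace: <exported-service-namespace>
spec:
  selector:
    matchLabels:
      app: <exported-service>
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "<mesh-a-trust-domain>/ns/<caller-namespace>/sa/<caller-service-account>"
---
# Enforceable today: the exported service only ever sees the identity of
# mesh B's federation ingress gateway, so the tightest rule that still
# admits federated traffic is one on that gateway's principal. Every mesh A
# workload that reaches the gateway is treated alike, which is the gap this
# request is about.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-federation-ingress-gateway
  namespace: <exported-service-namespace>
spec:
  selector:
    matchLabels:
      app: <exported-service>
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "<mesh-b-trust-domain>/ns/<gateway-namespace>/sa/<ingress-gateway-service-account>"
```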
Relates to: OSSM-4028 Federation for OSSM 3 (In Progress)