Type: Feature Request
Resolution: Unresolved
1. Proposed title of this feature request
Improve Multi-Tenancy support for RHACS and namespace owners
2. What is the nature and description of the request?
Current Situation: RHACS provides RBAC that can be used to configure roles and grant different users various levels of access to Red Hat Advanced Cluster Security for Kubernetes (see https://docs.openshift.com/acs/3.74/operating/manage-user-access/manage-role-based-access-control-3630.html). A role combines a permission set (which resources may be read or written) with an access scope (which clusters and namespaces those permissions apply to). ACS RBAC ships with out-of-the-box default roles, which cannot be changed, and supports the creation of custom roles.
However, RHACS has gaps when it comes to multi-tenant support. ACS scoped access control was built as a tool for cluster-level roles, which need to access and verify violations across all secured clusters.
While it is possible to create additional roles and limit their access scope to certain namespaces, it is not possible to give namespace owners access to RHACS without the risk of them interfering with configuration that belongs to other tenants or to the cluster as a whole (see the details below).
The following summarizes the three major issues found with regard to multi-tenancy support: custom policies, risk acceptance and report generation. There may be more to consider as this work continues.
Use Case: The customer operates multiple OpenShift clusters with multiple sub-customers (where a sub-customer is a team within the larger organization). Since sub-customers deploy their own applications and are fully responsible for them, it would mean a lot of additional work for the cluster administrator team to notify each sub-customer about possible security issues. Therefore, security management shall be delegated to the application owners.
Expectations: RHACS should support additional multi-tenancy features that allow namespace/application owners to access only specific namespaces, in order to view, verify and fix their own security issues. Mona, as the namespace administrator, should be able to create security policies that apply to her namespace only, accept risks, and create notifications that apply only to the namespaces she manages; none of these should be changeable by other administrators, except cluster-admins. Similarly, Sam should be able to view the security policies that apply to his namespace and to request exceptions for security violations, without being given permission to create policies or to accept risk for his namespace.
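To make the requested tenant boundary concrete, the following Python model encodes the Mona/Sam expectations above as an authorization check. It is an added sketch for this ticket, not RHACS code and not its API: the role names, actions, personas and namespaces are assumptions. Every policy, risk acceptance or exception request carries a set of cluster/namespace scopes; a principal may only act on scopes inside their own access scope; unscoped (global) objects can be read by everyone but authored or changed only by cluster-admins; and the role decides which actions are available at all, so a developer never gains policy authorship or risk acceptance even inside their own namespace.

```python
"""Hypothetical model of namespace-scoped (tenant) authorization for security
policies, risk acceptance and exception requests.  Added illustration of the
semantics this ticket asks for; not RHACS code and not the RHACS API.
Role names, actions and the sample principals below are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet


class Action(Enum):
    VIEW_POLICY = "view_policy"
    CREATE_POLICY = "create_policy"
    MODIFY_POLICY = "modify_policy"
    ACCEPT_RISK = "accept_risk"
    REQUEST_EXCEPTION = "request_exception"


# Which actions each (hypothetical) role may perform at all.  Scope is checked
# separately, so a role never grants access outside the principal's scope.
ROLE_PERMISSIONS = {
    "cluster-admin": frozenset(Action),
    "namespace-admin": frozenset({Action.VIEW_POLICY, Action.CREATE_POLICY,
                                  Action.MODIFY_POLICY, Action.ACCEPT_RISK,
                                  Action.REQUEST_EXCEPTION}),
    # Sam's profile: view and request exceptions, never author policy or accept risk.
    "developer": frozenset({Action.VIEW_POLICY, Action.REQUEST_EXCEPTION}),
}


@dataclass(frozen=True)
class Scope:
    cluster: str
    namespace: str


@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    # Clusters/namespaces this principal may touch; ignored for cluster-admin.
    access_scope: FrozenSet[Scope]


@dataclass(frozen=True)
class Policy:
    name: str
    # An empty scope means "global" (applies to every namespace).
    scope: FrozenSet[Scope]


def covers(principal: Principal, target: FrozenSet[Scope]) -> bool:
    """True if every scope in `target` lies inside the principal's access scope."""
    if principal.role == "cluster-admin":
        return True
    return bool(target) and target <= principal.access_scope


def authorize(principal: Principal, action: Action, target: FrozenSet[Scope]) -> bool:
    """Decide whether `principal` may perform `action` on an object whose
    cluster/namespace scope is `target`.  Deny by default."""
    allowed_actions = ROLE_PERMISSIONS.get(principal.role, frozenset())
    if action not in allowed_actions:
        return False
    if not target:
        # Global objects apply to every tenant: anyone may read them, but only
        # cluster-admins may author or change cluster-wide configuration.
        return action == Action.VIEW_POLICY or principal.role == "cluster-admin"
    # A tenant may only create/modify/accept/request within its own namespaces,
    # so another namespace-admin's objects are out of reach by construction.
    return covers(principal, target)


def demo() -> dict:
    """Constructed sample principals and policies; returns the decisions."""
    team_a = Scope("prod", "team-a")
    team_b = Scope("prod", "team-b")
    mona = Principal("mona", "namespace-admin", frozenset({team_a, Scope("prod", "team-a-db")}))
    sam = Principal("sam", "developer", frozenset({team_a}))
    alex = Principal("alex", "namespace-admin", frozenset({team_b}))
    root = Principal("root", "cluster-admin", frozenset())
    tenant_policy = Policy("no-root-containers", frozenset({team_a}))
    global_policy = Policy("no-privileged", frozenset())

    return {
        "mona_creates_own_policy": authorize(mona, Action.CREATE_POLICY, tenant_policy.scope),
        "mona_creates_global_policy": authorize(mona, Action.CREATE_POLICY, global_policy.scope),
        "mona_creates_policy_for_team_b": authorize(mona, Action.CREATE_POLICY, frozenset({team_b})),
        "mona_accepts_risk": authorize(mona, Action.ACCEPT_RISK, frozenset({team_a})),
        "sam_views_policy": authorize(sam, Action.VIEW_POLICY, tenant_policy.scope),
        "sam_views_global_policy": authorize(sam, Action.VIEW_POLICY, global_policy.scope),
        "sam_requests_exception": authorize(sam, Action.REQUEST_EXCEPTION, frozenset({team_a})),
        "sam_creates_policy": authorize(sam, Action.CREATE_POLICY, tenant_policy.scope),
        "sam_accepts_risk": authorize(sam, Action.ACCEPT_RISK, frozenset({team_a})),
        "alex_modifies_monas_policy": authorize(alex, Action.MODIFY_POLICY, tenant_policy.scope),
        "root_modifies_monas_policy": authorize(root, Action.MODIFY_POLICY, tenant_policy.scope),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The two independent checks (role permission, then scope containment) are the point: a namespace-admin with overlapping scopes still cannot reach a policy that names a namespace outside her scope, and the empty-scope rule is what keeps tenants from accidentally authoring cluster-wide policies, which is the interference risk described above.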
3. Why does the customer need this? (List the business requirements here)
Justification: This will improve the reusability of RHACS and allow namespace administrators to verify the violations in their own namespaces directly. Customers that use OpenShift in a shared way and operate clusters for different sub-customers can then delegate the fixing of violations to the application owners instead of managing all violations for all customers and all applications themselves.
A list of issues found when preparing a demo for one customer: https://docs.google.com/document/d/1ApwhyqjU1Xrqsp3RLHcVQRqf_gaYw6Y6LITV_WNNvHg/edit#
4. List any affected packages or components.
Please note that this Jira is part of a larger group of issues raised by BRZ; you can find more information in this Google document.