- Task
- Resolution: Unresolved
- Major
There was a PIA done for web-rca, and an even earlier ESSv9 assessment as well. The PIA recommends implementing RBAC to limit access to web-rca to those with a "justified business need". Since web-rca is publicly accessible and uses external SSO (sso.redhat.com), SSO/Rover groups were not considered because they are a feature of internal SSO (auth.redhat.com). Since web-rca is already part of OCM, it was decided that web-rca will use OCM/AMS roles and role bindings.
This creates a few complications. First, the fine-grained roles (such as WebRCAUser and WebRCAReadOnlyUser) need to be defined in uhc-account-manager, and then individual users need to be granted these roles in ocm-resources, as in this example. This workflow is mostly fine for developers who are familiar with GitLab, but it can be problematic when onboarding non-technical users such as managers/directors who are interested in incident statuses.
This also makes integrations more difficult. Services like inScope also use external SSO, but they find it difficult to determine which users have access to web-rca, since that would require another integration on the inScope side. Service accounts can circumvent this restriction, but then we're back to giving default/read-only access to all users.
We should reconsider the requirements and see if it's possible to remove the RBAC requirement or integrate more cleanly with SSO.