Allow users to create ApplicationSets for specific AppProject #24661
Unanswered · pschichtel asked this question in Q&A · Replies: 0 comments
Hi there!
I'm currently setting up a central argo that does deployments to different team-specific clusters. For each team, a project is generated that has their cluster configured as a destination. These teams don't have access to the cluster in which argo itself is deployed.
As such, App-of-Apps is not really practical, as users would need access to the argo cluster. Instead I wanted to go the ApplicationSet route. The problem now is that the users of these teams currently don't have access to create ApplicationSets. I also don't want to allow users to create any appsets, but only appsets that create apps in a project that they have access to.
I've checked this documentation, which suggests that I can set up a policy that grants users/groups access to create appsets that produce apps in a given project.
Now I'm struggling to actually implement this. I tried creating the policy on the project of a team, but that didn't seem to have an effect. Since ApplicationSets are not linked to a project, I figured that makes sense and tried the same in the global `policy.csv`. That however also didn't seem to have an effect. We know the groups are correctly assigned to the correct users (they come in via AD), but it seems our policies don't apply.
I keep receiving `rpc error: code = PermissionDenied desc = permission denied: applicationsets, create, project/appset-name, sub: ..., iat: 2025-09-19T11:59:05Z` when trying `argocd appset create`.
Does anyone have a link to a more elaborate documentation or maybe even a somewhat complete example? I'd be happy for any pointer :)
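An added example, not part of the original post and not Argo CD's own code: a simplified Python model of how a denied request tuple like the one in the error above (`applicationsets, create, <project>/<appset-name>`) is compared against `policy.csv` lines, so a rule's object pattern and group binding can be checked before loading it. It assumes glob matching with "any deny wins" semantics, and the group, role and project names are constructed placeholders; Argo CD's real Casbin-based enforcer may differ in details.

```python
import csv
from fnmatch import fnmatchcase

# Constructed policy.csv content; group, role and project names are placeholders.
POLICY_CSV = """\
# team-a may create and read ApplicationSets scoped to project team-a only
p, role:team-a-appsets, applicationsets, create, team-a/*, allow
p, role:team-a-appsets, applicationsets, get, team-a/*, allow
g, team-a-ad-group, role:team-a-appsets
"""

def load(policy_text):
    """Split policy.csv text into permission rows (p) and grant edges (g)."""
    perms, grants = [], []
    for row in csv.reader(policy_text.splitlines(), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not row or row[0].startswith("#"):
            continue  # blank line or comment
        if row[0] == "p" and len(row) == 6:
            perms.append(tuple(row[1:]))  # (sub, res, act, obj, effect)
        elif row[0] == "g" and len(row) == 3:
            grants.append((row[1], row[2]))  # (member, role)
    return perms, grants

def expand(subjects, grants):
    """Return the given subjects plus every role reachable through g lines."""
    seen, todo = set(), list(subjects)
    while todo:
        subject = todo.pop()
        if subject not in seen:
            seen.add(subject)
            todo.extend(role for member, role in grants if member == subject)
    return seen

def decide(policy_text, subjects, resource, action, obj):
    """Return (allowed, matching_rows); a matching deny row overrides allow."""
    perms, grants = load(policy_text)
    who = expand(subjects, grants)
    hits = [p for p in perms
            if p[0] in who and fnmatchcase(resource, p[1])
            and fnmatchcase(action, p[2]) and fnmatchcase(obj, p[3])]
    effects = {p[4] for p in hits}
    return ("allow" in effects and "deny" not in effects), hits
```

Pass the username together with every group from the token as `subjects`; an empty `matching_rows` for the denied tuple means no rule's subject, resource, action and object pattern all line up.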