How to customize(restrict) builtin role:admin policy?

[mikutas]

https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv

Can we add some restriction to role:admin ?

For example, we manage Argo CD itself via Application named argo-cd.
So we want to add some deny policy to deleting resources under the App.

[kostis-codefresh]

It is better to create your own policy from scratch. The "admin" and "readonly" offered by Argo CD are just starting points.

[mikutas]

Thank you for your answer.
Just to be sure, is it impossible to make some additional policy over builtin policy? Or, it's possible but a bad practice?

[kostis-codefresh]

I haven't tried it. But I personally would consider it bad practice.

[mikutas]

Just curious I tried to make "partial deny" policy for builtin role:admin and found it possible.

configs:
  rbac:
    policy.csv: |
      p, role:admin, applications, delete, argo-cd/*, deny

This policy forbids user as role:admin to delete any resources including Application belonging to argo-cd AppProject.