Finer-grained RBAC for WAAP: Service-Policy-only permissions per namespace

We request the ability to grant CRUD and/or read-only permissions specifically for Service Policy objects within a given namespace (default, in our case) without implicitly granting access to other WAAP objects. Today, custom roles are centred on add-on services; the closest option is to use the f5xc-waap-* API Groups (e.g., f5xc-waap-standard-user), which grants broader access than strict least privilege requires.

Why it matters:

  • Security & compliance: enforce least-privilege for teams who must manage only Service Policy.

  • Operational separation: delegate Service Policy lifecycle (create/update/delete) to a focused group without expanding access to unrelated WAAP resources.

  • Auditing: clearer mapping of responsibilities and reduced risk surface.

Requested scope:

  • RBAC primitives that allow targeting specific WAAP resource types (e.g., Service Policy) with verbs { get, list, watch, create, update, patch, delete } per namespace.

  • Ideally exposed via namespace_role with one or more API Groups (or equivalent granularity) dedicated to Service Policy.

Workarounds today:

  • Use f5xc-waap-* API Groups that include Service Policy, accepting broader permissions than needed.
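To make the least-privilege gap behind the requested scope and the current workaround concrete, here is an added example (not F5 Distributed Cloud code, and not a description of its RBAC API): a hypothetical grant model that computes what a coarse WAAP-wide group holds beyond what a Service-Policy-only team needs. The resource names waap_object_a/b and the contents of the coarse role are constructed placeholders, not the real membership of any f5xc-waap-* group.

```python
# Hypothetical least-privilege model (added example, not the F5 Distributed Cloud RBAC API).
# A grant is (namespace, resource_type, verb); a role is a set of grants.
# The coarse role's contents are CONSTRUCTED placeholders, not what any real
# f5xc-waap-* API Group actually contains.
from itertools import product

VERBS = ("get", "list", "watch", "create", "update", "patch", "delete")
READ_ONLY = ("get", "list", "watch")


def role(namespace, resource_types, verbs=VERBS):
    """Build a grant set covering every (resource_type, verb) pair in one namespace."""
    return {(namespace, r, v) for r, v in product(resource_types, verbs)}


# What the Service Policy team actually needs in the 'default' namespace (full CRUD).
REQUIRED = role("default", ["service_policy"])

# Constructed stand-in for a coarse WAAP-wide group: Service Policy plus unrelated objects.
COARSE_WAAP_ROLE = role("default", ["service_policy", "waap_object_a", "waap_object_b"])

# The requested fine-grained roles: Service Policy only, CRUD and read-only variants.
FINE_GRAINED_ROLE = role("default", ["service_policy"])
READ_ONLY_ROLE = role("default", ["service_policy"], READ_ONLY)


def excess_grants(granted, required):
    """Grants held beyond what the task needs: the gap a least-privilege audit flags."""
    return granted - required


def missing_grants(granted, required):
    """Required grants the role lacks (a role that is too narrow is also a finding)."""
    return required - granted


def excess_resource_types(granted, required):
    """Resource types the role can touch that the task never requires, for a readable report."""
    return sorted({r for (_, r, _) in excess_grants(granted, required)})


def is_allowed(granted, namespace, resource_type, verb):
    """Authorization decision for one request against a grant set (namespace-scoped)."""
    return (namespace, resource_type, verb) in granted


if __name__ == "__main__":
    print("coarse role excess types:", excess_resource_types(COARSE_WAAP_ROLE, REQUIRED))
    print("fine-grained role excess grants:", len(excess_grants(FINE_GRAINED_ROLE, REQUIRED)))
    print("read-only role missing verbs:", sorted(v for (_, _, v) in missing_grants(READ_ONLY_ROLE, REQUIRED)))
```

Feeding the model the real contents of a role exported from the tenant (instead of the constructed placeholders) turns this into the evidence an auditor would attach to a least-privilege review.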

Impact:

  • Enables tighter controls for regulated environments and larger teams.

  • Guest
  • Sep 4 2025