As a service provider we have two classifications of an instance / virtual machine, Managed Service Provider Managed (MSPM) and Self Managed (SM). Both types can exist with in a Tenant. The problem we have is, we want users to be able to do different things with MSPM and SM instances / virtual machines. Today this is not possible as Morpheus permissions are granted at a user level. We have been given a work around, which is to user groups, however this only allows to make a group read-only or full.
Using the attached screenshots as reference, we would like to be able to control all the items in yellow, options being to enable or disable them, when disabled for the item to be either hidden or greyed out. This effectively gives us full control on what a user can do.
So RBAC can control the items within the list, but your access is additive so if a user has full access to 2 groups the access will be identical.
If the MSP managed systems should have no actions available, and the customer managed have some actions available, you could set group to read for the msp managed and group full to the customer managed. Then use the granular RBAC for the actions on the user role.
If the user needs some actions against 1 group and different actions against the other, currently you would either need to define alternate users, or represent the different sets of users with multiple tenants.