From 47015cd37ce34f99e342e02b57b81e7ea8193a3e Mon Sep 17 00:00:00 2001
From: Christian Hernandez <christianh814@users.noreply.github.com>
Date: Thu, 6 Jul 2023 09:55:09 -0700
Subject: [PATCH] docs: Added information about scopes (#2782) (#14354)

* Added information about scopes in the docs

Signed-off-by: Christian Hernandez <christian@chernand.io>

* Apply suggestions from code review

Co-authored-by: Dan Garfield <dan@codefresh.io>
Signed-off-by: Christian Hernandez <christianh814@users.noreply.github.com>

---------

Signed-off-by: Christian Hernandez <christian@chernand.io>
Signed-off-by: Christian Hernandez <christianh814@users.noreply.github.com>
Co-authored-by: Dan Garfield <dan@codefresh.io>
---
 docs/operator-manual/rbac.md | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/docs/operator-manual/rbac.md b/docs/operator-manual/rbac.md
index b6fdc87ac2e23..205ec9e2271bc 100644
--- a/docs/operator-manual/rbac.md
+++ b/docs/operator-manual/rbac.md
@@ -171,6 +171,33 @@ g, db-admins, role:staging-db-admins
 
 This example defines a *role* called `staging-db-admins` with *nine permissions* that allow that role to perform the *actions* (`create`/`delete`/`get`/`override`/`sync`/`update` applications, `get` logs, `create` exec and `get` appprojects) against `*` (all) objects in the `staging-db-admins` Argo CD AppProject.
 
+!!! note
+    The `scopes` field controls which OIDC scopes to examine during rbac
+    enforcement (in addition to `sub` scope). If omitted, defaults to:
+    `'[groups]'`. The scope value can be a string, or a list of strings.
+
+Following example shows targeting `email` as well as `groups` from your OIDC provider.
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-rbac-cm
+    app.kubernetes.io/part-of: argocd
+data:
+  policy.csv: |
+    p, my-org:team-alpha, applications, sync, my-project/*, allow
+    g, my-org:team-beta, role:admin
+    g, user@example.org, role:admin
+  policy.default: role:readonly
+  scopes: '[groups, email]'
+```
+
+For more information on `scopes` please review the [User Management Documentation](user-management/index.md).
+
 ## Policy CSV Composition
 
 It is possible to provide additional entries in the `argocd-rbac-cm`