RBAC and fine-grained access control for api keys

[JoeColeman95]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

My company began working with Ory a few months ago and have ran into a lot of issues thus far, the most glaring of them is the inability to restrict access to any invited users. Albeit, we can prevent a user from accessing all projects with project-only access, but it's still fairly limited with full-admin like rights to the project.

This can be problematic because there is a lack of logging, so changes can be made on a project that are breaking by a developer and it's impossible to trace who/what broke the configuration.

As such, we have created custom tooling to combat this and have had to revoke access to the UI.

This comes with drawbacks, because now we have prevented manual and breaking configuration changes, we have subsequently removed the ability for developers to debug or simply test workflows.

Describe your ideal solution

The ability to create groups, with access to specific projects configurable. This would allow us to restrict access to members to specific subsections of the UI, e.g:

• Group A can access Activity and User management
• Group B can access Activity, user management and permissions

Furthermore, fine-grain access tokens should be a standard for API keys. Again, I currently only have the option to give someone full admin to a project, or nothing at all.

Workarounds or alternatives

From what I can tell, there is no alternative to "all or nothing"

Version

Live

Additional Context

No response