Who can
Reverse RBAC lookup from Lineage's cached read-only inventory. This does not shell out to oc adm policy who-can; Lineage expands real Groups into member users and flags ghosts, baseline, and unclassified rows.
Results: list on secrets in payments-prod
9 rows shown (10 total)
| Subject | Path | Binding | Scope |
|---|---|---|---|
| Group platform-admins | direct | ClusterRoleBinding/platform-admins-cluster-admin | cluster-wide |
| User alice | via Group platform-admins | ClusterRoleBinding/platform-admins-cluster-admin | cluster-wide |
| User future-hire@company.com ghost | direct | ClusterRoleBinding/ghost-future-employee | cluster-wide |
| ServiceAccount pipeline (ci) ghost | direct | ClusterRoleBinding/ci-pipeline-clusteradmin | cluster-wide |
| ServiceAccount runner (legacy-pipelines) ghost | direct | ClusterRoleBinding/legacy-runner-admin | cluster-wide |
| Group engineers | direct | RoleBinding/secret-readers (payments-prod) | payments-prod |
| User alice | via Group engineers | RoleBinding/secret-readers (payments-prod) | payments-prod |
| User eve | via Group engineers | RoleBinding/secret-readers (payments-prod) | payments-prod |
| User nina-onboarding | via Group engineers | RoleBinding/secret-readers (payments-prod) | payments-prod |