fix(rbac): resolve RBAC regression for project-scoped resources in multi-namespace architecture (#25289)

[tcfwbper]

Summary

This PR fixes the RBAC regression for project-scoped resources in multi-namespace architecture (#25289)

The issue was caused by inappropriate migration when we introduced "applications in any namespaces".
I have updated the following areas to restore the expected behavior:

• Normalize policies when we load them from Configmap, AppProj, or CLI to ensure this pattern "proj/ns/app" without lossing backward compatibility.
• Aways verify permissions using "proj/ns/app".
• Added unit tests for policy normalization and updated current unit tests.

Checklist

• (b) this is a bug fix.
• The title of the PR states what changed and the related issues number.
• The title of the PR conforms to the Title of the PR.
• I've included "Fixes AppProject RBAC Policy to get logs does not work as documented for an 'Applications in any namespace' setup #25289" in the description.
• I've updated both the CLI and UI.
• Does this PR require documentation updates?
• I have signed off all my commits as required by DCO.
• I have written unit and/or e2e tests for my change.
• My build is green.
• I have added a brief description of why this PR is necessary.

Fixes #25289

[bunnyshell]

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

• 🔵 /bns:start to start the environment
• 🚀 /bns:deploy to redeploy the environment
• ❌ /bns:delete to remove the environment

[codecov]

Codecov Report

❌ Patch coverage is 97.14286% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.21%. Comparing base (8739f91) to head (b3cbc2a).
⚠️ Report is 43 commits behind head on master.

Files with missing lines	Patch %	Lines
cmd/argocd/commands/admin/project.go	83.33%	1 Missing ⚠️
cmd/argocd/commands/admin/settings_rbac.go	83.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #26573      +/-   ##
==========================================
+ Coverage   63.00%   63.21%   +0.21%     
==========================================
  Files         414      414              
  Lines       56153    56480     +327     
==========================================
+ Hits        35378    35703     +325     
+ Misses      17410    17405       -5     
- Partials     3365     3372       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[tcfwbper]

Dear reviewers, this guide might help you speed up reviewing.

The core changes of this PR are:

1. Load Policy
   • from argocd-rbac-cm (util/rbac/rbac.go)
   • from appproj (pkg/apis/application/v1alpha1/app_project_types.go)
2. CLI
   • argocd admin proj (cmd/argocd/commands/admin/project.go)
   • argocd admin settings (cmd/argocd/commands/admin/settings_rbac.go)
3. API calls
   • API server: authz verification requests (server/account/account.go)
   • RBACName: generate RBAC resource name for API calls (util/security/rbac.go)
4. Buildin policies (assets/builtin-policy.csv)
5. e2e tests (test/e2e/accounts_test.go)

Almost other changes are corresponding adjustment for unit tests

[tcfwbper]

FYI, I had some tests in my local environment.

Setup:

• accounts: admin, tester (non-admin local account)
• appproj: my-project
• app: test-app in argocd (default ns), test-app in my-app-team (any-ns)

Experiment:
adjust policies defined in appproj
a. "my-project/*/test-app"
b. "my-project/my-app-team/test-app"
c. "my-project/argocd/test-app"
d. "my-project/test-app"
then, try to get applications/logs from UI/CLI

Results: all of the results are as expected

Screen.Recording.2026-03-15.at.11.39.38.PM.mov

Screen.Recording.2026-03-15.at.11.55.22.PM.-.Compressed.with.FlexClip.mp4

[afzal442]

Suggested change

	if _, ok := seen[normalizedPolicy]; ok {
	for i, role := range proj.Spec.Roles {
	proj.Spec.Roles[i].Policies = normalizeUniquePolicies(role.Policies, proj.Namespace)
	}

[afzal442]

Suggested change

	// normalizeUniquePolicies normalizes and deduplicates a slice of policy strings.
	func normalizeUniquePolicies(policies []string, namespace string) []string {
	watched := make(map[string]struct{}, len(policies))
	result := make([]string, 0, len(policies))
	for _, policy := range policies {
	normalized := rbac.NormalizePolicy(policy, namespace)
	if _, ok := watched[normalized]; ok {
	continue
	}
	watched[normalized] = struct{}{}
	result = append(result, normalized)
	}
	return result
	}

[afzal442]

LGTM! Work like a charm. 🎉 Thanks @tcfwbper

[afzal442]

@ishitasequeira tagged you since you reviewed the approach