Customers would like the ability to restrict a delegate’s usage to a defined set of projects/pipelines, even when those projects span across multiple orgs.

Currently, if a delegate is scoped at the account level, it is technically available for all projects and teams. The only workaround today is to place all projects into a dedicated org and scope the delegate there. This is not feasible when the customer’s setup spans multiple orgs.

Sample Use Case:

Customer has a team that purchased dedicated hardware for CI builds. This hardware should only be used by specific pipelines/projects owned by that team, but their projects span across multiple orgs, so creating a single org to scope the delegate is not an option.

Current Behavior:

Delegates scoped at the account level are available to all projects. No way to enforce restrictions using OPA, RBAC, or other policy mechanisms.

Requested Behavior:

Ability to explicitly restrict which orgs/projects/pipelines can use a delegate, even if the delegate is scoped at the account level.