The only way for us to enable RBAC on environment related secrets is via OPA policies but this requires us to list individual users with the policy and does not support AD groups.

We're requesting support for AD groups.