We have configured our repository (Artifactory) connector at the account level, so that it can be shared among all orgs and projects. We are also encouraging developers to create service accounts (for example to be used in pipeline triggers) at the project level, so to follow the principle of lowest privilege. The problem is, if service account is created at project level, there is no way to grant access to Artifactory connector at the account level. That forces connector duplication.

This request is to fix it. Create a method to allow service accounts be granted permissions to the objects at the "higher" level.

Currently you can give a user privileges at each scope as they are provisioned at the account level but can be "re-provisioned" at the org or project scope. This isn't the case for Service Accounts so if you have a need for a service account managing an org or project also needing any account level permissions you must create all of the access at account level and use resource groups to target the relevant org/project. It would be much better to treat service accounts the same as users so they can be re-permissioned at the scopes you would like the service account to access.

Our use case example is we share a github connector at account level but want org admin and project admin service accounts. These latter accounts can't be used as they cannot create triggers because the shared github connector/secret permissions are not available to the account and therefore it can't create the trigger in the github repo. This means we now have a much more complex service account setup just for one shared connector/secret

Another option could be to allow service accounts at a lower scope be granted higher scope permissions but I think this would be more confusing than a cascading account option

It would be extremely helpful to have org-level connectors visible in a "read-only" way within projects within that org. Currently, if we give developers access to work within a project, we have to give them access to read objects within the org as well (the most prevalent being connectors). It would be extremely beneficial if these objects were shown in a read-only fashion within their org's projects to make it more clear what objects are actually available within a project for its pipelines.

User would like to see a feature where service accounts on the project-level are provided permissions to account-level resources such as templates. This would be for a use-case where there are hundreds of templates being used by multiple projects and would need access to these templates.