
[Feature Request] Global Read Access for Groups on All Namespaces

Open deepika-awasthi opened this issue 7 months ago • 0 comments

Is your feature request related to a problem? Please describe.

As an administrator, I need to assign a SCIM-synced group the read role on all namespaces within my Temporal Cloud account.

Currently, based on the tcld user-group set-access command's capabilities:

If I assign an --account-role of owner or admin, the group does get access to all namespaces. However, these roles grant full access, which violates the principle of least privilege when I only need read access.

If I use other --account-role options (like read, developer, etc., or none) and I want to grant namespace-specific roles, we are forced to use the --namespace-role flag, which requires explicitly listing each namespace (e.g., --namespace-role mynamespace.cwl3n-read).

This means there is no current tcld command or role combination that allows granting read access to all existing and future namespaces without listing each namespace individually or granting a full owner or admin account-level role.

Manually list every single namespace. Add a --namespace-role -read for each. Repeatedly update this command every time a new namespace is added to ensure the group maintains read access across all namespaces.

Describe the solution you'd like

Assign a SCIM-synced group the read role to all current and future namespaces without violating the principle of least privilege or incurring manual overhead.

Additional context

Upstart has requested this feature. Please find the Zd ticket link below: https://temporalsupport.zendesk.com/agent/tickets/13576

deepika-awasthi, Jun 18 '25 16:06
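
The per-namespace workaround described in the issue, as an added example that is not part of the original post and is not tcld's own code: it reports namespaces that lack a read grant for the group and rebuilds the `set-access` command line with one `--namespace-role` per namespace. The namespace names are constructed, the namespace and grant lists are assumed to be supplied by the caller, and `<group-selector>` is a placeholder because the page does not show how the group is identified.

```shell
#!/bin/sh
# Added example. Only "tcld user-group set-access", --account-role and
# --namespace-role come from the page; everything else is an assumption.

# missing_read_grants NAMESPACES GRANTS
# Prints, one per line, each namespace with no exact "<namespace>-read"
# entry in GRANTS. Both arguments are whitespace-separated lists.
missing_read_grants() {
    for ns in $1; do
        found=no
        for grant in $2; do
            if [ "$grant" = "$ns-read" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$ns"; fi
    done
}

# read_access_command ACCOUNT_ROLE NAMESPACES [GROUP_ARGS]
# Prints the set-access invocation with a read role for every namespace.
# GROUP_ARGS (how the group is selected) is appended verbatim if given.
read_access_command() {
    cmd="tcld user-group set-access --account-role $1"
    for ns in $2; do
        cmd="$cmd --namespace-role $ns-read"
    done
    if [ -n "${3:-}" ]; then cmd="$cmd $3"; fi
    printf '%s\n' "$cmd"
}

# Constructed sample data: three namespaces, one existing read grant.
NAMESPACES="orders.ex001 billing.ex002 audit.ex003"
GRANTS="orders.ex001-read"

echo "Namespaces without a read grant for the group:"
missing_read_grants "$NAMESPACES" "$GRANTS"

echo "Command to review before running:"
read_access_command read "$NAMESPACES" "<group-selector>"
```

The script only prints the command, so the generated role list can be reviewed before anything is changed; it has to be regenerated whenever a namespace is added, which is the overhead the request asks to remove.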