Currently roles are configured as a list inside the AtlasProject resource. I propose managing these as individual AtlasRole custom resources instead.

Consider a typical microservice based application with several microservices deployed by individual Helm charts, each sharing the same project and cluster. In this scenario the app developer may want to create custom roles for each app / group of apps with access to certain collections, eg to stop them from being able to read collections with sensitive data

Currently it is possible for apps to create their own users, but those users must assume one or more existing roles. The roles themselves are part of the AtlasProject custom resource, which makes it impossible to bundle roles as part of an application's helm chart. The roles must refer to databases and collections by name but those collections are created by the applications and not necessarily known at the time the cluster is created. This means the project config must be updated each time a new application requiring a custom role is added.

To make role management easier, you could create an AtlasRole custom resource which would allow roles to be added and removed when installing the applications that utilise them and not require edits to the AtlasProject config.