I have a use case where I need to limit certain catalog items to specific teams within the same tenant. For example, only the network team can access Catalog Items related to network. On the other hand, I do not want to limit the team’s access to tenant resources such as virtual machines and hosts, and actions on the resources can be controlled by roles and assigned to specific groups.
I know that we have tags to control access to catalog items, but in this case I will need to tag all the objects and not only catalog items. There is no mechanism to limit the tagging scope only to a Service Catalog.
Is there any other approach to achieve the goal?