This is a limitation of how we performed RBAC checks in 3.11. It has been addressed in OpenShift 4.2 where we have switched to SelfSubjectAccessReview requests for more precise checks. https://github.com/openshift/console/pull/1559
4.2.0-0.nightly-2019-07-24-000310 console image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:f58dc76257ca8c4abf49c18cc982a529a0edbb797e921a4a7a02ad6909ac1112 Tried the scenario in comment 1 on ocp 4.2 env with above version with step: 1. Create the both the roles as mentioned in comment 1. 2. Grant both the role to the user to view namespaces/projects and edit configmaps 3. Try logging in to the console and then try editing the configmap. Now the "Save" button on edit yaml page is enabled. Update content in the configmap, then click "Save", it succeeds.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922