diff --git a/k8s-peterg/argo-workflows/values.yaml b/k8s-peterg/argo-workflows/values.yaml
index 132126a..7653f1b 100644
--- a/k8s-peterg/argo-workflows/values.yaml
+++ b/k8s-peterg/argo-workflows/values.yaml
@@ -815,6 +815,10 @@ server:
 name: argo-workflows-sso
 key: client-secret
 redirectUrl: https://workflows.peterg.nl/oauth2/callback
+ scopes:
+ - groups
+ rbac:
+ enabled: true
 # -- Extra containers to be added to the server deployment
 extraContainers: []
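Review bot: `scopes` is set to the single entry `groups`; if the chart passes this list to the server verbatim it may replace rather than extend the default scope set, so confirm that `openid` (and any `profile`/`email` claim the deployment relies on) is still requested or appended by the server, otherwise write the list out in full, e.g. `scopes: [openid, profile, email, groups]`. Turning on `rbac.enabled: true` also means an SSO login that matches no `workflows.argoproj.io/rbac-rule` annotation is refused, so this hunk only works together with ServiceAccounts carrying such rules (the commit adds two further down). The `server:` block this hunk edits continues outside the hunk.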
@@ -850,30 +854,36 @@ server:
 successThreshold: 1
 # -- Array of extra K8s manifests to deploy
-extraObjects: []
- # - apiVersion: secrets-store.csi.x-k8s.io/v1
- # kind: SecretProviderClass
- # metadata:
- # name: argo-server-sso
- # spec:
- # provider: aws
- # parameters:
- # objects: |
- # - objectName: "argo/server/sso"
- # objectType: "secretsmanager"
- # jmesPath:
- # - path: "client_id"
- # objectAlias: "client_id"
- # - path: "client_secret"
- # objectAlias: "client_secret"
- # secretObjects:
- # - data:
- # - key: client_id
- # objectName: client_id
- # - key: client_secret
- # objectName: client_secret
- # secretName: argo-server-sso-secrets-store
- # type: Opaque
+extraObjects:
+ - apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: admin-user
+ annotations:
+ # The rule is an expression used to determine if this service account
+ # should be used.
+ # * `groups` - an array of the OIDC groups
+ # * `iss` - the issuer ("argo-server")
+ # * `sub` - the subject (typically the username)
+ # Must evaluate to a boolean.
+ # If you want an account to be the default to use, this rule can be "true".
+ # Details of the expression language are available in
+ # https://expr-lang.org/docs/language-definition.
+ workflows.argoproj.io/rbac-rule: "'admin' in groups"
+ # The precedence is used to determine which service account to use when
+ # Precedence is an integer. It may be negative. If omitted, it defaults to "0".
+ # Numerically higher values have higher precedence (not lower, which maybe
+ # counter-intuitive to you).
+ # If two rules match and have the same precedence, then which one used will
+ # be arbitrary.
+ workflows.argoproj.io/rbac-rule-precedence: "1"
+ - apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: read-only
+ annotations:
+ workflows.argoproj.io/rbac-rule: "true"
+ workflows.argoproj.io/rbac-rule-precedence: "0"
 # -- Use static credentials for S3 (eg. when not using AWS IRSA)
 useStaticCredentials: true
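Review bot: Both ServiceAccounts are created without any Role/RoleBinding in this hunk, so what `admin-user` and `read-only` may actually do is not visible here; if the bindings live elsewhere a comment pointing to them would help, and if they do not exist the names are only labels and the admin mapping grants nothing beyond the read-only one. The `read-only` rule `"true"` at precedence `"0"` is a catch-all: every user the IdP authenticates who is not in the `admin` group (or whose token carries no `groups` claim at all) is mapped to it, so its bindings set the baseline access of anyone able to log in — worth stating above it, e.g. `# Catch-all: any SSO user not matched by a higher-precedence rule lands here; keep its RoleBinding minimal.` The server also needs a token Secret (type `kubernetes.io/service-account-token`) for each ServiceAccount it impersonates via SSO RBAC, which newer Kubernetes releases no longer create automatically and which this hunk does not add — confirm one is provisioned for both accounts.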