Granular RBAC can be applied and enforced on cloud objects using the field restrict_cloud_read_access in controllerproperties using the CLI.

This field is set to False by default. To enforce label-based permissions on cloud objects, set the field restrict_cloud_read_access to True as shown below.

[admin:ctrl]: > configure controller properties
[admin:ctrl]: controllerproperties> restrict_cloud_read_access
Overwriting the previously entered value for restrict_cloud_read_access
[admin:ctrl]: controllerproperties> save