Configure Chef Server RBACs to restrict user group to nodes based on environment

Ohai Chefs,

I’m trying to manipulate Chef Server Role Based Access Controls such that, for example, users in the dev group have admin access to nodes in the dev environment, but no other nodes.

From what I can gather, restricting a group to a particular environment only impacts access to the environment object. I’m interested in restricting access to all nodes associated with a particular environment, both existing and new, so that I don’t have to manually update access on a per-node basis.

Is this possible? If so, would appreciate the education. Cheers.

Todd Michael