To make this management easier, Jenkins X creates a new Custom Resource called EnvironmentRoleBinding which allows you to associate a Role labeled with jenkins.io/kind=EnvironmentRole with as many Users or ServiceAccounts as you like. As Environments are created or the Role or EnvironmentRoleBinding in the Dev environment is modified, the role controller ensures that the configuration is replicated to all the environment namespaces by creating or updating all of the Role and RoleBindings per namespace.
Roles are per Team so it is possible to have special roles per team, or to use common names for roles but have them customized for each team.
Security Implications for the admin namespace
Jenkins X stores various configuration and settings (e.g., Users, Teams) in the main admin namespace (jx). Be careful when granting roles in the default jx team as allowing users to edit some of these files may allow them to escalate their permissions.
Instead of granting non-admin users access to the jx namespace, create teams and grant users access to those when using a shared cluster.
Jenkins X ships with a collection of default Role objects you can use in the jenkins-x-platform template. You can create your own if you wish, but any edits may be lost when Jenkins X is upgraded.