diff --git a/charts/base-cluster/ci/rbac-emails-values.yaml b/charts/base-cluster/ci/rbac-emails-values.yaml new file mode 100644 index 0000000000..e2cc2cab95 --- /dev/null +++ b/charts/base-cluster/ci/rbac-emails-values.yaml @@ -0,0 +1,49 @@ +global: + namespaces: + my-fav-ns: {} + my-second-fav-nv: {} +rbac: + roles: + admin: + - apiGroups: + - metrics.k8s.io + resources: + - pods + verbs: + - get + - patch + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' + - nonResourceURLs: + - '*' + verbs: + - '*' + edit: + - apiGroups: + - '' + resources: + - pods + verbs: + - update + - patch + accounts: + test@example.com: + roles: + edit: + - my-fav-ns + clusterRoles: + - admin + test2: + roles: + admin: + - my-fav-ns + edit: + - my-fav-ns + - my-second-fav-nv + clusterRoles: + - edit + - admin diff --git a/charts/base-cluster/ci/rbac-values.yaml b/charts/base-cluster/ci/rbac-values.yaml index 76024bba7c..8e6919f6f3 100644 --- a/charts/base-cluster/ci/rbac-values.yaml +++ b/charts/base-cluster/ci/rbac-values.yaml @@ -2,8 +2,6 @@ global: namespaces: my-fav-ns: {} my-second-fav-nv: {} - clusterName: test - serviceLevelAgreement: None rbac: roles: admin: @@ -49,6 +47,3 @@ rbac: clusterRoles: - edit - admin -monitoring: - grafana: - adminPassword: test diff --git a/charts/base-cluster/templates/NOTES.txt b/charts/base-cluster/templates/NOTES.txt index 08f6b2784a..1163ad98cc 100644 --- a/charts/base-cluster/templates/NOTES.txt +++ b/charts/base-cluster/templates/NOTES.txt @@ -43,7 +43,7 @@ Password: $ kubectl -n monitoring get secret {{ $secretName | quote }} -o json | {{- if .Values.rbac.accounts }} === -Use the following commands to create a kubeconfig for an account; +Use the following commands to create a kubeconfig for an account if it's not a user with an email, for that you use OIDC as per your hoster; function generateKubeconfig() { local user="${1?Missing user parameter}" 
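Review bot: The reworded instruction line in the `@@ -43,7 +43,7 @@` hunk is hard to parse ("for an account if it's not a user with an email, for that you use OIDC as per your hoster;"), and it should state the rule the templates actually apply now that accounts.yaml skips every key containing "@". Suggested text: `Use the following commands to create a kubeconfig for a service account (account keys without an "@"). Accounts keyed by an e-mail address are OIDC users; obtain their kubeconfig from the identity provider configured on your cluster, no ServiceAccount or token Secret is created for them.` The generateKubeconfig function that follows this line continues outside the hunk.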
@@ -71,5 +71,6 @@ users: EOF } +# example usage: $ generateKubeconfig {{ .Values.rbac.accounts | keys | first }} {{- end -}} diff --git a/charts/base-cluster/templates/rbac/accounts.yaml b/charts/base-cluster/templates/rbac/accounts.yaml index f75cceffef..99b7abde49 100644 --- a/charts/base-cluster/templates/rbac/accounts.yaml +++ b/charts/base-cluster/templates/rbac/accounts.yaml @@ -1,5 +1,6 @@ {{- range $name := .Values.rbac.accounts | keys -}} {{- $fullName := printf "%s-%s" (include "common.names.fullname" $) $name -}} + {{- if not (contains "@" $name) -}} --- apiVersion: v1 kind: ServiceAccount @@ -19,4 +20,5 @@ metadata: annotations: kubernetes.io/service-account.name: {{ $fullName }} type: kubernetes.io/service-account-token -{{ end -}} \ No newline at end of file + {{ end -}} +{{- end -}} diff --git a/charts/base-cluster/templates/rbac/roleBindings.yaml b/charts/base-cluster/templates/rbac/roleBindings.yaml index 309428e5d0..b948c3c1b1 100644 --- a/charts/base-cluster/templates/rbac/roleBindings.yaml +++ b/charts/base-cluster/templates/rbac/roleBindings.yaml 
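Review bot: The example usage added in the `@@ -71,5 +71,6 @@` hunk can name an account that has no ServiceAccount: `.Values.rbac.accounts | keys | first` picks whichever key comes first, and since this commit keys containing "@" are OIDC users for which accounts.yaml renders no ServiceAccount or token Secret, so the printed `generateKubeconfig` call would fail for them. Sprig documents `keys` as returning keys in no particular order, so the example is also not stable across renders. Filter the keys down to the service-account names (sorted) and keep the example conditional on that list being non-empty; the enclosing `{{- if .Values.rbac.accounts }}` opens outside this hunk and would likewise benefit from that check.
```text
{{- $saAccounts := list -}}
{{- range $name := .Values.rbac.accounts | keys | sortAlpha -}}
  {{- if not (contains "@" $name) -}}
    {{- $saAccounts = append $saAccounts $name -}}
  {{- end -}}
{{- end -}}
{{- if $saAccounts }}
# example usage:
$ generateKubeconfig {{ first $saAccounts }}
{{- end }}
```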
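Review bot: In accounts.yaml's `@@ -1,5 +1,6 @@` hunk, `{{- if not (contains "@" $name) -}}` is the only thing deciding whether an account key is an OIDC user or a ServiceAccount, and the same substring test is repeated inside the new `base-cluster.rbac.subjects` helper in roleBindings.yaml, yet nothing here says why "@" is the discriminator. Add a comment above the test, e.g. `{{- /* Keys containing "@" are OIDC users (bound as kind: User); only the other keys get a ServiceAccount and a token Secret. */ -}}`, and consider moving the test into one named template (for example `base-cluster.rbac.isUser`) included from both files so the two cannot drift. `$fullName` is still computed for the skipped e-mail keys; harmless, but it could move below the `if`.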
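Review bot: The inner `{{ end -}}` added in accounts.yaml's `@@ -19,4 +20,5 @@` hunk appears to be indented (the collapsed diff shows a leading space, as it does for the new `{{- if` line), and it has no left-trim marker, so the newline plus that indentation is emitted after `type: kubernetes.io/service-account-token` on every iteration and the next iteration's `---` no longer starts at column 0; verify with `helm template`, since the exact indent is not visible here. A `---` that is not at the start of a line is not a document separator, so consecutive ServiceAccount/Secret documents would be glued into one invalid document. The removed `{{ end -}}` worked precisely because it let one bare newline through, so keep this line at column 0 rather than switching it to `{{- end -}}`, which would drop the newline entirely and produce `...service-account-token---`.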
@@ -1,6 +1,19 @@ {{- $roles := include "base-cluster.rbac.roles" (dict "accounts" .Values.rbac.accounts "roles" (.Values.rbac.roles | keys) "namespaces" (include "base-cluster.enabled-namespaces" . | fromYaml | keys)) | fromYaml -}} {{- $definedRoles := .Values.rbac.roles | keys -}} +{{- define "base-cluster.rbac.subjects" -}} + {{- $_ := mustMerge . (pick .context "Release") -}} + {{- $subjects := list -}} + {{- range $account := .accounts -}} + {{- if contains "@" $account -}} + {{- $subjects = append $subjects (dict "kind" "User" "name" $account) -}} + {{- else -}} + {{- $subjects = append $subjects (dict "kind" "ServiceAccount" "namespace" $.Release.Namespace "name" (printf "%s-%s" (include "common.names.fullname" $.context) $account)) -}} + {{- end -}} + {{- end }} + {{- toYaml $subjects -}} +{{- end -}} + {{- range $roleName, $roleMapping := $roles -}} {{- $clusterMapping := dig "clusterMapping" (dict) $roleMapping -}} {{- $namespaceMapping := dig "namespaceMapping" (dict) $roleMapping -}} @@ -15,12 +28,7 @@ metadata: labels: {{- include "common.labels.standard" $ | nindent 4 }} app.kubernetes.io/component: rbac namespace: {{ $namespace }} -subjects: - {{- range $account := $accounts }} - - kind: ServiceAccount - namespace: {{ $.Release.Namespace }} - name: {{ printf "%s-%s" (include "common.names.fullname" $) $account }} - {{- end }} +subjects: {{- include "base-cluster.rbac.subjects" (dict "accounts" $accounts "context" $) | nindent 2 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
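Review bot: `{{- $_ := mustMerge . (pick .context "Release") -}}` mutates the dict passed to `base-cluster.rbac.subjects` only so that `$.Release.Namespace` resolves inside the `range`; the same value is already reachable as `$.context.Release.Namespace`, so the merge can be dropped and the ServiceAccount line changed to `{{- $subjects = append $subjects (dict "kind" "ServiceAccount" "namespace" $.context.Release.Namespace "name" (printf "%s-%s" (include "common.names.fullname" $.context) $account)) -}}`. If the merge is kept, a comment explaining it is needed, because a reader will otherwise look for a `Release` key in the caller's dict. The helper should also document that the `User` subject name is the values key verbatim: the binding only takes effect if the API server presents the OIDC identity exactly that way, including any configured username prefix and the same letter case, since RBAC matches subject names as plain strings. Stylistically the define would conventionally live in `_helpers.tpl` rather than between two top-level statements of this file; the enclosing `range $roleName, $roleMapping` continues outside the hunk.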
@@ -34,12 +42,7 @@ metadata:
 name: {{ $roleBindingFullName }}
 labels: {{- include "common.labels.standard" $ | nindent 4 }}
 app.kubernetes.io/component: rbac
-subjects:
- {{- range $account := $clusterMapping }}
- - kind: ServiceAccount
- namespace: {{ $.Release.Namespace }}
- name: {{ printf "%s-%s" (include "common.names.fullname" $) $account }}
- {{- end }}
+subjects: {{- include "base-cluster.rbac.subjects" (dict "accounts" $clusterMapping "context" $) | nindent 2 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole