It would be useful to have a separation of administrative privileges over AM via the Amster CLI. The proposed solution works by integrating Amster with Open Policy Agent, thus allowing each authenticated Amster command to be authorized or denied based on a Rego policy file defined in OPA. This can be easily performed via OpenID Connect JWT tokens, and maybe also via SSO tokens.
This way you have absolute fine-grained control over who can perform every single administrative action over AM.
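As an added illustration (not part of this proposal, and not code from Amster, AM or OPA), here is what such a Rego policy could look like. The input shape (token, command, entity, realm), the JWKS location in OPA data, the issuer and audience values, and the "roles" claim are all assumptions about a hypothetical Amster-to-OPA hook; the role names and their permission mappings are constructed examples.

```rego
# Illustrative Rego policy for authorizing Amster commands (assumed integration, not shipped code).
# Assumed input posted by a hypothetical Amster hook:
#   input.token   - the OIDC JWT the operator authenticated with
#   input.command - the Amster command, e.g. "create", "read", "update", "delete", "query", "export-config"
#   input.entity  - the Amster entity, e.g. "Policies", "Applications"
#   input.realm   - the target realm, e.g. "/alpha"
# data.amster.jwks - AM's JWKS, loaded into OPA as a data document (assumption)
package amster.authz

import future.keywords.if
import future.keywords.in

default allow := false

# Verify signature, issuer and audience before trusting any claim in the token.
claims := payload if {
	[valid, _, payload] := io.jwt.decode_verify(input.token, {
		"cert": data.amster.jwks,
		"iss": "https://am.example.com/am/oauth2", # assumed issuer
		"aud": "amster",                            # assumed audience
	})
	valid
}

# Constructed role -> permission mapping, keyed by a "roles" claim in the token (assumption).
role_permissions := {
	"policy-admin": {
		"commands": {"create", "read", "update", "delete", "query"},
		"entities": {"Policies", "Applications"},
		"realms": {"/alpha"},
	},
	"auditor": {
		"commands": {"read", "query"},
		"entities": {"*"},
		"realms": {"*"},
	},
	"config-admin": {
		"commands": {"export-config", "import-config"},
		"entities": {"*"},
		"realms": {"*"},
	},
}

# Allow when at least one verified role permits this command on this entity in this realm.
allow if {
	some role in claims.roles
	perm := role_permissions[role]
	input.command in perm.commands
	in_scope(perm.entities, input.entity)
	in_scope(perm.realms, input.realm)
}

# A "*" entry matches anything; otherwise the value must be listed explicitly.
in_scope(allowed, _) if "*" in allowed
in_scope(allowed, value) if value in allowed

# A denial reason the Amster wrapper could surface to the operator.
deny_reason := "token invalid or not issued for amster" if not claims
deny_reason := "no role grants this command on this entity/realm" if {
	claims
	not allow
}
```

The wrapper would POST `{"input": {...}}` to OPA's Data API at `/v1/data/amster/authz/allow` (or `.../deny_reason`) and only forward the command to AM on `true`. For local experimentation the same policy can be evaluated with `opa eval -i input.json -d policy.rego -d data.json data.amster.authz`. Note that the token is verified inside the policy, so the authorization decision never rests on unverified claims even if the Amster side is misconfigured.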
The ultimate enhancement would be to limit AM's web console via OPA too. So if a user has "Policy Administration" privileges, he/she would only see "Policy Administration" components in the user interface (e.g. https://youtu.be/XEHeexPpgrA?t=483).