Chapter 4. Configuring user access for your private automation hub
You can manage user access to content and features in automation hub by creating groups of users that have specific permissions.
4.1. Implementing user access
User access is based on managing permissions to system objects (users, groups, namespaces) rather than by assigning permissions individually to specific users.
You assign permissions to the groups that you create. You can then assign users to these groups. This means that each user in a group has the permissions assigned to that group.
Groups created in private automation hub can range from system administrators responsible for governing internal collections, configuring user access, and repository management to groups with access to organize and upload internally developed content to the private automation hub.
Additional resources
- See Automation Hub permissions for information on system permissions.
4.1.1. Default user access for private automation hub
When you install automation hub, the system automatically creates the default admin user in the Admin group. The Admin group is assigned all permissions in the system.
The following sections describe the workflows associated with organizing your users who will access private automation hub and providing them with required permissions to reach their goals. See the permissions reference table for a full list and description of all permissions available.
4.1.2. Creating a new group in private automation hub
You can create and assign permissions to a group in private automation hub that enables users to access specified features in the system. By default, the Admin group in the automation hub has all permissions assigned and is available on initial login. Use the credentials created when installing private automation hub.
For more information, see Creating a new group in private automation hub in the Getting started with automation hub guide.
4.1.3. Assigning permissions to groups
By default, new groups do not have any assigned permissions. You can assign permissions to groups in private automation hub that enable users to access specific features in the system.
You can add permissions when first creating a group or edit an existing group to add or remove permissions
For more information, see Assigning permissions to groups in the Getting started with automation hub guide.
4.1.4. Creating new users and giving them permissons
After you create a user in private automation hub, you can give them permissions by adding them to groups. Each group that can access features in the system associated to the level of assigned permissions.
Prerequisites
- You have user permissions and can create users in private automation hub.
Procedure
- Log in to your private automation hub.
-
From the navigation panel, select
. - Click .
- Enter information in the field. Username and Password are required.
- Optional: To assign the user to a group, click the Groups field and select from the list of groups.
- Click .
The new user is now displayed in the list on the Users page.
4.1.5. Creating a super user
If you want to spread administration across your team, you can create a super user in private automation hub.
Prerequisites
- You must be a Super user.
Procedure
- Log in to your private automation hub.
-
From the navigation panel, select
. - Select the user that you want to make a super user. The User details for that user are displayed.
- Under User type, select Super User.
The user now has Super user permissions.
4.1.6. Adding users to existing groups
You can add users to groups when you create a group. But, you can also manually add users to existing groups.
For more information, see Adding users to existing groups in the Getting started with automation hub guide.
4.1.7. Creating a new group for content curators
You can create a new group in private automation hub designed to support content curation in your organization. This group can contribute internally developed collections for publication in private automation hub.
To help content developers create a namespace and upload their internally developed collections to private automation hub, you must first create and edit a group and assign the required permissions.
Prerequisites
- You have administrative permissions in private automation hub and can create groups.
Procedure
- Log in to your private automation hub.
-
From the navigation panel, select
and click . - Enter Content Engineering as a Name for the group in the modal and click . You have created the new group and the Groups page opens.
- On the Permissions tab, click .
- Under Namespaces, add permissions for Add Namespace, Upload to Namespace, and Change Namespace.
Click .
The new group is created with the permissions that you assigned. You can then add users to the group.
- Click the Users tab on the Groups page.
- Click .
- Select users and click .
4.1.8. Automation hub permissions
Permissions provide a defined set of actions each group can perform on a given object. Determine the required level of access for your groups based on the permissions described in this table.
| Object | Permission | Description |
|---|---|---|
| collection namespaces | Add namespace Upload to namespace Change namespace Delete namespace | Groups with these permissions can create, upload collections, and delete a namespace. |
| collections | Modify Ansible repo content Delete collections | Groups with this permission can perform these actions: Move content between repositories by using the Approval feature. Certify or reject features to move content from the staging to published or rejected repositories. Delete collections. |
| users | View user Delete user Add user Change user | Groups with these permissions can manage user configuration and access in private automation hub. |
| groups | View group Delete group Add group Change group | Groups with these permissions can manage group configuration and access in private automation hub. |
| collection remotes | Change collection remote View collection remote |
Groups with these permissions can configure a remote repository by navigating to |
| containers | Change container namespace permissions Change containers Change image tags Create new containers Push to existing containers Delete container repository | Groups with these permissions can manage container repositories in private automation hub. |
| remote registries | Add remote registry Change remote registry Delete remote registry | Groups with these permissions can add, change, or delete remote registries added to private automation hub. |
| task management | Change task Delete task View all tasks | Groups with these permissions can manage tasks added to Task Management in private automation hub. |
4.1.9. Deleting a user from private automation hub
When you delete a user account, the name and email of the user are permanently removed from private automation hub.
Prerequisites
- You have user permissions in private automation hub.
Procedure
- Log in to private automation hub.
-
From the navigation panel, select
. - Click to display a list of the current users.
- Click the icon ⋮ icon beside the user that you want to remove, then click .
- Click in the warning message to permanently delete the user.
4.2. Enable view-only access for your private automation hub
By enabling view-only access, you can grant access for users to view collections or namespaces on your private automation hub without requiring them to log in. View-only access allows you to share content with unauthorized users while restricting their ability to view or download source code. They will not have permissions to edit anything on your private automation hub.
To enable view-only access for your private automation hub, you must edit the inventory file on your Red Hat Ansible Automation Platform installer.
-
If you are installing a new instance of Ansible Automation Platform, add the
automationhub_enable_unauthenticated_collection_accessandautomationhub_enable_unauthenticated_collection_downloadparameters to yourinventoryfile along with your other installation configurations: -
If you are updating an existing Ansible Automation Platform installation to include view-only access, add the
automationhub_enable_unauthenticated_collection_accessandautomationhub_enable_unauthenticated_collection_downloadparameters to yourinventoryfile and then run thesetup.shscript to apply the updates:
Procedure
Navigate to the installer.
- Bundled installer
$ cd ansible-automation-platform-setup-bundle-<latest-version>
- Online installer
$ cd ansible-automation-platform-setup-<latest-version>
-
Open the
inventoryfile with a text editor. Add the
automationhub_enable_unauthenticated_collection_accessandautomationhub_enable_unauthenticated_collection_downloadparameters to the inventory file and set both toTrue, following the example below:[all:vars] automationhub_enable_unauthenticated_collection_access = True 1 automationhub_enable_unauthenticated_collection_download = True 2
-
Run the
setup.shscript. The installer enables view-only access to your private automation hub.
Verification
After the installation is complete, verify that you have view-only access on your private automation hub by attempting to view content on your private automation hub without logging in.
- Navigate to your private automation hub.
- On the login screen, click .
Verify that you are able to view content on your automation hub, such as namespaces or collections, without having to log in.
