Chapter 5. Managing access with role based access control
Role-based access control (RBAC) restricts user access based on their role within an organization to which they are assigned in Ansible Automation Platform. The roles in RBAC refer to the levels of access that users have to the Ansible Automation Platform components and resources.
You can control what users can do with the components of Ansible Automation Platform at a broad or granular level depending on your RBAC policy. You can designate whether the user is a system administrator or normal user and align roles and access permissions with their positions within the organization.
Roles can be defined with multiple permissions that can then be assigned to resources, teams and users. The permissions that make up a role dictate what the assigned role allows. Permissions are allocated with only the access needed for a user to perform the tasks appropriate for their role.
5.1. Organizations
An organization is a logical collection of users, teams, and resources. It is the highest level object in the Ansible Automation Platform object hierarchy. After you have created an organization, Ansible Automation Platform displays the organization details. You can then manage access and execution environments for the organization. Ansible Automation Platform automatically creates a default organization and the system administrator is automatically assigned to this organization. If you have a Self-support level license, you have only the default organization available and must not delete it.
5.1.1. Organizations list view
The Organizations page displays the existing organizations for your installation. From here, you can search for a specific organization, filter the list of organizations, or change the sort order for the list.
Procedure
- From the navigation panel, select .
- In the Search bar, enter an appropriate keyword for the organization you want to search for and click the arrow icon.
- From the menu bar, you can sort the list of organizations by using the arrows for Name to toggle your sorting preference.
- You can also sort the list by selecting Name, Created or Last modified from the Sort list.
- You can view organization details by clicking an organization Name on the Organizations page.
5.1.2. Creating an organization
Ansible Automation Platform automatically creates a default organization. If you have a self-support level license, you have only the default organization available and cannot delete it.
Procedure
- From the navigation panel, select .
- Click .
- Enter the Name and optionally provide a Description for your organization.
  Note: If automation controller is enabled on the platform, continue with Step 4. Otherwise, proceed to Step 6.
- Select the name of the Execution environment or search for one that exists that members of this team can run automation.
- Enter the name of the Instance Groups on which to run this organization.
- Optional: Enter the Galaxy credentials or search from a list of existing ones.
- Select the Max hosts for this organization. The default is 0. When this value is 0, it signifies no limit. If you try to add a host to an organization that has reached or exceeded its cap on hosts, an error message displays:
You have already reached the maximum number of 1 hosts allowed for your organization. Contact your System Administrator for assistance.
- Click .
- If you selected more than 1 instance group, you can manage the order by dragging and dropping the instance group up or down in the list and clicking .
  Note: The execution precedence is determined by the order in which the instance groups are listed.
- Click and verify the organization settings.
- Click .
5.1.3. Access to organizations
You can manage access to an organization by selecting an organization from the Organizations list view and selecting the associated tabs for providing access to Users, Administrators or Teams.
5.1.3.1. Adding a user to an organization
You can provide a user with access to an organization by adding them to the organization and managing the roles associated with the user. To add a user to an organization, the user must already exist. For more information, see Creating a user. To add roles for a user, the role must already exist. See Creating a role for more information.
The following tab selections are available when adding users to an organization. When user accounts from the automation controller organization have been migrated to Ansible Automation Platform 2.5 during the upgrade process, the Automation Execution tab shows content based on whether the users were added to the organization prior to migration.
- Ansible Automation Platform
- Reflects all users added to the organization at the platform level. From this tab, you can add users as organization members and, optionally provide specific organization level roles.
- Automation Execution
- Reflects users that were added directly to the automation controller organization prior to an upgrade and migration. From this tab, you can only view existing memberships in automation controller and remove those memberships; you cannot add new memberships.
New user memberships to an organization must be added at the platform level.
Procedure
- From the navigation panel, select .
- From the Organizations list view, select the organization to which you want to add a user.
- Click the Users tab to add users.
- Select the Ansible Automation Platform tab and click to add user access to the organization, or select the Automation Execution tab to view or remove user access from the organization.
- Select one or more users from the list by clicking the checkbox next to the name to add them as members.
- Click .
- Select the roles you want the selected user to have. Scroll down for a complete list of roles.
  Note: If you have multiple Ansible Automation Platform components installed, you will see selections for the roles associated with each component in the Roles menu bar. For example, Automation Execution for automation controller roles, Automation Decisions for Event-Driven Ansible roles.
- Click to review the roles settings.
- Click to apply the roles to the selected users, and to add them as members. The Add roles dialog displays the updated roles assigned for each user.
  Note: A user with associated roles retains them if they are reassigned to another organization.
- To remove a particular user from the organization, select Remove user from the More actions ⋮ list next to the user. This launches a confirmation dialog, asking you to confirm the removal.
- To manage roles for users in an organization, click the ⚙ icon next to the user and select Manage roles.
5.1.3.2. Adding an administrator to an organization
You can add administrators to an organization which allows them to manage the membership and settings of the organization. For example, they can create new users and teams within the organization, and grant permission to users within the organization. To add an administrator to an organization, the user must already exist.
Procedure
- From the navigation panel, select .
- From the Organizations list view, select the organization to which you want to add a user, administrator, or team.
- Click the Administrators tab.
- Click .
- Select the users from the list by clicking the checkbox next to the name to assign the administrator role to them for this organization.
- Click .
- To remove a particular administrator from the organization, select Remove administrator from the More actions ⋮ list next to the administrator name. This launches a confirmation dialog, asking you to confirm the removal.
  Note: If the user had previously been added as a member to this organization, they will continue to be a member of this organization. However, if they were added to the organization when the administrator assignment was made, they will be removed from the organization.
5.1.3.3. Adding a team to an organization
You can provide team access to an organization by adding roles to the team. To add roles to a team, the team must already exist in the organization. For more information, see Creating a team. To add roles for a team, the role must already exist. See Creating a role for more information.
Procedure
- From the navigation panel, select .
- From the Organizations list view, select the organization to which you want to add team access.
- Click the Teams tab. If no teams exist, click to create a team and add it to this organization.
- Click .
- Select the roles you want the selected team to have. Scroll down for a complete list of roles.
  Note: If you have multiple Ansible Automation Platform components installed, you will see selections for the roles associated with each component in the Roles menu bar. For example, Automation Execution for automation controller roles, Automation Decisions for Event-Driven Ansible roles.
- Click to review the roles settings.
- Click to apply the roles to the selected teams. The Add roles dialog displays the updated roles assigned for each team.
- Click .
  Note: A team with associated roles retains them if they are reassigned to another organization.
- To manage roles for teams in an organization, click the ⚙ icon next to the team and select Manage roles.
5.1.3.4. Deleting an organization
Before you can delete an organization, you must be an Organization administrator or System administrator. When you delete an organization, the organization and its teams, users, and resources are permanently removed from Ansible Automation Platform.
When you attempt to delete items that are used by other resources, a message is displayed warning you that the deletion might impact other resources and prompts you to confirm the deletion. Some screens contain items that are invalid or have been deleted previously, and will fail to run.
Procedure
- From the navigation panel, select .
- Click the ⋮ icon next to the organization you want removed and select Delete organization.
- Select the confirmation checkbox and click to proceed with the deletion. Otherwise, click .
  Note: You can delete multiple organizations by selecting the checkbox next to each organization you want to remove, and selecting Delete selected organizations from the More actions ⋮ list on the menu bar.
5.1.4. Working with notifiers
When automation controller is enabled on the platform, you can review any notifier integrations you have set up and manage their settings within the organization resource.
Procedure
- From the navigation panel, select .
- From the Organizations list view, select the organization for which you want to manage notifications.
- Select the Notification tab.
- Use the toggles to enable or disable the notifications to use with your particular organization. For more information, see Enable and disable notifications.
- If no notifiers have been set up, select from the navigation panel.
For information on configuring notification types, see Notification types.
5.1.5. Working with execution environments
When automation controller is enabled on the platform, you can review any execution environments you have set up and manage their settings within the organization resource.
For more information about execution environments, see Execution environments in Using automation execution guide.
Procedure
- From the navigation panel, select .
- From the Organizations list view, select the organization whose execution environments you want to manage.
- Select the Execution Environments tab.
- If no execution environments are available, click to create one. Alternatively, you can create an execution environment from the navigation panel by selecting . Click .
  Note: After creating a new execution environment, return to and select the organization in which you created the execution environment to update the list on that tab.
- Select the execution environments to use with your particular organization.
5.2. Teams
A team is a subdivision of an organization with associated users and resources. Teams provide a means to implement role-based access control schemes and delegate responsibilities across organizations. For instance, you can grant permissions to a team rather than to each user on the team.
You can create as many teams as needed for your organization. Teams can only be assigned to one organization while an organization can be made up of multiple teams. Each team can be assigned roles, the same way roles are assigned for users. Teams can also scalably assign ownership for credentials, preventing multiple interface click-throughs to assign the same credentials to the same user.
5.2.1. Teams list view
The Teams page displays the existing teams for your installation. From here, you can search for a specific team, filter the list of teams by team name or organization, or change the sort order for the list.
Procedure
- From the navigation panel, select .
- In the Search bar, enter an appropriate keyword for the team you want to search for and click the arrow icon.
- From the menu bar, you can sort the list of teams by using the arrows for Name and Organization to toggle your sorting preference.
- You can view team details by clicking a team Name on the Teams page.
- You can view organization details by clicking the link in the Organization column.
5.2.2. Creating a team
You can create new teams, assign an organization to the team, and manage the users and administrators associated with each team. Users associated with a team inherit the permissions associated with the team and any organization permissions to which the team has membership.
To add a user or administrator to a team, the user must have already been created.
Procedure
- From the navigation panel, select .
- Click .
- Enter a Name and optionally give a Description for the team.
- Select an Organization to be associated with this team.
  Note: Each team can only be assigned to one organization.
- Click .
  The Details page opens, where you can review and edit your team information.
5.2.3. Adding users to a team
To add a user to a team, the user must already have been created. For more information, see Creating a user. Adding a user to a team adds them as a member only. Use the Roles tab to assign a role for different resources to the selected team.
The following tab selections are available when adding users to a team. When user accounts from automation controller or automation hub organizations have been migrated to Ansible Automation Platform 2.5 during the upgrade process, the Automation Execution and Automation Content tabs show content based on whether the users were added to those organizations prior to migration.
- Ansible Automation Platform
- Reflects all users added to the organization at the platform level. From this tab, you can add users as organization members and, optionally provide specific organization level roles.
- Automation Execution
- Reflects users that were added directly to the automation controller organization prior to an upgrade and migration. From this tab, you can only view existing memberships in automation controller and remove those memberships but you can not add new memberships. New organization memberships must be added through the platform.
- Automation Content
- Reflects users that were added directly to the automation hub organization prior to an upgrade and migration. From this tab, you can only view existing memberships in automation hub and remove those memberships but you can not add new memberships.
New user memberships to a team must be added at the platform level.
Procedure
- From the navigation panel, select .
- Select the team to which you want to add users.
- Select the Users tab.
- Select the Ansible Automation Platform tab and click to add user access to the team, or select the Automation Execution or Automation Content tab to view or remove user access from the team.
- Select one or more users from the list by clicking the checkbox next to the name to add them as members of this team.
- Click .
5.2.4. Removing users from a team
You can remove a user from a team from the Team list view.
Procedure
- From the navigation panel, select .
- Select the team from which you want to remove users.
- Select the Users tab.
- Click the Remove user icon next to the user you want to remove as a member of the team. This launches a confirmation dialog, asking you to confirm the removal.
  You can delete multiple users by selecting the checkbox next to each user you want to remove, and selecting Remove selected users from the More actions ⋮ list.
  Note: If the user is a Team administrator, you can remove their membership to the team from the Administrators tab.
5.2.5. Adding administrators to a team
You can add administrators to a team which allows them to manage the membership and settings of that team. For example, they can create new users and grant permission to users within the team. To add an administrator to a team, the administrator must already have been created. For more information, see Creating a user.
Procedure
- From the navigation panel, select .
- Select the team to which you want to add an administrator.
- Select the Administrators tab and click .
- Select one or more users from the list by clicking the checkbox next to the name to add them as administrators of this team.
- Click .
5.2.6. Adding roles to a team
You can assign permissions to teams, such as edit and administer resources and other elements. You can set permissions through an inventory, project, job template and other resources, or within the Organizations view.
Procedure
- From the navigation panel, select .
- Select the team Name to which you want to add roles.
- Select the Roles tab and click .
  Note: If you have multiple Ansible Automation Platform components installed, you will see selections for the roles associated with each component in the Roles menu bar. For example, Automation Execution for automation controller roles, Automation Decisions for Event-Driven Ansible roles.
- Select a Resource type and click .
- Select the resources to receive the new roles and click .
- Select the roles to apply to the resources and click .
- Review the settings and click .
  The Add roles dialog displays, indicating whether the role assignments were successfully applied. Click to close the dialog.
5.2.7. Removing roles from a team
You can remove roles from a team by selecting the - icon next to the resource. This launches a confirmation dialog, asking you to confirm the removal.
Procedure
- From the navigation panel, select .
- Select the team Name from which you want to remove roles.
- Select the Roles tab.
  Note: If you have multiple Ansible Automation Platform components installed, you will see selections for the roles associated with each component in the Roles menu bar. For example, Automation Execution for automation controller roles, Automation Decisions for Event-Driven Ansible roles.
- Select the checkbox next to each resource you want to remove and click Remove selected roles from the ⋮ list on the menu bar.
- Select the checkbox to confirm removal of the selected roles and click Remove role.
5.2.8. Deleting a team
Before you can delete a team, you must have team permissions. When you delete a team, the inherited permissions members got from that team are revoked.
Procedure
- From the navigation panel, select .
- Select the check box for the team that you want to remove.
- Select the ⋮ icon and select Delete team.
  Note: You can delete multiple teams by selecting the checkbox next to each team you want to remove, and selecting Delete teams from the More actions ⋮ list.
5.3. Users
Users associated with an organization are shown in the Users tab of the organization.
You can add other users to an organization, including a normal user or system administrator, but first, you must create them.
Ansible Automation Platform automatically creates a default admin user so they can log in and set up Ansible Automation Platform for their organization. This user can not be deleted or modified.
You can sort or search the User list by Username, First name, Last name, or Email. Click the arrows in the header to toggle your sorting preference. You can view User type and Email beside the user name on the Users page.
5.3.1. Users list view
The Users page displays the existing users for your installation. From here, you can search for a specific user, filter the list of users, or change the sort order for the list.
When user accounts have been migrated to Ansible Automation Platform 2.5 during the upgrade process, these accounts are also displayed in the Users list view. Users previously designated as automation controller or automation hub administrators are labeled as Normal in the User type column. You can see whether these users have administrator privileges, by editing the account. See Editing a user for instructions.
Procedure
- From the navigation panel, select .
- In the Search bar, enter an appropriate keyword for the user you want to search for and click the arrow icon.
- From the menu bar, you can sort the list of users by using the arrows for Username, Email, First name, Last name or Last login to toggle your sorting preference.
- You can view user details by selecting a Username from the Users list view.
5.3.2. Creating a user
There are three types of users in Ansible Automation Platform:
- Normal user
- Normal users have read and write access limited to the resources (such as inventory, projects, and job templates) for which that user has been granted the appropriate roles and privileges. Normal users are the default type of user when no other User type is specified.
- Ansible Automation Platform Administrator
- An administrator (also known as a Superuser) has full system administration privileges — with full read and write privileges over the entire installation. An administrator is typically responsible for managing all aspects of and delegating responsibilities for day-to-day work to various users.
- Ansible Automation Platform Auditor
- Auditors have read-only capability for all objects within the environment.
Procedure
- From the navigation panel, select .
- Click .
- Enter the details about your new user in the fields on the Create user page. Fields marked with an asterisk (*) are required.
- Normal users are the default when no User type is specified. To define a user as an administrator or auditor, select a User type checkbox.
  Note: If you are modifying your own password, log out and log back in again for it to take effect.
- Select the Organization to be assigned for this user. For information about creating a new organization, refer to Creating an organization.
- Click .
When the user is successfully created, the User dialog opens. From here, you can review and modify the user’s Teams, Roles, Tokens and other membership details.
If the user is not newly-created, the details screen displays the last login activity of that user.
If you log in as yourself and view the details of your user profile, you can manage tokens from your user profile by selecting the Tokens tab. For more information, see Adding a token.
5.3.3. Editing a user
You can modify the properties of a user account after it is created.
In upgrade scenarios, there might be pre-existing user accounts from automation controller or automation hub services. When editing these user accounts, the User type checkboxes indicate whether the account had service level administrator privileges. You can revoke or assign administrator permissions for the individual services and designate the user as either an Ansible Automation Platform Administrator, Ansible Automation Platform Auditor or normal user. Assigning administrator privileges to all of the individual services automatically designates the user as an Ansible Automation Platform Administrator. See Creating a user for more information about user types.
To see whether a user had service level auditor privileges, you must refer to the API.
Users previously designated as automation controller or automation hub administrators are labeled as Normal in the User type column in the Users list view. You can see whether these users have administrator privileges, from the Edit Users page.
Procedure
- From the navigation panel, select .
- Select the check box for the user that you want to modify.
- Click the Pencil icon and select Edit user.
- The Edit user page is displayed, where you can modify user details such as Password, Email, User type, and Organization.
  Note: If the user account was migrated to Ansible Automation Platform 2.5 during the upgrade process and had administrator privileges for an individual service, additional User type checkboxes will be available. You can use these checkboxes to revoke or add individual privileges or designate the user as a platform administrator, system auditor or normal user.
- After your changes are complete, click Save user.
5.3.4. Deleting a user
Before you can delete a user, you must have normal user or system administrator permissions. When you delete a user account, the name and email of the user are permanently removed from Ansible Automation Platform.
Procedure
- From the navigation panel, select .
- Select the checkbox for the user that you want to remove.
- Click the ⋮ icon next to the user you want removed and select Delete user.
  Note: You can delete multiple users by selecting the checkbox next to each user you want to remove, and clicking Delete users from the More actions ⋮ list.
5.3.5. Adding roles for a user
You can grant access for users to use, read, or write credentials by assigning roles to them.
Procedure
- From the navigation panel, select .
- From the Users list view, click the user to which you want to add roles.
- Select the Roles tab to display the set of roles assigned to this user. These provide the ability to read, modify, and administer resources.
- To add new roles, click .
  Note: If you have multiple Ansible Automation Platform components installed, you will see selections for the roles associated with each component in the Roles menu bar. For example, Automation Execution for automation controller roles, Automation Decisions for Event-Driven Ansible roles.
- Select a Resource type and click .
- Select the resources that will receive new roles and click .
- Select the roles that will be applied to the resources and click .
- Review the settings and click .
  The Add roles dialog displays, indicating whether the role assignments were successfully applied. Click to close the dialog.
5.3.6. Removing roles from a user
You can remove roles from a user by selecting the - icon next to the resource. This launches a confirmation dialog, asking you to confirm the removal.
Procedure
- From the navigation panel, select .
- Select the user Name from which you want to remove roles.
- Select the Roles tab.
  Note: If you have multiple Ansible Automation Platform components installed, you will see selections for the roles associated with each component in the Roles menu bar. For example, Automation Execution for automation controller roles, Automation Decisions for Event-Driven Ansible roles.
- Select the checkbox next to each resource you want to remove and click Remove selected roles from the More actions ⋮ list on the menu bar.
- Select the checkbox to confirm removal of the selected roles and click .
5.4. Resources
You can manage user access to Ansible Automation Platform resources and what users can do with those resources. Users are granted access through the roles to which they are assigned or through roles inherited through the role hierarchy, for example, through the roles they inherit through team membership. Ansible Automation Platform resources differ depending on the functionality you are configuring. For example, resources can be job templates and projects for automation execution or decision environments and rulebook activations for automation decisions.
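To make the inheritance rule concrete, here is a small added model of the hierarchy this chapter describes (an illustration written for this page, not Ansible Automation Platform's own code; the AccessModel class, its methods, and the sample users, teams and resources are all hypothetical). It resolves a user's effective roles from direct grants plus team membership, and shows that deleting a team revokes what members only held through that team.

```python
"""Toy model of effective access in an RBAC hierarchy like the one this
chapter describes. Added illustration only; not the platform's own code.

Rules modelled: a team belongs to exactly one organization; roles are
granted to a user or to a team on a resource; a user inherits every role
held by a team they belong to; deleting a team revokes that inherited access.
"""
from collections import defaultdict


class AccessModel:
    def __init__(self):
        self.org_of_team = {}              # team -> organization
        self.members = defaultdict(set)    # team -> set of user names
        # (principal, resource, role); principal is "user:<name>" or "team:<name>"
        self.assignments = set()

    def add_team(self, team, org):
        # Each team can be assigned to only one organization.
        if team in self.org_of_team and self.org_of_team[team] != org:
            raise ValueError(f"team {team!r} already belongs to {self.org_of_team[team]!r}")
        self.org_of_team[team] = org

    def add_member(self, team, user):
        if team not in self.org_of_team:
            raise KeyError(f"unknown team {team!r}")
        self.members[team].add(user)

    def grant(self, principal, resource, role):
        kind, _, name = principal.partition(":")
        if kind not in ("user", "team"):
            raise ValueError("principal must be 'user:<name>' or 'team:<name>'")
        if kind == "team" and name not in self.org_of_team:
            raise KeyError(f"unknown team {name!r}")
        self.assignments.add((principal, resource, role))

    def delete_team(self, team):
        # Dropping the team removes its memberships and its role assignments,
        # so members lose whatever they inherited through it.
        self.org_of_team.pop(team, None)
        self.members.pop(team, None)
        self.assignments = {a for a in self.assignments if a[0] != f"team:{team}"}

    def teams_of(self, user):
        return {t for t, users in self.members.items() if user in users}

    def effective_roles(self, user):
        """Map resource -> set of roles, from direct grants plus team inheritance."""
        principals = {f"user:{user}"} | {f"team:{t}" for t in self.teams_of(user)}
        result = defaultdict(set)
        for principal, resource, role in self.assignments:
            if principal in principals:
                result[resource].add(role)
        return dict(result)

    def who_has(self, resource, role):
        """Audit helper: every user who ends up holding `role` on `resource`."""
        users = set()
        for principal, res, r in self.assignments:
            if (res, r) != (resource, role):
                continue
            kind, _, name = principal.partition(":")
            users |= self.members.get(name, set()) if kind == "team" else {name}
        return users


def build_sample():
    """Constructed sample data: one organization, one team, two users."""
    m = AccessModel()
    m.add_team("web-ops", "Default")
    m.add_member("web-ops", "alice")
    m.grant("team:web-ops", "job_template:deploy-web", "Execute")
    m.grant("user:bob", "job_template:deploy-web", "Admin")
    m.grant("user:alice", "inventory:prod", "Read")
    return m


if __name__ == "__main__":
    model = build_sample()
    print(model.effective_roles("alice"))  # Execute inherited via web-ops, plus direct Read
    print(model.who_has("job_template:deploy-web", "Execute"))
    model.delete_team("web-ops")
    print(model.effective_roles("alice"))  # only the direct Read on inventory:prod remains
```

The who_has audit mirrors the review a least-privilege check needs before granting a team-level role: it lists every user who will end up with that role through membership, not just the principal named in the grant.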
5.4.1. Providing team access to a resource
You can grant users access based on their team membership. When you add a user as a member of a team, they inherit access to the roles and resources defined for that team.
Procedure
- From the navigation panel, select a resource to which you want to provide team access. For example, .
- Select the Team Access tab.
- Click .
- Click the checkbox beside the team to assign that team to your chosen type of resource and click .
- Select the roles you want applied to the team for the chosen resource and click .
- Review the settings and click . The Add roles dialog displays indicating whether the role assignments were successfully applied.
- You can remove resource access for a team by selecting the Remove role icon next to the team. This launches a confirmation dialog, asking you to confirm the removal.
5.4.2. Providing user access to a resource
You can grant users access to resources through the roles to which they are assigned.
Procedure
- From the navigation panel, select a resource to which you want to provide user access. For example, .
- Select the User access tab.
- Click .
- Click the checkbox beside the user to assign that user to your chosen type of resource and click .
- Select the roles you want applied to the user for the chosen resource and click .
- Review the settings and click . The Add roles dialog displays indicating whether the role assignments were successfully applied.
- You can remove resource access for a user by selecting the Remove role icon next to the user. This launches a confirmation dialog, asking you to confirm the removal.