Chapter 5. Managing access with role based access control

Role-based access control (RBAC) restricts user access based on their role within an organization to which they are assigned in Ansible Automation Platform. The roles in RBAC refer to the levels of access that users have to the Ansible Automation Platform components and resources.

You can control what users can do with the components of Ansible Automation Platform at a broad or granular level depending on your RBAC policy. You can designate whether the user is a system administrator or normal user and align roles and access permissions with their positions within the organization.

Roles can be defined with multiple permissions that can then be assigned to resources, teams and users. The permissions that make up a role dictate what the assigned role allows. Permissions are allocated with only the access needed for a user to perform the tasks appropriate for their role.

5.1. Organizations

An organization is a logical collection of users, teams, and resources. It is the highest level object in the Ansible Automation Platform object hierarchy. After you have created an organization, Ansible Automation Platform displays the organization details. You can then manage access and execution environments for the organization. Ansible Automation Platform automatically creates a default organization, and the system administrator is automatically assigned to it. If you have a self-support level license, only the default organization is available and you cannot delete it.

5.1.1. Organizations list view

The Organizations page displays the existing organizations for your installation. From here, you can search for a specific organization, filter the list of organizations, or change the sort order for the list.

Procedure

  1. From the navigation panel, select Access Management Organizations.
  2. In the Search bar, enter an appropriate keyword for the organization you want to search for and click the arrow icon.
  3. From the menu bar, you can sort the list of organizations by using the arrows for Name to toggle your sorting preference.
  4. You can also sort the list by selecting Name, Created or Last modified from the Sort list.
  5. You can view organization details by clicking an organization Name on the Organizations page.

5.1.2. Creating an organization

Ansible Automation Platform automatically creates a default organization. If you have a self-support level license, you have only the default organization available and cannot delete it.

Procedure

  1. From the navigation panel, select Access Management Organizations.
  2. Click Create organization.
  3. Enter the Name and optionally provide a Description for your organization.

    Note

    If automation controller is enabled on the platform, continue with Step 4. Otherwise, proceed to Step 6.

  4. Select the Execution environment that members of this organization can use to run automation, or search for an existing one.
  5. Select the Instance Groups on which jobs for this organization run.
  6. Optional: Enter the Galaxy credentials or search from a list of existing ones.
  7. Enter the Max hosts for this organization. The default is 0, which means no limit. If you try to add a host to an organization that has reached or exceeded its cap on hosts, an error message displays:

    You have already reached the maximum number of 1 hosts allowed for your organization. Contact your System Administrator for assistance.
  8. Click Next.
  9. If you selected more than 1 instance group, you can manage the order by dragging and dropping the instance group up or down in the list and clicking Confirm.

    Note

    The execution precedence is determined by the order in which the instance groups are listed.

  10. Click Next and verify the organization settings.
  11. Click Finish.

5.1.3. Access to organizations

You can manage access to an organization by selecting an organization from the Organizations list view and selecting the associated tabs for providing access to Users, Administrators or Teams.

5.1.3.1. Adding a user to an organization

You can provide a user with access to an organization by adding them to the organization and managing the roles associated with the user. To add a user to an organization, the user must already exist. For more information, see Creating a user. To add roles for a user, the role must already exist. See Creating a role for more information.

Procedure

  1. From the navigation panel, select Access Management Organizations.
  2. From the Organizations list view, select the organization to which you want to add a user.
  3. Click the Users tab to add users.
  4. Click Add users and select one or more users from the list by clicking the checkbox next to the name to add them as members.
  5. Click Next.
  6. Select the roles you want the selected user to have. Scroll down for a complete list of roles.

    Note

    If you have multiple Ansible Automation Platform components installed, you will see selections for the roles associated with each component in the Roles menu bar. For example, Automation Execution for automation controller roles, Automation Decisions for Event-Driven Ansible roles.

  7. Click Next to review the roles settings.
  8. Click Finish to apply the roles to the selected users, and to add them as members. The Add roles dialog displays the updated roles assigned for each user.

    Note

    A user with associated roles retains them if they are reassigned to another organization.

  9. To remove a particular user from the organization, select Remove user from the More actions ⋮ list next to the user. This launches a confirmation dialog, asking you to confirm the removal.
  10. To manage roles for users in an organization, click the icon next to the user and select Manage roles.

5.1.3.2. Adding an administrator to an organization

You can add administrators to an organization which allows them to manage the membership and settings of the organization. For example, they can create new users and teams within the organization, and grant permission to users within the organization. To add an administrator to an organization, the user must already exist.

Procedure

  1. From the navigation panel, select Access Management Organizations.
  2. From the Organizations list view, select the organization to which you want to add an administrator.
  3. Click the Administrators tab.
  4. Click Add administrators.
  5. Select the users from the list by clicking the checkbox next to the name to assign the administrator role to them for this organization.
  6. Click Add administrators.
  7. To remove a particular administrator from the organization, select Remove administrator from the More actions ⋮ list next to the administrator name. This launches a confirmation dialog, asking you to confirm the removal.

    Note

    If the user had previously been added as a member to this organization, they will continue to be a member of this organization. However, if they were added to the organization when the administrator assignment was made, they will be removed from the organization.

5.1.3.3. Adding a team to an organization

You can provide team access to an organization by adding roles to the team. To add roles to a team, the team must already exist in the organization. For more information, see Creating a team. To add roles for a team, the role must already exist. See Creating a role for more information.

Procedure

  1. From the navigation panel, select Access Management Organizations.
  2. From the Organizations list view, select the organization to which you want to add team access.
  3. Click the Teams tab. If no teams exist, click Create team to create a team and add it to this organization.
  4. Click Add roles.
  5. Select the roles you want the selected team to have. Scroll down for a complete list of roles.

    Note

    If you have multiple Ansible Automation Platform components installed, you will see selections for the roles associated with each component in the Roles menu bar. For example, Automation Execution for automation controller roles, Automation Decisions for Event-Driven Ansible roles.

  6. Click Next to review the roles settings.
  7. Click Finish to apply the roles to the selected teams. The Add roles dialog displays the updated roles assigned for each team.
  8. Click Close.

    Note

    A team with associated roles retains them if they are reassigned to another organization.

  9. To manage roles for teams in an organization, click the icon next to the team and select Manage roles.

5.1.3.4. Deleting an organization

Before you can delete an organization, you must be an Organization administrator or System administrator. When you delete an organization, the organization and its teams, users, and resources are permanently removed from Ansible Automation Platform.

Note

When you attempt to delete items that are used by other resources, a message is displayed warning you that the deletion might impact other resources and prompts you to confirm the deletion. Items that are invalid, or that depend on something deleted earlier, can still appear on some screens and will fail to run.

Procedure

  1. From the navigation panel, select Access Management Organizations.
  2. Click the icon next to the organization you want removed and select Delete organization.
  3. Select the confirmation checkbox and click Delete organizations to proceed with the deletion. Otherwise, click Cancel.

    Note

    You can delete multiple organizations by selecting the checkbox next to each organization you want to remove, and selecting Delete selected organizations from the More actions ⋮ list on the menu bar.

5.1.4. Working with notifiers

When automation controller is enabled on the platform, you can review any notifier integrations you have set up and manage their settings within the organization resource.

Procedure

  1. From the navigation panel, select Access Management Organizations.
  2. From the Organizations list view, select the organization to which you want to manage notifications.
  3. Select the Notification tab.
  4. Use the toggles to enable or disable the notifications to use with your particular organization. For more information, see Enable and disable notifications.
  5. If no notifiers have been set up, select Automation Execution Administration Notifiers from the navigation panel.

For information on configuring notification types, see Notification types.

5.1.5. Working with execution environments

When automation controller is enabled on the platform, you can review any execution environments you have set up and manage their settings within the organization resource.

For more information about execution environments, see Execution environments in Using automation execution guide.

Procedure

  1. From the navigation panel, select Access Management Organizations.
  2. From the Organizations list view, select the organization whose execution environments you want to manage.
  3. Select the Execution Environments tab.
  4. If no execution environments are available, click Create execution environment to create one. Alternatively, you can create an execution environment from the navigation panel by selecting Automation Execution Infrastructure Execution Environments.
  5. Click Create execution environment.

    Note

    After creating a new execution environment, return to Access Management Organizations and select the organization in which you created the execution environment to update the list on that tab.

  6. Select the execution environments to use with your particular organization.

5.2. Teams

A team is a subdivision of an organization with associated users, and resources. Teams provide a means to implement role-based access control schemes and delegate responsibilities across organizations. For instance, you can grant permissions to a Team rather than each user on the team.

You can create as many teams as needed for your organization. Teams can only be assigned to one organization while an organization can be made up of multiple teams. Each team can be assigned roles, the same way roles are assigned for users. Teams can also scalably assign ownership for credentials, preventing multiple interface click-throughs to assign the same credentials to the same user.

5.2.1. Teams list view

The Teams page displays the existing teams for your installation. From here, you can search for a specific team, filter the list of teams by team name or organization, or change the sort order for the list.

Procedure

  1. From the navigation panel, select Access Management Teams.
  2. In the Search bar, enter an appropriate keyword for the team you want to search for and click the arrow icon.
  3. From the menu bar, you can sort the list of teams by using the arrows for Name and Organization to toggle your sorting preference.
  4. You can view team details by clicking a team Name on the Teams page.
  5. You can view organization details by clicking the link in the Organization column.

5.2.2. Creating a team

You can create new teams, assign an organization to the team, and manage the users and administrators associated with each team. Users associated with a team inherit the roles assigned to the team, as well as any organization-level roles that the team holds.

To add a user or administrator to a team, the user must have already been created.

Procedure

  1. From the navigation panel, select Access Management Teams.
  2. Click Create team.
  3. Enter a Name and optionally give a Description for the team.
  4. Select an Organization to be associated with this team.

    Note

    Each team can only be assigned to one organization.

  5. Click Create team.

    The Details page opens, where you can review and edit your team information.

5.2.3. Adding users to a team

To add a user to a team, the user must already have been created. For more information, see Creating a user. Adding a user to a team adds them as a member only. Use the Roles tab to assign a role for different resources to the selected team.

Procedure

  1. From the navigation panel, select Access Management Teams.
  2. Select the team to which you want to add users.
  3. Select the Users tab and click Add users.
  4. Select one or more users from the list by clicking the checkbox next to the name to add them as members of this team.
  5. Click Add users.

5.2.4. Removing users from a team

You can remove a user from a team from the Team list view.

Procedure

  1. From the navigation panel, select Access Management Teams.
  2. Select the team from which you want to remove users.
  3. Select the Users tab.
  4. Click the Remove user icon next to the user you want to remove as a member of the team. This launches a confirmation dialog, asking you to confirm the removal.
  5. You can remove multiple users by selecting the checkbox next to each user you want to remove, and selecting Remove selected users from the More actions ⋮ list.

    Note

    Removing a user from a team only revokes the access they inherited through the team; it does not delete the user account. If the user is a Team administrator, you can remove their membership to the team from the Administrators tab.

5.2.5. Adding administrators to a team

You can add administrators to a team which allows them to manage the membership and settings of that team. For example, they can create new users and grant permission to users within the team. To add an administrator to a team, the administrator must already have been created. For more information, see Creating a user.

Procedure

  1. From the navigation panel, select Access Management Teams.
  2. Select the team to which you want to add an administrator.
  3. Select the Administrators tab and click Add administrator(s).
  4. Select one or more users from the list by clicking the checkbox next to the name to add them as administrators of this team.
  5. Click Add administrators.

5.2.6. Adding roles to a team

You can assign permissions to teams, such as the ability to edit and administer resources and other elements. You can set permissions through an inventory, project, job template, or other resource, or within the Organizations view.

Procedure

  1. From the navigation panel, select Access Management Teams.
  2. Select the team Name to which you want to add roles.
  3. Select the Roles tab and click Add roles.

    Note

    If you have multiple Ansible Automation Platform components installed, you will see selections for the roles associated with each component in the Roles menu bar. For example, Automation Execution for automation controller roles, Automation Decisions for Event-Driven Ansible roles.

  4. Select a Resource type and click Next.
  5. Select the resources to receive the new roles and click Next.
  6. Select the roles to apply to the resources and click Next.
  7. Review the settings and click Finish.

    The Add roles dialog displays indicating whether the role assignments were successfully applied, click Close to close the dialog.

5.2.7. Removing roles from a team

You can remove roles from a team by selecting the - icon next to the resource. This launches a confirmation dialog, asking you to confirm the removal.

Procedure

  1. From the navigation panel, select Access Management Teams.
  2. Select the team Name from which you want to remove roles.
  3. Select the Roles tab.

    Note

    If you have multiple Ansible Automation Platform components installed, you will see selections for the roles associated with each component in the Roles menu bar. For example, Automation Execution for automation controller roles, Automation Decisions for Event-Driven Ansible roles.

  4. Select the checkbox next to each resource you want to remove and click Remove selected roles from the list on the menu bar.
  5. Select the checkbox to confirm removal of the selected roles and click Remove role.

5.2.8. Deleting a team

Before you can delete a team, you must have administrative permissions for that team. When you delete a team, any permissions its members inherited from that team are revoked.

Procedure

  1. From the navigation panel, select Access Management Teams.
  2. Select the check box for the team that you want to remove.
  3. Select the ⋮ icon and select Delete team.

    Note

    You can delete multiple teams by selecting the checkbox next to each team you want to remove, and selecting Delete teams from the More actions ⋮ list.

5.3. Users

Users associated with an organization are shown in the Users tab of the organization.

You can add other users to an organization, including a normal user or system administrator, but first, you must create them.

Note

Ansible Automation Platform automatically creates a default admin user so that they can log in and set up Ansible Automation Platform for their organization. This user cannot be deleted or modified.

You can sort or search the User list by Username, First name, Last name, or Email. Click the arrows in the header to toggle your sorting preference. You can view User type and Email beside the user name on the Users page.

5.3.1. Users list view

The Users page displays the existing users for your installation. From here, you can search for a specific user, filter the list of users, or change the sort order for the list.

Procedure

  1. From the navigation panel, select Access Management Users.
  2. In the Search bar, enter an appropriate keyword for the user you want to search for and click the arrow icon.
  3. From the menu bar, you can sort the list of users by using the arrows for Username, Email, First name, Last name or Last login to toggle your sorting preference.
  4. You can view user details by selecting a Username from the Users list view.

5.3.2. Creating a user

There are three types of users in Ansible Automation Platform:

Normal user
Normal users have read and write access limited to the resources (such as inventory, projects, and job templates) for which that user has been granted the appropriate roles and privileges. Normal users are the default type of user when no other User type is specified.
Ansible Automation Platform Administrator
An administrator (also known as a Superuser) has full system administration privileges — with full read and write privileges over the entire installation. An administrator is typically responsible for managing all aspects of and delegating responsibilities for day-to-day work to various users.
Ansible Automation Platform Auditor
Auditors have read-only capability for all objects within the environment.

Procedure

  1. From the navigation panel, select Access Management Users.
  2. Click Create user.
  3. Enter the details about your new user in the fields on the Create user page. Fields marked with an asterisk (*) are required.
  4. Normal users are the default when no User type is specified. To define a user as an administrator or auditor, select a User type checkbox.

    Note

    If you are modifying your own password, log out and log back in again for it to take effect.

  5. Select the Organization to be assigned for this user. For information about creating a new organization, refer to Creating an organization.
  6. Click Create user.

When the user is successfully created, the User dialog opens. From here, you can review and modify the user’s Teams, Roles, Tokens and other membership details.

Note

If the user is not newly-created, the details screen displays the last login activity of that user.

If you log in as yourself and view the details of your user profile, you can manage tokens from your user profile by selecting the Tokens tab. For more information, see Adding a token.

5.3.3. Editing a user

You can modify the properties of a user account after it is created.

Procedure

  1. From the navigation panel, select Access Management Users.
  2. Select the check box for the user that you want to modify.
  3. Click the Pencil icon and select Edit user.
  4. The Edit user page is displayed where you can modify user details such as, Password, Email, User type, and Organization.
  5. After your changes are complete, click Save user.

5.3.4. Deleting a user

Before you can delete a user, you must have permission to manage users, for example as an organization administrator or system administrator. When you delete a user account, the name and email of the user are permanently removed from Ansible Automation Platform.

Procedure

  1. From the navigation panel, select Access Management Users.
  2. Select the checkbox for the user that you want to remove.
  3. Click the ⋮ icon next to the user you want removed and select Delete user.

    Note

    You can delete multiple users by selecting the checkbox next to each user you want to remove, and clicking Delete users from the More actions ⋮ list.

5.3.5. Adding roles for a user

You can grant users access to resources, such as the ability to use, read, or modify credentials, by assigning roles to them.

Procedure

  1. From the navigation panel, select Access Management Users.
  2. From the Users list view, click on the user to which you want to add roles.
  3. Select the Roles tab to display the set of roles assigned to this user. These provide the ability to read, modify, and administer resources.
  4. To add new roles, click Add roles.

    Note

    If you have multiple Ansible Automation Platform components installed, you will see selections for the roles associated with each component in the Roles menu bar. For example, Automation Execution for automation controller roles, Automation Decisions for Event-Driven Ansible roles.

  5. Select a Resource type and click Next.
  6. Select the resources that will receive new roles and click Next.
  7. Select the roles that will be applied to the resources and click Next.
  8. Review the settings and click Finish.

    The Add roles dialog displays indicating whether the role assignments were successfully applied. Click Close to close the dialog.

5.3.6. Removing roles from a user

You can remove roles from a user by selecting the - icon next to the resource. This launches a confirmation dialog, asking you to confirm the removal.

Procedure

  1. From the navigation panel, select Access Management Users.
  2. Select the user Name from which you want to remove roles.
  3. Select the Roles tab.

    Note

    If you have multiple Ansible Automation Platform components installed, you will see selections for the roles associated with each component in the Roles menu bar. For example, Automation Execution for automation controller roles, Automation Decisions for Event-Driven Ansible roles.

  4. Select the checkbox next to each resource you want to remove and click Remove selected roles from the More actions ⋮ list on the menu bar.
  5. Select the checkbox to confirm removal of the selected roles and click Remove role.

5.4. Resources

You can manage user access to Ansible Automation Platform resources and what users can do with those resources. Users are granted access through the roles to which they are assigned or through roles inherited through the role hierarchy, for example, through the roles they inherit through team membership. Ansible Automation Platform resources differ depending on the functionality you are configuring. For example, resources can be job templates and projects for automation execution or decision environments and rulebook activations for automation decisions.

5.4.1. Providing team access to a resource

You can grant users access based on their team membership. When you add a user as a member of a team, they inherit access to the roles and resources defined for that team.

Procedure

  1. From the navigation panel, select a resource to which you want to provide team access. For example, Automation Execution Templates.
  2. Select the Team Access tab.
  3. Click Add roles.
  4. Click the checkbox beside the team to assign that team to your chosen type of resource and click Next.
  5. Select the roles you want applied to the team for the chosen resource and click Next.
  6. Review the settings and click Finish. The Add roles dialog displays indicating whether the role assignments were successfully applied.
  7. You can remove resource access for a team by selecting the Remove role icon next to the team. This launches a confirmation dialog, asking you to confirm the removal.

5.4.2. Providing user access to a resource

You can grant users access to resources through the roles to which they are assigned.

Procedure

  1. From the navigation panel, select a resource to which you want to provide user access. For example, Automation Execution Templates.
  2. Select the User access tab.
  3. Click Add roles.
  4. Click the checkbox beside the user to assign that user to your chosen type of resource and click Next.
  5. Select the roles you want applied to the user for the chosen resource and click Next.
  6. Review the settings and click Finish. The Add roles dialog displays indicating whether the role assignments were successfully applied.
  7. You can remove resource access for a user by selecting the Remove role icon next to the user. This launches a confirmation dialog, asking you to confirm the removal.
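To make the inheritance rules in this chapter concrete (team members inherit the team's roles, organization administrators manage everything in their organization, platform administrators and auditors span the whole installation, deleting a team revokes the access its members inherited, and the membership side effect of removing an organization administrator described in the note in 5.1.3.2), here is a small Python model added as an illustration. It is not code from Ansible Automation Platform or from this guide. The `ROLE_PERMS` table, the `Directory` class, and the rule that an organization-level grant covers every resource the organization owns are assumptions of the model; the users, team, and resources in `build_example` are constructed sample data.

```python
# Toy model of the access rules in this chapter (constructed example, not platform code).
from dataclasses import dataclass, field

# Permissions each role grants; constructed here, the platform's own role
# definitions live under Access Management > Roles.
ROLE_PERMS = {
    "Admin": {"view", "change", "delete", "execute", "use"},
    "Execute": {"view", "execute"},
    "Use": {"view", "use"},
    "Read": {"view"},
}


@dataclass(frozen=True)
class Resource:
    kind: str           # "organization", "job_template", "credential", ...
    name: str
    organization: str   # every resource belongs to exactly one organization


@dataclass
class Directory:
    """In-memory stand-in for the platform's users, teams, organizations and grants."""
    user_type: dict = field(default_factory=dict)     # user -> normal | admin | auditor
    org_members: dict = field(default_factory=dict)   # org -> {users}
    org_admins: dict = field(default_factory=dict)    # org -> {users}
    admin_only: dict = field(default_factory=dict)    # org -> {users who became members via the admin assignment}
    team_org: dict = field(default_factory=dict)      # team -> its single organization
    team_members: dict = field(default_factory=dict)  # team -> {users}
    grants: list = field(default_factory=list)        # (principal, is_team, role, Resource)

    def add_org_member(self, org, user):
        self.org_members.setdefault(org, set()).add(user)

    def add_org_admin(self, org, user):
        # Note in 5.1.3.2: a non-member made administrator becomes a member,
        # and loses that membership again when the admin assignment is removed.
        if user not in self.org_members.get(org, set()):
            self.add_org_member(org, user)
            self.admin_only.setdefault(org, set()).add(user)
        self.org_admins.setdefault(org, set()).add(user)

    def remove_org_admin(self, org, user):
        self.org_admins.get(org, set()).discard(user)
        if user in self.admin_only.get(org, set()):
            self.admin_only[org].discard(user)
            self.org_members[org].discard(user)

    def create_team(self, team, org, members=()):
        self.team_org[team] = org
        self.team_members[team] = set(members)

    def grant(self, principal, role, resource, is_team=False):
        if role not in ROLE_PERMS:
            raise ValueError(f"unknown role {role!r}")
        self.grants.append((principal, is_team, role, resource))

    def delete_team(self, team):
        # 5.2.8: deleting a team revokes everything its members inherited from it.
        self.grants = [g for g in self.grants if not (g[1] and g[0] == team)]
        del self.team_members[team], self.team_org[team]

    @staticmethod
    def _covers(granted, target):
        # A grant on the resource itself, or on the organization that owns it
        # (organization-level roles cover the org's resources: model assumption).
        return granted == target or (granted.kind == "organization"
                                     and granted.name == target.organization)

    def permissions(self, user, target):
        """Effective permission set of `user` on `target`, after inheritance."""
        utype = self.user_type.get(user)
        if utype == "admin":                                  # platform administrator
            return set(ROLE_PERMS["Admin"])
        perms = {"view"} if utype == "auditor" else set()     # platform auditor: read-only
        if user in self.org_admins.get(target.organization, set()):
            return perms | ROLE_PERMS["Admin"]                # organization administrator
        for principal, is_team, role, res in self.grants:
            via_team = is_team and user in self.team_members.get(principal, set())
            if self._covers(res, target) and (via_team or (principal == user and not is_team)):
                perms |= ROLE_PERMS[role]
        return perms


def build_example():
    """Constructed sample data: one organization, one team, four users."""
    d = Directory(user_type={"alice": "normal", "bob": "normal",
                             "carol": "auditor", "root": "admin"})
    d.add_org_member("Payments", "alice")
    d.add_org_member("Payments", "bob")
    d.create_team("deployers", "Payments", members=["alice"])
    deploy = Resource("job_template", "Deploy API", "Payments")
    vault = Resource("credential", "Prod vault", "Payments")
    d.grant("deployers", "Execute", deploy, is_team=True)             # inherited by alice
    d.grant("bob", "Use", vault)                                       # direct, one resource
    d.grant("bob", "Read", Resource("organization", "Payments", "Payments"))  # org-wide
    return d, deploy, vault
```

The point of `permissions()` is that it answers "what can this user actually do with this resource" only after walking every path: direct grants, team membership, organization-level grants, organization administrator status, and platform-wide user type. When reviewing access before granting a role, that is the check to run; the Roles tab for one user shows only direct assignments, not what arrives through teams or administrator status.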