Chapter 2. Getting started as a platform administrator
As a platform administrator, you can use Ansible Automation Platform to enable your users and teams to develop and run automation.
This guide walks you through the basic steps to get set up as an administrator for Ansible Automation Platform, including configuring and maintaining the platform for users.
To get started as an administrator, see the following:
2.1. Logging in for the first time
Log in to the Ansible Automation Platform as an administrator and enter your subscription information. You can then create user profiles and assign roles.
Procedure
- With the login information provided after your installation completed, open a web browser and log in to Red Hat Ansible Automation Platform by navigating to its server URL at: https://<AAP_SERVER_NAME>/
Use the credentials specified during the installation process to log in:
- The default username is admin.
- The password for admin is the value specified during installation.
After your first login, you are prompted to add your subscription information.
2.2. Adding your subscription
To add your subscription information, you can either upload your subscription manifest, or use your service account credentials to find the subscription associated with your account.
Prerequisites
To add your subscription by uploading a subscription manifest, you must first:
- Obtain your manifest file. See Obtaining a manifest file in the Access management and authentication guide for steps on how to do this.
To add your subscription using your service account credentials, you must first:
- Have created a service account and saved the client ID and client secret.
- Add your service account to the Subscription viewer user group to give it the ability to see your subscriptions. See the "Updates to subscription management" section in the Knowledgebase article Configure Ansible Automation Platform to authenticate through service account credentials for instructions on how to do so.
Procedure
To add your subscription by uploading a subscription manifest:
- Drag the file to the field beneath Red Hat subscription manifest or browse for the file on your local machine.
To add your subscription with your service account credentials:
- Click the Service Account / Red Hat Satellite tab.
- Enter the client ID you received when you created your service account in the field labeled Client ID / Satellite username.
- Enter the client secret you received when you created your service account in the field labeled Client secret / Satellite password. Your subscription appears in the Subscription list. Select your subscription.
- After you have added your subscription, click .
- Check the box indicating that you agree to the End User License Agreement.
- Review your information and click .
If you enter your client ID and client secret but cannot locate your subscription, you might not have the correct permissions set on your service account. For more information and troubleshooting guidance for service accounts, see Configure Ansible Automation Platform to authenticate through service account credentials.
After logging in, review the quick starts section in the navigation panel for useful guidance.
2.3. Configure authentication
After your first login as an administrator, you must configure authentication for your users. Depending on your organization’s needs and resources, you can either:
- Set up authentication by creating users, teams, and organizations manually.
- Use an external source such as GitHub to configure authentication for your system.
2.4. Managing user access with role-based access control
Role-based access control (RBAC) restricts user access based on their role within an organization. The roles in RBAC refer to the levels of access that users have to the network.
You can control what users can do with the components of Ansible Automation Platform at a broad or granular level depending on your RBAC policy. You can select whether the user is a system administrator or normal user and align roles and access permissions with their positions within the organization.
You can define roles with many permissions that can then be assigned to resources, teams, and users. The permissions that make up a role dictate what the assigned role allows. Permissions are allocated with only the access needed for a user to perform the tasks appropriate for their role.
2.5. Creating an organization
Ansible Automation Platform automatically creates a default organization. If you have a self-support level license, you have only the default organization available and cannot delete it.
Procedure
- From the navigation panel, select .
- Click .
- Enter the Name and optionally provide a Description for your organization.
Note: If automation controller is enabled on the platform, continue with Step 4. Otherwise, proceed to Step 6.
- Select the name of the Execution environment, or search for an existing one, that members of this team can use to run automation.
- Enter the name of the Instance Groups on which to run this organization.
- Optional: Enter the Galaxy credentials or search from a list of existing ones.
- Select the Max hosts for this organization. The default is 0. When this value is 0, it signifies no limit. If you try to add a host to an organization that has reached or exceeded its cap on hosts, an error message displays:
You have already reached the maximum number of 1 hosts allowed for your organization. Contact your System Administrator for assistance.
- Click .
If you selected more than 1 instance group, you can manage the order by dragging and dropping the instance group up or down in the list and clicking .
Note: The execution precedence is determined by the order in which the instance groups are listed.
- Click and verify the organization settings.
- Click .
2.6. Creating a team
You can create new teams, assign an organization to the team, and manage the users and administrators associated with each team. Users associated with a team inherit the permissions associated with the team and any organization permissions to which the team has membership.
To add a user or administrator to a team, the user must have already been created.
Procedure
- From the navigation panel, select .
- Click .
- Enter a Name and optionally give a Description for the team.
- Select an Organization to be associated with this team.
Note: Each team can only be assigned to one organization.
- Click .
The Details page opens, where you can review and edit your team information.
2.7. Creating a user
There are three types of users in Ansible Automation Platform:
- Normal user
- Normal users have read and write access limited to the resources (such as inventory, projects, and job templates) for which that user has been granted the appropriate roles and privileges. Normal users are the default type of user.
- Ansible Automation Platform Administrator
- An administrator (also known as a Superuser) has full system administration privileges — with full read and write privileges over the entire installation. An administrator is typically responsible for managing all aspects of and delegating responsibilities for day-to-day work to various users.
- Ansible Automation Platform Auditor
- Auditors have read-only capability for all objects within the environment.
Procedure
- From the navigation panel, select .
- Click .
- Enter the details about your new user in the fields on the Create user page. Fields marked with an asterisk (*) are required.
Normal users are the default when no User type is specified. To define a user as an administrator or auditor, select a User type checkbox.
Note: If you are modifying your own password, log out and log back in again for it to take effect.
- Select the Organization to be assigned for this user. For information about creating a new organization, refer to Creating an organization.
- Click .
When the user is successfully created, the User dialog opens. From here, you can review and modify the user’s Teams, Roles, Tokens and other membership details.
If the user is not newly-created, the details screen displays the last login activity of that user.
If you log in as yourself, and view the details of your user profile, you can manage tokens from your user profile by selecting the Tokens tab.
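The access model described in sections 2.4, 2.6 and 2.7 (roles as bundles of permissions, team inheritance, and the three user types) can be sketched as a small access-review script. This is an added example, not code from Ansible Automation Platform; the role, team, user and resource names are constructed, and treating an auditor as strictly read-only is a modelling assumption taken from the description above.

```python
from dataclasses import dataclass, field

# Constructed role definitions: each role is a named bundle of permissions.
# Role, team, user and resource names are hypothetical, not platform built-ins.
ROLES = {
    "template-runner": {"read", "execute"},
    "inventory-editor": {"read", "write"},
}

# Constructed assignments: (principal, role, resource).
ASSIGNMENTS = [
    ("team:netops", "template-runner", "job_template:patch-routers"),
    ("user:bob", "inventory-editor", "inventory:lab"),
]

@dataclass
class User:
    name: str
    user_type: str = "normal"  # "normal", "administrator" or "auditor"
    teams: list = field(default_factory=list)

USERS = [
    User("admin", "administrator"),
    User("alice", teams=["netops"]),
    User("bob"),
    User("carol", "auditor"),
]

def grants(user, action, resource, assignments=ASSIGNMENTS):
    """Return every reason `user` may perform `action` on `resource`."""
    if user.user_type == "administrator":
        return ["administrator: full read and write over the installation"]
    if user.user_type == "auditor":  # modelled here as read-only, nothing else
        return ["auditor: read-only on all objects"] if action == "read" else []
    # Normal user: direct role assignments plus those inherited from teams.
    principals = {f"user:{user.name}"} | {f"team:{t}" for t in user.teams}
    return [
        f"{who} holds {role} on {res}"
        for who, role, res in assignments
        if who in principals and res == resource and action in ROLES[role]
    ]

def who_can(action, resource, users=USERS):
    """Access-review helper: names of users able to perform the action."""
    return [u.name for u in users if grants(u, action, resource)]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, grants(u, "execute", "job_template:patch-routers"))
```

Listing the grant path for each user shows whether access comes from a direct role, a team membership, or the user type itself, which is the question to answer when reviewing who holds administrator rights.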
2.8. Configuring GitHub authentication
You can connect GitHub identities to Ansible Automation Platform using OAuth. To set up GitHub authentication, you need to obtain an OAuth2 key and secret by registering your organization-owned application from GitHub, following the steps in registering the new application with GitHub.
The OAuth2 key (Client ID) and secret (Client Secret) are used to supply the required fields in the UI. To register the application, you must supply it with your webpage URL, which is the Callback URL shown in the Authenticator details for your authenticator configuration.
Procedure
- From the navigation panel, select .
- Click .
- Select GitHub from the Authentication type list and click .
- Enter a Name for this authentication configuration.
When the application is registered, GitHub displays the Client ID and Client Secret:
- Copy and paste the GitHub Client ID into the GitHub OAuth2 Key field.
- Copy and paste the GitHub Client Secret into the GitHub OAuth2 Secret field.
- Optional: Enter any Additional Authenticator Fields that this authenticator can take. These fields are not validated and are passed directly back to the authenticator.
Note: Values defined in this field override the dedicated fields provided in the UI. Any values not defined here are not provided to the authenticator.
- To automatically create organizations, users, and teams upon successful login, select Create objects.
- To enable this authentication method upon creation, select Enabled.
- To remove a user from any groups they were previously added to when they authenticate from this source, select Remove users.
- Click .
Verification
To verify that the authentication is configured correctly, log out of Ansible Automation Platform and check that the login screen displays the logo of your chosen authentication method to enable logging in with those credentials.