Chapter 4. Managing access with role-based access control


Role-based access control (RBAC) restricts user access based on the user’s role within the organization they are assigned to in Ansible Automation Platform. The roles in RBAC refer to the levels of access that users have to Ansible Automation Platform components and resources.

You can control what users can do with the components of Ansible Automation Platform at a broad or granular level depending on your RBAC policy. You can choose whether the user is a system administrator or normal user and align roles and access permissions with their positions within the organization.

You can define roles with multiple permissions that can then be assigned to resources, teams, and users. The permissions that make up a role govern what the assigned role allows. Permissions are allocated with only the access needed for a user to perform the tasks appropriate for their role.

Important

When managing users, teams, and organizations, use the Unified UI or the platform gateway API to ensure real-time synchronization across all platform components, including Event-Driven Ansible controller. If you use the legacy automation controller API, changes can take up to 15 minutes to propagate to Event-Driven Ansible controller, which can result in authentication errors for new users or teams.

4.1. Organizations

As an administrator, you can use organizations to organize groups of resources. Assigning a team or user to the organization gives the team or user access to the resources within the organization. This way, administrators no longer have to grant individual teams and users access to new resources as they become available; teams and users gain access to new resources when they are added to the organization.

After you have created an organization, Ansible Automation Platform displays the organization details. You can then manage resources such as access and execution environments for the organization.

Ansible Automation Platform automatically creates a default organization. If you have a self-support level license, you have only the default organization available and must not delete it.

4.1.1. Organizations list view

The Organizations page displays the existing organizations for your installation. From here, you can search for a specific organization, filter the list of organizations, or change the sort order for the list.

Procedure

  1. From the navigation panel, select Access Management → Organizations.
  2. In the Search bar, enter an appropriate keyword for the organization you want to search for and click the arrow icon.
  3. From the menu bar, you can sort the list of organizations by using the arrows for Name to toggle your sorting preference.
  4. You can also sort the list by selecting Name, Created or Last modified from the Sort list.
  5. You can view organization details by clicking an organization Name on the Organizations page.

4.1.2. Creating an organization

Ansible Automation Platform automatically creates a default organization. If you have a self-support level license, you have only the default organization available and cannot delete it.

Procedure

  1. From the navigation panel, select Access Management → Organizations.
  2. Click Create organization.
  3. Enter the Name and give a Description for your organization.

    Note

    If automation controller is enabled on the platform, continue with Step 4. Otherwise, proceed to Step 6.

  4. Select the name of the Execution environment or search for one that members of this organization can use to run automation.
  5. Enter the name of the Instance Groups on which to run this organization.
  6. Optional: Enter the Galaxy credentials or search from a list of existing ones.
  7. Select the Max hosts for this organization. The default is 0. When this value is 0, it signifies no limit. If you try to add a host to an organization that has reached or exceeded its cap on hosts, an error message displays:

    You have already reached the maximum number of 1 hosts allowed for your organization. Contact your System Administrator for assistance.
  8. Click Next.
  9. If you selected more than 1 instance group, you can manage the order by dragging and dropping the instance group up or down in the list and clicking Confirm.

    Note

    The execution precedence is determined by the order in which the instance groups are listed.

  10. Click Next and verify the organization settings.
  11. Click Finish.

4.1.3. Access to organizations

You can manage access to an organization by selecting an organization from the Organizations list view and selecting the associated tabs for providing access to Users, Administrators or Teams.

4.1.3.1. Assigning a user to an organization

You can give a user access to an organization, and therefore to the resources within the organization, by assigning them to the organization and managing the organization roles associated with the user.

You can view a list of users associated with an organization, along with the roles each user is directly assigned, in the organization’s Users tab. When you manage a user’s organization roles in the Users tab, you can also see how the user was assigned their roles, whether indirectly, through association with a team, or through direct user assignment by an administrator.

Note

If a user is assigned a "team member" role, this likely indicates that they have an indirectly-assigned role. To see a user’s indirectly-assigned roles, click the pencil (Edit page) icon to view and manage roles, and then click the link labeled View indirectly-assigned organization roles in the page banner.

To assign a user to an organization, the user must already exist. For more information, see Creating a user. To assign roles to a user, the role must already exist. See Creating a role for more information.

Procedure

  1. From the navigation panel, select Access Management → Organizations.
  2. From the Organizations list view, select the organization to which you want to add a user.
  3. Click the Users tab, then click Assign Users to add users.
  4. Select one or more users from the list by clicking the checkbox next to the name to add them as members.
  5. Click Next.
  6. Select the roles you want the selected user to have. Scroll down for a complete list of roles.

    Note

    Ensure that you are selecting the desired role within the correct component context, because resources like projects and credentials can be associated with both Automation Execution (automation controller) and Automation Decisions (Event-Driven Ansible).

  7. Click Next to review the roles settings.
  8. Click Finish to apply the roles to the selected users, and to add them as members. The Add roles dialog displays the updated roles assigned for each user.

    Note

    A user with roles associated with an organization loses those roles if they are removed from the organization.

  9. To remove a particular user from the organization, select Remove user from the More Actions list next to the user. This launches a confirmation dialog, asking you to confirm the removal. Note that removing a user from an organization will also remove all organization roles that the user is indirectly assigned from that specific organization.
  10. To manage roles for users in an organization, click the icon next to the user and select Manage roles. You can manage organization roles that are directly assigned to a user by selecting or clearing the checkboxes. Double-check the component column to ensure you are selecting the desired role in the correct component context.

    Tip

    From this screen, you can view, but not manage, indirectly-assigned roles that a user has inherited from a team assignment. To view indirectly-assigned roles, along with the team assignment they originated from, click the View indirectly-assigned organization roles link in the banner beneath the page heading. To manage roles indirectly assigned to a user through a team assignment, manage that team’s role assignments or remove the user from that team.

4.1.3.2. Adding an administrator to an organization

You can add administrators to an organization, which allows them to manage the membership and settings of the organization. For example, they can create new users and teams within the organization, and grant permission to users within the organization. To add an administrator to an organization, the user must already exist.

Procedure

  1. From the navigation panel, select Access Management → Organizations.
  2. From the Organizations list view, select the organization to which you want to add a user, administrator, or team.
  3. Click the Administrators tab.
  4. Click Add administrators.
  5. Select the users from the list by clicking the checkbox next to the name to assign the administrator role to them for this organization.
  6. Click Add administrators.
  7. To remove a particular administrator from the organization, select Remove administrator from the More actions ⋮ list next to the administrator name. This launches a confirmation dialog asking you to confirm the removal.

    Note

    If the user has been added as a member to this organization, they will continue to be a member of this organization. However, if they were added to the organization when the administrator assignment was made, they are removed from the organization.

4.1.3.3. Assigning a team to an organization

You can give a team access to an organization, and to the resources within that organization, by assigning roles to the team in the organization’s Teams tab. All users who are part of a team assigned to the organization will inherit the team’s organization role assignments.

To assign roles to a team, the team must already exist in the organization. For more information, see Creating a team. To assign roles for a team, the role must already exist. See Creating a role for more information.

Procedure

  1. From the navigation panel, select Access Management → Organizations.
  2. From the Organizations list view, select the organization to which you want to assign team access.
  3. Click the Teams tab. If no teams exist, click Create team to create a team and assign it to this organization.
  4. Click Assign roles.
  5. Select the roles you want the selected team to have. Scroll down for a complete list of roles.

    Note

    Ensure that you are selecting the desired role within the correct component context, because resources like projects and credentials can be associated with both Automation Execution (automation controller) and Automation Decisions (Event-Driven Ansible).

  6. Click Next to review the roles settings.
  7. Click Finish to apply the roles to the selected teams. The Assign roles dialog displays the updated roles assigned for each team.
  8. Click Close.

    Note

    A team with associated roles retains them if they are reassigned to another organization.

  9. To manage roles for teams in an organization, click the icon next to the user and select Manage roles.

4.1.3.4. Deleting an organization

Before you can delete an organization, you must be an Organization administrator or System administrator. When you delete an organization, the organization, team, users and resources are permanently removed from Ansible Automation Platform.

Note

When you try to delete items that are used by other resources, a message is displayed warning you that the deletion might impact other resources and prompts you to confirm the deletion. Some screens contain items that are invalid or have been deleted previously, and will fail to run.

Procedure

  1. From the navigation panel, select Access Management → Organizations.
  2. Click the icon next to the organization you want removed and select Delete organization.
  3. Select the confirmation checkbox and click Delete organizations to proceed with the deletion. Otherwise, click Cancel.

    Note

    You can delete multiple organizations by selecting the checkbox next to each organization you want to remove, and selecting Delete selected organizations from the More actions ⋮ list on the menu bar.

4.1.4. Working with notifiers

When automation controller is enabled on the platform, you can review any notifier integrations you have set up and manage their settings within the organization resource.

Procedure

  1. From the navigation panel, select Access Management → Organizations.
  2. From the Organizations list view, select the organization whose notifications you want to manage.
  3. Select the Notification tab.
  4. Use the toggles to enable or disable the notifications to use with your particular organization. For more information, see Enable and disable notifications.
  5. If no notifiers have been set up, select Automation Execution → Administration → Notifiers from the navigation panel.

4.1.5. Working with execution environments

When automation controller is enabled on the platform, you can review any execution environments you have set up and manage their settings within the organization resource.

For more information about execution environments, see Execution environments in the Using automation execution guide.

Procedure

  1. From the navigation panel, select Access Management → Organizations.
  2. From the Organizations list view, select the organization whose execution environments you want to manage.
  3. Select the Execution Environments tab.
  4. If no execution environments are available, click Create execution environment to create one. Alternatively, you can create an execution environment from the navigation panel by selecting Automation Execution → Infrastructure → Execution Environments.
  5. Click Create execution environment.

    Note

    After creating a new execution environment, return to Access Management → Organizations and select the organization in which you created the execution environment to update the list on that tab.

  6. Select the execution environments to use with your particular organization.

4.2. Teams

As an administrator, you can use teams to bulk-assign roles to users that need to share the same access.

A team is a subdivision of an organization that groups users and roles together for specific resources. Teams offer a means to implement role-based access control schemes and delegate responsibilities across organizations by allowing you to grant access to users in bulk. For example, you can grant resource access to a team, and therefore to all the users in the team, rather than granting access to each individual user on the team.

You can create as many teams as needed for your organization. Teams can only be assigned to one organization while an organization can be made up of multiple teams. Each team can be assigned roles, the same way roles are assigned for users. Teams can also scalably assign ownership for credentials, preventing multiple interface click-throughs to assign the same credentials to the same user.

4.2.1. Teams list view

The Teams page displays the existing teams for your installation. From here, you can search for a specific team, filter the list of teams by team name or organization, or change the sort order for the list.

Procedure

  1. From the navigation panel, select Access Management → Teams.
  2. In the Search bar, enter an appropriate keyword for the team you want to search for and click the arrow icon.
  3. From the menu bar, you can sort the list of teams by using the arrows for Name and Organization to toggle your sorting preference.
  4. You can view team details by clicking a team Name on the Teams page.
  5. You can view organization details by clicking the link in the Organization column.

4.2.2. Creating a team

You can create new teams, assign an organization to the team, and manage the users and administrators assigned to each team. Users on a team inherit the permissions and roles assigned to the team. To assign a user or administrator to a team, the user must have already been created. See Assigning users to a team or Assigning administrators to a team for more information.

Procedure

  1. From the navigation panel, select Access Management → Teams.
  2. Click Create team.
  3. Enter a Name and optionally give a Description for the team.
  4. Select an Organization to be associated with this team.

    Note

    Each team can only be assigned to one organization.

  5. Click Create team. The Details page opens, where you can review and edit your team information and access.

4.2.3. Assigning users to a team

To assign a user to a team, the user must already have been created. For more information, see Creating a user. Assigning a user to a team adds them as a member only. Use the Roles tab to assign a role that gives users on the team resource access.

New user memberships to a team must be added at the platform level.

Procedure

  1. From the navigation panel, select Access Management → Teams.
  2. Select the team to which you want to add users.
  3. Select the Users tab.
  4. Select one or more users from the list by clicking the checkbox next to the name to add them as members of this team.
  5. Click Add users.

4.2.4. Removing users from a team

You can remove a user from a team from the Team list view.

Procedure

  1. From the navigation panel, select Access Management → Teams.
  2. Select the team from which you want to remove users.
  3. Select the Users tab.
  4. Click the Remove user icon next to the user you want to remove as a member of the team.
  5. You can delete multiple users by selecting the checkbox next to each user you want to remove, and selecting Remove selected users from the More actions ⋮ list.

    Note

    If the user is a Team administrator, you can remove their membership to the team from the Administrators tab.

  6. A confirmation dialog asking you to confirm the removal will appear. Confirm the removal. Note that removing a user from a team removes all of that team’s role assignments from the user.

4.2.5. Assigning administrators to a team

You can assign administrators to a team, which allows them to manage the membership and settings of that team. For example, they can create new users and grant permission to users within the team. To assign an administrator to a team, the administrator must already have been created. For more information, see Creating a user.

Procedure

  1. From the navigation panel, select Access Management → Teams.
  2. Select the team to which you want to add an administrator.
  3. Select the Administrators tab and click Add administrator(s).
  4. Select one or more users from the list by clicking the checkbox next to the name to add them as administrators of this team.
  5. Click Add administrators.

4.2.6. Assigning roles to a team

You can grant a team granular access to specific resources such as inventories, projects, and job templates by assigning the team roles associated with those particular resources. You can also set permissions at the level of the organization from the Organizations view.

Note

Teams cannot be assigned to an organization through role assignment, nor can teams be assigned organization roles from the Teams view. Refer to the steps provided in Adding a team to an organization for detailed instructions on assigning a team to an organization.

Procedure

  1. From the navigation panel, select Access Management → Teams.
  2. Select the team Name to which you want to add roles.
  3. Select the Roles tab and click Add roles.

    Note

    Ensure that you are selecting the desired role within the correct component context, because resources like projects and credentials can be associated with both Automation Execution (automation controller) and Automation Decisions (Event-Driven Ansible).

  4. Select a Resource type and click Next.
  5. Select the resources that you want to give the team role-based access to and click Next.
  6. Select the roles to apply to the resources and click Next.

    Tip

    If you are selecting more than one role in this step, consider creating a custom role that includes all the permissions for this resource type to give the team the correct access.

  7. Review the settings and click Finish.
  8. The Add roles dialog displays indicating whether the role assignments were successfully applied. Click Close to close the dialog.

4.2.7. Removing roles from a team

You can remove roles individually or in bulk.

Procedure

  1. From the navigation panel, select Access Management → Teams.
  2. Select the team Name from which you want to remove roles.
  3. Select the Roles tab.
  4. To remove a single role, click the minus icon next to the resource and confirm removal on the dialog that is displayed.

    Note

    Ensure that you are selecting the desired role within the correct component context, because resources like projects and credentials can be associated with both Automation Execution (automation controller) and Automation Decisions (Event-Driven Ansible).

  5. To remove roles in bulk, select the checkbox next to each resource you want to remove and click Delete selected roles from the More Actions list on the menu bar, then confirm removal and click Delete role.

4.2.8. Deleting a team

Before you can delete a team, you must have team permissions. When you delete a team, the roles that users inherited from that team are revoked.

Procedure

  1. From the navigation panel, select Access Management → Teams.
  2. To remove a single team, click the minus icon - next to the team and confirm removal on the dialog that is displayed.
  3. To remove teams in bulk, select the checkbox next to each team that you want to remove, then click the More Actions icon and select Delete team.

4.3. Users

A user is an individual or entity that can log in to the platform and perform tasks. Users are fundamental units to which roles can be assigned, either directly by an administrator or indirectly through a team.

Note

Ansible Automation Platform automatically creates a default system admin user so they can log in and set up Ansible Automation Platform for their organization. This user cannot be deleted or modified.

You can sort or search the User list by Username, First name, Last name, or Email. Click the arrows in the header to toggle your sorting preference. You can view User type and Email beside the user name on the Users page.

4.3.1. Users list view

The Users page displays the existing users for your installation. From here, you can search for a specific user, filter the list of users, or change the sort order for the list.

When user accounts have been migrated to Ansible Automation Platform 2.6 during the upgrade process, these accounts are also displayed in the Users list view. You can see whether these users have administrator privileges by editing the account. See Editing a user for instructions.

Procedure

  1. From the navigation panel, select Access Management → Users.
  2. In the Search bar, enter an appropriate keyword for the user you want to search for and click the arrow icon.
  3. From the menu bar, you can sort the list of users by using the arrows for Username, Email, First name, Last name or Last login to toggle your sorting preference.
  4. You can view user details by selecting a Username from the Users list view.

4.3.2. Creating a user

You can create three types of users in Ansible Automation Platform:

Normal user
Normal users have read and write access limited to the resources (such as inventory, projects, and job templates) for which that user has been granted the appropriate roles and privileges. Normal users are the default type of user when no other User type is specified.
Ansible Automation Platform Administrator
An administrator (also known as a Superuser) has full system administration privileges, with full read and write privileges over the entire installation. An administrator is typically responsible for managing all aspects of and delegating responsibilities for day-to-day work to various users.
Ansible Automation Platform Auditor
Auditors have read-only capability for all objects within the environment.

Procedure

  1. From the navigation panel, select Access Management → Users.
  2. Click Create user.
  3. Enter the details about your new user in the fields on the Create user page. Fields marked with an asterisk (*) are required.
  4. Normal users are the default when no User type is specified. To define a user as an administrator or auditor, select a User type from the drop-down menu.

    Note

    If you are modifying your own password, log out and log back in for the change to take effect.

  5. Select the Organization to be assigned for this user. For information about creating a new organization, see Creating an organization.
  6. Click Create user.

    When the user is successfully created, the User details screen opens. From here, you can review and change the user’s teams, roles, tokens and other membership details.

    Note

    If the user is not newly-created, the details screen displays the user’s last login activity.

Next steps

If you log in as yourself, and view the details of your user profile, you can manage tokens from your user profile by selecting the Tokens tab. For more information, see Adding a token.

4.3.3. Editing a user

You can change the properties of a user account after it is created.

To see whether a user had service level auditor privileges, you must refer to the API.

Note

After upgrading to 2.6, users previously designated as automation controller administrators are labeled as platform administrators in the User type column in the Users list view. Automation hub administrators are labeled as Normal in the User Type column.

Procedure

  1. From the navigation panel, select Access Management → Users.
  2. Click the pencil (Edit page) icon next to the user you want to edit and select Edit user.
  3. The Edit user page is displayed where you can change user details such as Password, Email, User type, and Organization.
  4. After your changes are complete, click Save user.

4.3.4. Deleting a user

Before you can delete a user, you must have normal user or system administrator permissions. When you delete a user account, the name and email of the user are permanently removed from Ansible Automation Platform.

Procedure

  1. From the navigation panel, select Access Management → Users.
  2. To delete a single user, select the More Actions icon next to the user you want to remove and select Delete user.
  3. To bulk delete users, select the checkbox next to each user you want to remove, and then from the More Actions list, click Delete users.

4.3.5. Assigning roles to a user

You can grant users granular access to specific resources such as inventories, projects, or job templates by assigning users roles.

You can view and manage roles that were assigned directly to a user by an administrator in the user’s Roles tab.

You can view roles that a user inherited from a team assignment in the View indirectly assigned roles link in the page banner. You cannot directly manage an indirectly-assigned role. You can only manage indirectly-assigned roles by editing the team’s role assignments, or by removing the user from the team.

Note

Users cannot be assigned to an organization through role assignment, nor can you assign users organization roles from this screen. Refer to the steps provided in Adding a user to an organization for detailed instructions on assigning a user to an organization.

Roles are labeled with their associated Ansible Automation Platform component and function. These components align with Ansible Automation Platform services and the side navigation structure in the user interface. Component labels can be understood as follows:

  • Automation Execution refers to automation controller
  • Automation Decisions refers to Event-Driven Ansible
  • Automation Content refers to automation hub

When assigning roles, ensure that you are selecting the required resource in the correct component context, because resources such as projects and credentials can be associated with both Automation Execution and Automation Decisions.

Procedure

  1. From the navigation panel, select Access Management → Users.
  2. From the Users list view, click the user to which you want to add roles.
  3. Select the Roles tab to display the set of roles assigned to this user. These provide the ability to read, change, and administer resources.
  4. To add new roles, click Add roles.

    Note

    Ensure that you are selecting the desired role within the correct component context, because resources like projects and credentials can be associated with both Automation Execution (automation controller) and Automation Decisions (Event-Driven Ansible).

  5. Select a Resource type and click Next.
  6. Select the resources that you want to give role-based access to and click Next.
  7. Select the roles that will be applied to the resources and click Next.

    Tip

    If you are selecting more than one role, consider creating a custom role that includes all the permissions for this resource type so you can give your users the appropriate level of access.

  8. Review the settings and click Finish. The Add roles dialog displays indicating whether the role assignments were successfully applied. Click Close to close the dialog.
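The direct and indirect assignment model described in this section can be checked offline during an access review. The following Python sketch is an added example, not Red Hat code and not an Ansible Automation Platform API client; the Grant, Team, and AccessModel classes, the review function, and all users, teams, roles, and resources in it are constructed for illustration.

```python
"""Access review over the direct / indirect role model described in this chapter.
Every name and data value below is constructed; this is not an AAP API client."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    component: str      # "Automation Execution", "Automation Decisions", ...
    resource_type: str  # e.g. "project"
    resource: str       # resource name
    role: str           # role name (constructed)


@dataclass
class Team:
    name: str
    organization: str   # a team is assigned to exactly one organization
    members: set = field(default_factory=set)
    grants: set = field(default_factory=set)


class AccessModel:
    def __init__(self):
        self.teams = {}   # team name -> Team
        self.direct = {}  # user -> set of directly assigned Grants

    def add_team(self, name, organization, members=(), grants=()):
        self.teams[name] = Team(name, organization, set(members), set(grants))

    def assign_direct(self, user, grant):
        self.direct.setdefault(user, set()).add(grant)

    def remove_from_team(self, user, team):
        # Removing the membership drops every grant inherited from that team.
        self.teams[team].members.discard(user)

    def effective(self, user):
        """Map each grant the user holds to the sorted sources that confer it."""
        sources = {}
        for grant in self.direct.get(user, ()):
            sources.setdefault(grant, []).append("direct")
        for team in self.teams.values():
            if user in team.members:
                for grant in team.grants:
                    sources.setdefault(grant, []).append(f"team:{team.name}")
        return {g: sorted(s) for g, s in sources.items()}


def review(model, catalogue, user):
    """Return three findings for one user.

    indirect_only    - grants that can only be changed through the team
    redundant_direct - direct grants that duplicate a team grant and therefore
                       survive removal of the user from that team
    check_component  - grants on a resource whose type and name also exist
                       under another component in the catalogue
    """
    eff = model.effective(user)
    return {
        "indirect_only": {g for g, s in eff.items() if "direct" not in s},
        "redundant_direct": {g for g, s in eff.items()
                             if "direct" in s and len(s) > 1},
        "check_component": {
            g for g in eff
            if any(c != g.component and (t, r) == (g.resource_type, g.resource)
                   for c, t, r in catalogue)
        },
    }


# Constructed sample data: one project name exists in two components.
EXEC_PROJECT = Grant("Automation Execution", "project", "web-deploy", "Project Use")
DEC_PROJECT = Grant("Automation Decisions", "project", "web-deploy", "Project Use")
TEMPLATE = Grant("Automation Execution", "job template", "patch-linux", "Execute")


def build_sample():
    model = AccessModel()
    model.add_team("ops", "Default", members={"alice", "bob"},
                   grants={EXEC_PROJECT, TEMPLATE})
    model.assign_direct("alice", EXEC_PROJECT)  # duplicates the team grant
    model.assign_direct("bob", DEC_PROJECT)     # same project name, other component
    catalogue = {(g.component, g.resource_type, g.resource)
                 for g in (EXEC_PROJECT, DEC_PROJECT, TEMPLATE)}
    return model, catalogue


if __name__ == "__main__":
    model, catalogue = build_sample()
    for user in ("alice", "bob"):
        print(user, review(model, catalogue, user))
    model.remove_from_team("alice", "ops")
    print("alice after team removal:", model.effective("alice"))
```

In the sample data, removing alice from the ops team revokes her job template access but not her project access, because that grant was also assigned directly.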

4.3.6. Removing roles from a user

You can remove a user’s roles by editing the user information in the Roles tab.

Procedure

  1. From the navigation panel, select Access Management → Users.
  2. Select the user name whose role access you want to remove.
  3. Select the Roles tab.

    Note

    Ensure that you are selecting the desired role within the correct component context, because resources like projects and credentials can be associated with both Automation Execution (automation controller) and Automation Decisions (Event-Driven Ansible).

  4. To remove a single role, click the - icon next to the role and confirm removal on the dialog that is displayed.
  5. To remove multiple roles, select the checkbox next to each role you want to remove and click Remove selected roles from the More actions ⋮ list on the menu bar. On the dialog that is displayed, confirm removal of the selected roles and click Remove role.

4.4. Resources

You can manage user access to Ansible Automation Platform resources and what users can do with those resources. Users are granted access through the roles they are directly assigned by an administrator, or through roles inherited from a team assignment. Ansible Automation Platform resources differ depending on the functionality you are configuring. For example, resources can be job templates and projects for automation execution or decision environments and rulebook activations for automation decisions.

4.4.1. Providing team access to a resource

You can grant users access based on their team membership. When you add a user as a member of a team, they inherit access to the roles and resources defined for that team.

Note

Direct team access cannot be granted to Automation Content → Remote Registries resources.

Procedure

  1. From the navigation panel, click the name of the resource that you want to give a team access to. For example, Automation Execution → Templates.
  2. On the details page, select the Team Access tab.
  3. Click Assign Teams.
  4. Click the checkbox beside the team to assign that team access to your chosen resource and click Next.
  5. Select the roles you want applied to the team for the chosen resource and click Next.
  6. Review the settings and click Finish. The Assign Teams dialog displays indicating whether the role assignments were successfully applied.
  7. You can remove resource access for a team by selecting the Remove team icon next to the team. This launches a confirmation dialog, asking you to confirm the removal.

4.4.2. Providing direct user access to a resource

You can directly grant users access to resources, and edit their access after it has been granted.

Note

Direct user access cannot be granted to Automation Content → Remote Registries resources.

Procedure

  1. From the navigation panel, select a resource that you want to give a user access to. For example, Automation Execution → Templates.
  2. Select the User access tab.
  3. Click Assign users.
  4. Click the checkbox beside the user to assign that user to your chosen resource and click Next.
  5. Select the roles you want applied to the user for the chosen resource and click Next.
  6. Review the settings and click Finish. The Assign Roles dialog displays indicating whether the role assignments were successfully applied.
  7. You can edit a user’s access to a resource from the User Access tab by clicking the pencil (Edit page) icon next to the user’s name and adding or removing directly-assigned roles.
  8. You can remove resource access for a user by selecting the Remove role icon next to the user. This launches a confirmation dialog asking you to confirm the removal.