Chapter 3. User access for RBAC in systems inventory


3.1. User Access for inventory

Red Hat uses role-based access control (RBAC) to manage User Access on the Red Hat Hybrid Cloud Console. You can use User Access to configure access and permissions in systems inventory.

Insights for Red Hat Enterprise Linux provides a set of predefined roles. Depending on the application, the predefined roles for each supported application can have different permissions that are tailored to that application.

3.1.1. How User Access works

The User Access feature is based on managing roles, rather than on individually assigning permissions to specific users. In User Access, each role has a specific set of permissions. For example, a role might allow read permission for an application. Another role might allow write permission for an application.

You create groups that contain roles and, by extension, the permissions assigned to each role. You also assign users to those groups. This means that each user in a group is assigned the permissions of the roles in that group.

By creating different groups and adding or removing roles for that group, you control the permissions allowed for that group. When you add one or more users to a group, those users can perform all actions that are allowed for that group.

Insights for Red Hat Enterprise Linux provides two default access groups for User Access:

  • Default admin access group. The Default admin access group is limited to Organization Administrator users in your organization. You cannot change or modify the roles in the Default admin access group.
  • Default access group. The Default access group contains all authenticated users in your organization. These users automatically inherit a selection of predefined roles.
Note

You can make changes to the Default access group. However, when you do so, the group name automatically changes to Custom default access.

3.1.2. Inventory predefined roles and permissions

Role NameDescriptionPermissions

Inventory administrator

You can perform any available operation against any Inventory resource.

inventory:*:* (* denotes all permissions on all resources)

Workspaces administrator

You can read and edit Workspaces data.

inventory: groups: write and inventory: groups: read

Workspaces viewer

You can read Workspaces data.

inventory: groups: read

Inventory Hosts administrator

You can read and edit Inventory Hosts data.

inventory: hosts: write and inventory: hosts: read

Inventory Hosts viewer

You can read Inventory Hosts data.

inventory: hosts: read

Additional Resources

Role Based Access Control

3.2. User access to Workspaces

Workspaces allow you to group systems in your inventory together into logical units, such as location, department, or purpose. Each system can belong to only one Workspace.

Workspaces also support role-based access control (RBAC). Using RBAC enables you to set custom permissions on Workspaces according to user role.

The Workspace administrator User Access role allows you to create Workspaces. This role is automatically included in the Default Access group and cannot be removed from it. However, users with this role can modify any Workspace. Provide this role only to those users who are entitled to access the entire system inventory.

For a user to be able to use Workspaces and RBAC to restrict access to specific systems, that user must either be a member of the Default Access group, or have both the Workspace administrator and the User Access Administrator roles.

Workspace users have group-level RBAC permissions. Custom permissions include the following:

  • inventory:groups:read

    • View Workspace details page
  • inventory:groups:write

    • Rename the Workspace
    • Add systems to the Workspace
  • Remove systems from the Workspace
Note

A user cannot view the systems inside the Workspace without inventory:hosts:read permissions.

Systems users have system-level RBAC permissions. They can perform the following Workspace operations:

  • inventory:hosts:read

    • View all the systems in the Workspace and their details, or view ungrouped systems
    • View information about the systems for other Insights services
  • inventory:hosts:write

    • Rename the system
    • Delete the system

3.2.1. Managing user access to Workspaces

Note

If you do not have access to Workspaces, navigating to Inventory > Workspaces shows the message Workspace access permissions needed.

Be aware that you can still view the Workspace name assigned to the system for which you have read access, even if you do not have access to the Workspace itself. To view the Workspace that contains the system, you need to have the Workspaces Viewer role, or have Workspace view permissions assigned.

Important

Before making changes in the RBAC configuration, review the list of known limitations in the User Scenarios section.

For more information about managing user access, assigning roles, and adding members to user access groups, see User Access Configuration Guide for Role-based Access Control (RBAC).

3.2.1.1. Creating a custom User Access role

Use the User Access application to configure user access for your Workspace.

To create a custom role:

  1. Click the Settings icon (⚙) in the top right corner, and then select User Access to navigate to the User Access application. The Identity & Access Management main page displays.
  2. In the left navigation menu, click Roles.
  3. Click Create role. The Create Role wizard displays.
  4. Select whether you want to create a new role, or copy an existing role.

    1. To create a new role, select create a role from scratch.
    2. To copy an existing role, select Copy an existing role. A list of roles appears. Select the role you want to copy, and then click Next.
  5. Name the new role. If desired, add a description.
  6. Click Next. The Add permissions page displays.
  7. The Applications filter displays by default. Click the Filter by application drop-down and select inventory to display all the available inventory permissions.

    The four inventory permissions include:

    • inventory:hosts:read - Allows users to view systems (needed to view systems both inside and outside the Workspace).
    • inventory:hosts:write - Allows users to Rename or Delete systems.
    • inventory:groups:read - Allows users to view Workspaces, and general info (not including systems in it).
    • inventory:groups:write - Allows users to edit Workspace membership (add and remove systems from Workspaces).
  8. Select the inventory permissions that you need. Here are some examples:

    1. To give a user full access to the Workspace and all systems in that Workspace, select all four permissions.
    2. To give a user full access to the systems inside a Workspace without granting Workspace editing access, select inventory:hosts:read, inventory:hosts:write, and inventory:groups:read, but do not select inventory:groups:write.
    3. To give a user full access to ungrouped systems, select all four permissions (ungrouped systems are considered a Workspace).
  9. Click Next. The Define Workspace access page displays.
  10. Click the drop-down arrow next to each permission in the list, and then select the Workspaces you want to apply to those permissions. You must select at least one Workspace for each permission.
  11. Click Next. The Review details page displays.
  12. Review the permissions for the custom role and click Submit.

Repeat this process for each Workspace or for each group of users that requires specific Workspace access.

Example scenarios

These examples describe the permissions you assign to users in specific custom roles.

  • To allow users to only see systems in specific Workspaces, but to not see systems that do not belong to any Workspaces, select only those Workspaces.
  • To allow users to see systems in specific Workspaces as well as any systems that do not belong to any Workspaces, select those Workspaces for all permissions and select Ungrouped systems for inventory:hosts permissions.
  • To allow users to see everything in the inventory, you do not need to create a custom role.
  • To give a group of system administrators the same access to Workspaces A, B, and C, create a single custom role and assign permissions to those three Workspaces. However, if you want to give different users access to different Workspaces, create a separate custom role for each Workspace.

3.2.1.2. Assigning custom roles

To assign custom roles to a user or group of users, create a User Access group. The users inside a group receive the roles assigned to that group.

  1. At the top right of the screen, click the Settings icon (the Settings icon (⚙)), and then click User Access.
  2. In the left navigation menu, click User Access > Groups.
  3. Click Create group. The Create group wizard displays the Name and description page.
  4. Add a group name. If desired, add a description for the group.
  5. Click Next. The Add roles page displays.
  6. Select the custom role you created, and then click Next. The Add members page displays.
  7. Select the users to whom you want to assign the custom role.
  8. Click Next. The Add service accounts page appears.
  9. Optional. If you want to assign a service account or accounts to the selected users, select one or more service accounts from the list.
  10. Click Next. Review the details of your selections and click Submit.

Repeat this procedure for each custom role that you want to assign to one or more users.

3.2.1.3. Configuring user access

After you create and assign a custom role, all users in your organization still have full access to inventory because they still have the Inventory Hosts administrator role assigned. This allows any user to view and edit all hosts. The Default Access workspace assigns this role to all users in your organization by default.

To limit organization users' access to only the Workspaces/systems defined in your custom roles, edit the Default Access Workspace to remove the Inventory Hosts administrator role.

  1. At the top right of the screen, click the Settings icon (the Settings icon (⚙)), and then click User Access.
  2. In the left navigation menu, click User Access > Groups. The list of User access groups displays.
  3. Click the Default access group. The list of roles displays.
  4. Select the checkbox for the Inventory Hosts administrator role.
  5. Click the options icon (⋮) at the far right of the row. The Remove role option appears.
  6. Click Remove role. The Remove role dialog box appears.
  7. Click the Remove role button. If you have never edited the Default Access Workspace before, a warning message displays.
  8. Select the I understand, and I want to continue checkbox, and then click Continue.

3.2.1.4. Configuring Inventory Hosts administrator access

After you edit the Default Access Workspace, you might want to create a new User Access group of users who should have Inventory Hosts administrator permissions.

  1. At the top right of the screen, click the Settings icon (the Settings icon (⚙)), and then click User Access.
  2. In the left navigation menu, click User Access > Groups. The list of Workspaces displays.
  3. Click Create group. The Create Group wizard appears.
  4. Add a name for the group. If desired, add a description.
  5. Click Next. The Add roles page displays.
  6. Select the Inventory Hosts administrator role from the list of roles.
  7. Click Next. The Add members page displays.
  8. Select the users to whom you want to assign the role.
  9. Click Next. The Add service accounts page appears.
  10. Optional. If you want to assign a service account or accounts to the selected users, select one or more service accounts from the list.
  11. Click Next. The Review details page displays.
  12. Review the details of your selections, and click Submit.

After you have finished configuring access, specific users within your organization have full inventory access, and others have limited inventory access.

3.3. User scenarios

This section contains two example scenarios that illustrate the features of Workspaces. These scenarios follow a procedure format, so that you can follow the required steps and test them, if desired.

3.3.1. Scenario 1: Two different IT teams must manage their systems with Insights

In this scenario, two different IT teams working for the same company share the same Insights organization within their Red Hat account.

  • Each IT team must have complete control of their systems in the Red Hat Hybrid Cloud Console, but should not be able to see or modify the systems belonging to the other team.
  • All users within the same team have the same level of access on both their Workspaces and their systems. Access levels can be adjusted as needed.
  • Regular users of both IT teams will not be able to see or modify systems that are not part of any Workspaces.
  • Organization administrators, or anyone with Workspace administrator and Inventory Hosts administrator roles, have access to the entire inventory. Any other users without those roles cannot access the entire inventory.

3.3.1.1. Initial phase

By default, organization administrators (who are members of the Default administrator access group) on the Red Hat Hybrid Cloud Console always have read/write access to all Workspaces and read/write access to all systems, regardless of how permissions are defined for the Workspace objects and systems assigned to them.

These users are the only ones who may configure user access for Workspaces. If any regular users need to manage user access, the administrators can grant them Workspace admin and Inventory Hosts admin roles separately.

By default, users who are not Organization administrators are assigned the Inventory Hosts administrator role from the Default access group. The Default access group gives these users inventory:hosts:read and inventory:hosts:write access across the entire inventory. Those permissions grant read and write permissions on all systems and all Workspaces.

Note

For more information about the Default access group, see The Default access group.

3.3.1.2. Restricting access

Prerequisites

  • You are a member of the Default administrator access group.

Step 1: Create the Workspaces

First, create two separate Workspaces. (This example shows two Workspaces, but you may create as many as you need).

  • Workspace 1: IT team A - Systems
  • Workspace 2: IT team B - Systems

Step 2: Add systems to Workspaces

Now that the Workspaces have been created, add systems to them. Click in each Workspace and select Add systems.

At this stage, all the users still have access to all systems, regardless of the Workspaces they are in. This is because they still have the Inventory hosts administrator role, which allows them to see all systems, whether or not they are grouped into Workspaces.

Step 3: Create custom roles

To customize access for different Workspaces, create custom roles for those Workspaces. To create a custom role, navigate to User Access > Roles, and click Create role. A wizard opens. Name your role (For example, IT Team - A Role), and click Next.

Step 3a: Select permissions to add to the custom role

The wizard displays the Add permissions step. This step contains four inventory permissions options. Select them depending on the level of access you want to grant.

For full access to the Workspace and its systems, select:

  • inventory:groups:read
  • inventory:groups:write
  • inventory:hosts:read
  • inventory:hosts:write

After selecting permissions, click Next. You can adjust the permissions as needed.

Step 3b: Assign permissions to selected Workspaces

In this step, choose the Workspace(s) to which you want to grant permission. This example shows how to select the Workspace that corresponds to the current role. For example, create the role IT team A - Role, and specify the Workspace IT team A - Systems for each permission.

Review the details and click Submit.

Repeat the steps in this section to create a second custom role called IT team B - Role and select the IT team B - Systems Workspace.

Note

You can grant access to systems that are not part of any Workspace to one or both IT teams. To add those systems, add the Ungrouped systems that appear in the Group definition of the host permissions to your custom role.

Step 4: Create User Access groups to assign custom roles to users

Now that the custom roles are created, create User Access groups to assign the custom roles to users.

To create a new group, navigate to User Access > Groups and click Create group. Name the group, select the newly created role, and select the users to whom you want to give the role.

For example, two IT groups have the following permissions:

  • IT team A - user group
  • IT team A - role
  • IT team B - user group
  • IT team B - role

Step 5: Remove Inventory Hosts administrator role from the Default Access group

At this stage, despite all the steps taken above, all users still have access to all systems, regardless of the Workspaces they are in. This is because they still have the Inventory Hosts administrator role, which allows them to see all systems, whether or not they are grouped into Workspaces.

To limit access to systems, navigate to User Access > Groups and select the Default Access group. Remove the Inventory Hosts administrator role from this group.

If the users are also members of additional User Access Groups, make sure to review and remove the Inventory Hosts administrator role from those groups as needed.

Once the role has been removed, the User Access controls behave as expected: Users given custom roles to limit their views to certain Workspaces and systems only see those Workspaces and systems.

3.3.1.3. Adjustment considerations

  • If you have more than two IT groups, you can create as many custom roles and user groups as you need.
  • If you are trying to grant the same people the same access to multiple Workspaces, you can select more than one Workspace to grant permissions within the same custom role.
  • You can grant access to systems that are not part of any Workspace. Add the Ungrouped systems in the Group definition of the host permissions to the custom role.
  • Remember that as long the Inventory hosts administrator role is still in the Default Access group, all users who have that role still have access to everything.
  • If you do not select Ungrouped systems in your custom roles, users with those roles will not be able to see any ungrouped systems once you remove the Inventory Hosts administrator permission from the Default access group.

3.3.2. Scenario 2: Access to ungrouped systems

In this example, an admin wants to give a group of users access to ungrouped systems, but not to grouped systems.

Step 1: Create a custom role

  1. Navigate to User Access > Roles and click Create role. The Create Role wizard displays.
  2. Set the role name and description and click Next.
  3. Add the inventory:hosts permissions and click Next.

Configure both of the permissions to apply to the Group definition named Ungrouped systems. Click Next.

Review the details of the role and click Submit.

Step 2: Add the custom role to an RBAC group

  1. Once you create the custom role, navigate to User Access > Groups and click Create Group to create a User Access (RBAC) group.
  2. Name the group, select the new custom role, and select the users to whom you want to assign this role.
Note

These steps only work when the users do not have the Inventory Hosts administrator role assigned from the Default Access group. To check this, navigate to User Access > Groups and click on the Default Access group at the top. If that role is in the group, remove it, because that role gives users access to the whole inventory - including both ungrouped and grouped systems.

After you remove the role, the selected set of users only has access to ungrouped systems in your inventory.

3.3.3. Known limitations

  • Users who are Organization Administrators (members of the Default admin access group) will always have full access to systems and Workspaces.
  • A user without permission on the system will not be able to add it to a Remediation. However, if an existing Remediation with active systems was created in the past, the user will still be able to run it, even if the permissions have been removed on that system for the current user.
Note

Before enabling Workspaces in your organization, review your Notifications configuration to ensure that only appropriate groups of users are configured to receive Email notifications. If you do not review your Notifications configuration, users might receive alerts triggered by systems outside of their Workspace permission scope.

Additional Resources

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.