
Chapter 3. User access for RBAC in systems inventory

3.1. User Access for inventory

Red Hat uses role-based access control (RBAC) to manage User Access on the Red Hat Hybrid Cloud Console. You can use User Access to configure access and permissions in systems inventory.

Insights for Red Hat Enterprise Linux provides a set of predefined roles. Depending on the application, the predefined roles for each supported application can have different permissions that are tailored to that application.

3.1.1. How User Access works

The User Access feature is based on managing roles, rather than on individually assigning permissions to specific users. In User Access, each role has a specific set of permissions. For example, a role might allow read permission for an application. Another role might allow write permission for an application.

You create groups that contain roles and, by extension, the permissions assigned to each role. You also assign users to those groups. This means that each user in a group is assigned the permissions of the roles in that group.

By creating different groups and adding or removing roles for that group, you control the permissions allowed for that group. When you add one or more users to a group, those users can perform all actions that are allowed for that group.

Insights for Red Hat Enterprise Linux provides two default access groups for User Access:

  • Default admin access group. The Default admin access group is limited to Organization Administrator users in your organization. You cannot change or modify the roles in the Default admin access group.
  • Default access group. The Default access group contains all authenticated users in your organization. These users automatically inherit a selection of predefined roles.
Note

You can make changes to the Default access group. However, when you do so, the group name automatically changes to Custom default access.

3.1.2. Inventory predefined roles and permissions

Role name: Inventory Administrator
Description: You can perform any available operation against any Inventory resource.
Permissions: inventory:*:* (* denotes all permissions on all resources)

Role name: Inventory Groups Administrator
Description: You can read and edit Inventory Groups data.
Permissions: inventory:groups:write and inventory:groups:read

Role name: Inventory Groups Viewer
Description: You can read Inventory Groups data.
Permissions: inventory:groups:read

Role name: Inventory Hosts Administrator
Description: You can read and edit Inventory Hosts data.
Permissions: inventory:hosts:write and inventory:hosts:read

Role name: Inventory Hosts Viewer
Description: You can read Inventory Hosts data.
Permissions: inventory:hosts:read

Additional Resources

Role Based Access Control

3.2. User access to Inventory groups

Inventory groups allow you to group systems in your inventory together into logical units, such as location, department, or purpose. Each system can belong to only one Inventory group.

Inventory groups also support role-based access control (RBAC). Using RBAC enables you to set custom permissions on Inventory groups according to user role.

The Inventory Groups Administrator User Access role allows you to create Inventory groups. This role is automatically included in the Default access group and cannot be removed from it. However, users with this role can modify any Inventory group. Provide this role only to those users who are entitled to access the entire system inventory.

For a user to be able to use Inventory groups and RBAC to restrict access to specific systems, that user must either be a member of the Default access group, or have both the Inventory Groups Administrator and the User Access Administrator roles.

Inventory group users have group-level RBAC permissions. Custom permissions include the following:

  • inventory:groups:read

    • View Inventory group details page
  • inventory:groups:write

    • Rename the Inventory group
    • Add systems to the Inventory group
    • Remove systems from the Inventory group
Note

A user cannot view the systems inside the Inventory group without inventory:hosts:read permissions.

Systems users have system-level RBAC permissions. They can perform the following Inventory group operations:

  • inventory:hosts:read

    • View all the systems in the Inventory group and their details, or view ungrouped systems
    • View information about the systems for other Insights services
  • inventory:hosts:write

    • Rename the system
    • Delete the system

3.2.1. Managing user access to Inventory groups

Note

If you do not have access to Inventory groups, navigating to Inventory > Inventory groups shows the message Inventory group access permissions needed.

Be aware that you can still view the name of the Inventory group assigned to a system for which you have read access, even if you do not have access to the Inventory group itself. To view the Inventory group that contains the system, you need the Inventory Groups Viewer role, or Inventory group view permissions assigned.

Important

Before making changes in the RBAC configuration, review the list of known limitations in the User Scenarios section.

For more information about managing user access, assigning roles, and adding members to user access groups, see User Access Configuration Guide for Role-based Access Control (RBAC).

3.2.1.1. Creating a custom User Access role

Use the User Access application to configure user access for your Inventory group.

To create a custom role:

  1. Click the Settings icon (⚙) in the top right corner, and then select User Access to navigate to the User Access application. The Identity & Access Management main page displays.
  2. In the left navigation menu, click Roles.
  3. Click Create role. The Create Role wizard displays.
  4. Select whether you want to create a new role, or copy an existing role.

    1. To create a new role, select Create a role from scratch.
    2. To copy an existing role, select Copy an existing role. A list of roles appears. Select the role you want to copy, and then click Next.
  5. Name the new role. If desired, add a description.
  6. Click Next. The Add permissions page displays.
  7. The Applications filter displays by default. Click the Filter by application drop-down and select inventory to display all the available inventory permissions.

    The four inventory permissions include:

    • inventory:hosts:read - Allows users to view systems (needed to view systems both inside and outside the Inventory group).
    • inventory:hosts:write - Allows users to Rename or Delete systems.
    • inventory:groups:read - Allows users to view Inventory groups, and general info (not including systems in it).
    • inventory:groups:write - Allows users to edit Inventory group membership (add and remove systems from Inventory groups).
  8. Select the inventory permissions that you need. Here are some examples:

    1. To give a user full access to the Inventory group and all systems in that Inventory group, select all four permissions.
    2. To give a user full access to the systems inside an Inventory group without granting Inventory group editing access, select inventory:hosts:read, inventory:hosts:write, and inventory:groups:read, but do not select inventory:groups:write.
    3. To give a user full access to ungrouped systems, select all four permissions (ungrouped systems are treated as an Inventory group).
  9. Click Next. The Define Inventory group access page displays.
  10. Click the drop-down arrow next to each permission in the list, and then select the Inventory groups you want to apply to those permissions. You must select at least one Inventory group for each permission.
  11. Click Next. The Review details page displays.
  12. Review the permissions for the custom role and click Submit.

Repeat this process for each Inventory group or for each group of users that requires specific Inventory group access.

Example scenarios

These examples describe the permissions you assign to users in specific custom roles.

  • To allow users to only see systems in specific Inventory groups, but to not see systems that do not belong to any Inventory groups, select only those Inventory groups.
  • To allow users to see systems in specific Inventory groups as well as any systems that do not belong to any Inventory groups, select those Inventory groups for all permissions and select Ungrouped systems for inventory:hosts permissions.
  • To allow users to see everything in the inventory, you do not need to create a custom role.
  • To give a group of system administrators the same access to Inventory groups A, B, and C, create a single custom role and assign permissions to those three Inventory groups. However, if you want to give different users access to different Inventory groups, create a separate custom role for each Inventory group.

3.2.1.2. Assigning custom roles

To assign custom roles to a user or group of users, create a User Access group. The users inside a group receive the roles assigned to that group.

  1. At the top right of the screen, click the Settings icon (⚙), and then click User Access.
  2. In the left navigation menu, click User Access > Groups.
  3. Click Create group. The Create group wizard displays the Name and description page.
  4. Add a group name. If desired, add a description for the group.
  5. Click Next. The Add roles page displays.
  6. Select the custom role you created, and then click Next. The Add members page displays.
  7. Select the users to whom you want to assign the custom role.
  8. Click Next. The Add service accounts page appears.
  9. Optional. If you want to assign a service account or accounts to the selected users, select one or more service accounts from the list.
  10. Click Next. Review the details of your selections and click Submit.

Repeat this procedure for each custom role that you want to assign to one or more users.

3.2.1.3. Configuring user access

After you create and assign a custom role, all users in your organization still have full access to inventory, because they still have the Inventory Hosts Administrator role assigned. This role allows any user to view and edit all hosts. The Default access group assigns this role to all users in your organization by default.

To limit organization users' access to only the Inventory groups and systems defined in your custom roles, edit the Default access group to remove the Inventory Hosts Administrator role.

  1. At the top right of the screen, click the Settings icon (⚙), and then click User Access.
  2. In the left navigation menu, click User Access > Groups. The list of User access groups displays.
  3. Click the Default access group. The list of roles displays.
  4. Select the checkbox for the Inventory Hosts Administrator role.
  5. Click the options icon (⋮) at the far right of the row. The Remove role option appears.
  6. Click Remove role. The Remove role dialog box appears.
  7. Click the Remove role button. If you have never edited the Default access group before, a warning message displays.
  8. Select the I understand, and I want to continue checkbox, and then click Continue.
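The following Python model is an added example, not Red Hat's code: it reproduces the evaluation rules this chapter describes (permissions are the union of every role in every User Access group a user belongs to, custom roles are scoped to named Inventory groups, and Ungrouped systems is a pseudo-group) to show why a custom role restricts nothing until the Inventory Hosts Administrator role leaves the Default access group. The users, group names and the simplified evaluation logic are constructed assumptions.

```python
"""Constructed model of how User Access groups, roles and Inventory group scopes
combine into effective inventory permissions (added example, not Red Hat's code;
the console's real evaluation is assumed to follow the rules in this chapter)."""
from dataclasses import dataclass

ALL = "*"                        # predefined roles apply to the whole inventory
UNGROUPED = "Ungrouped systems"  # pseudo Inventory group for systems in no group
INVENTORY_PERMS = ("inventory:groups:read", "inventory:groups:write",
                   "inventory:hosts:read", "inventory:hosts:write")


@dataclass
class Role:
    name: str
    perms: dict  # permission -> set of Inventory group names it is scoped to


@dataclass
class AccessGroup:
    name: str
    roles: list
    members: set


def effective_perms(user, access_groups):
    """Union of each role's scoped permissions over every group the user is in."""
    eff = {}
    for group in access_groups:
        if user not in group.members:
            continue
        for role in group.roles:
            for perm, scopes in role.perms.items():
                eff.setdefault(perm, set()).update(scopes)
    return eff


def allowed(user, access_groups, perm, inv_group):
    """inv_group is the system's Inventory group, or None for an ungrouped system."""
    scopes = effective_perms(user, access_groups).get(perm, set())
    target = UNGROUPED if inv_group is None else inv_group
    return ALL in scopes or target in scopes


# Predefined role that the Default access group grants to every user.
HOSTS_ADMIN = Role("Inventory Hosts Administrator",
                   {"inventory:hosts:read": {ALL}, "inventory:hosts:write": {ALL}})
# Custom role from the chapter: all four permissions, scoped to one Inventory group.
TEAM_A_ROLE = Role("IT team A - Role",
                   {p: {"IT team A - Systems"} for p in INVENTORY_PERMS})


def build_groups(default_has_hosts_admin):
    """Constructed organization: alice is on IT team A, bob has no custom role."""
    default = AccessGroup("Default access",
                          [HOSTS_ADMIN] if default_has_hosts_admin else [],
                          {"alice", "bob"})
    team_a = AccessGroup("IT team A - user group", [TEAM_A_ROLE], {"alice"})
    return [default, team_a]


def team_a_can_read_team_b(default_has_hosts_admin):
    """Can alice read a system that belongs to the other team's Inventory group?"""
    return allowed("alice", build_groups(default_has_hosts_admin),
                   "inventory:hosts:read", "IT team B - Systems")


if __name__ == "__main__":
    # The custom role only takes effect once the predefined role is removed.
    print("role still in Default access:", team_a_can_read_team_b(True))
    print("role removed:", team_a_can_read_team_b(False))
```

Because alice's custom role never selected Ungrouped systems, `allowed("alice", build_groups(False), "inventory:hosts:read", None)` is also False, matching the note in Adjustment considerations.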

3.2.1.4. Configuring Inventory Hosts Administrator access

After you edit the Default access group, you might want to create a new User Access group for the users who should have Inventory Hosts Administrator permissions.

  1. At the top right of the screen, click the Settings icon (⚙), and then click User Access.
  2. In the left navigation menu, click User Access > Groups. The list of User Access groups displays.
  3. Click Create group. The Create Group wizard appears.
  4. Add a name for the group. If desired, add a description.
  5. Click Next. The Add roles page displays.
  6. Select the Inventory Hosts Administrator role from the list of roles.
  7. Click Next. The Add members page displays.
  8. Select the users to whom you want to assign the role.
  9. Click Next. The Add service accounts page appears.
  10. Optional. If you want to assign a service account or accounts to the selected users, select one or more service accounts from the list.
  11. Click Next. The Review details page displays.
  12. Review the details of your selections, and click Submit.

After you have finished configuring access, specific users within your organization have full inventory access, and others have limited inventory access.

3.3. User scenarios

This section contains two example scenarios that illustrate the features of Inventory groups. These scenarios follow a procedure format, so that you can follow the required steps and test them, if desired.

3.3.1. Scenario 1: Two different IT teams must manage their systems with Insights

In this scenario, two different IT teams working for the same company share the same Insights organization within their Red Hat account.

  • Each IT team must have complete control of their systems in the Red Hat Hybrid Cloud Console, but should not be able to see or modify the systems belonging to the other team.
  • All users within the same team have the same level of access on both their Inventory groups and their systems. Access levels can be adjusted as needed.
  • Regular users of both IT teams will not be able to see or modify systems that are not part of any Inventory groups.
  • Organization administrators, or anyone with Inventory group administrator and Inventory Hosts administrator roles, have access to the entire inventory. Any other users without those roles cannot access the entire inventory.

3.3.1.1. Initial phase

By default, organization administrators (who are members of the Default administrator access group) on the Red Hat Hybrid Cloud Console always have read/write access to all Inventory groups and read/write access to all systems, regardless of how permissions are defined for the Inventory group objects and systems assigned to them.

These users are the only ones who may configure user access for Inventory groups. If any regular users need to manage user access, the administrators can grant them Inventory group admin and Inventory Hosts admin roles separately.

By default, users who are not Organization administrators are assigned the Inventory Hosts Administrator role from the Default access group. The Default access group gives these users inventory:hosts:read and inventory:hosts:write access across the entire inventory. Those permissions grant read and write permissions on all systems and all Inventory groups.

Note

For more information about the Default access group, see The Default access group.

3.3.1.2. Restricting access

Prerequisites

  • You are a member of the Default administrator access group.

Step 1: Create the Inventory groups

First, create two separate Inventory groups. (This example shows two Inventory groups, but you can create as many as you need.)

  • Inventory group 1: IT team A - Systems
  • Inventory group 2: IT team B - Systems

Step 2: Add systems to Inventory groups

Now that the Inventory groups have been created, add systems to them. Click in each Inventory group and select Add systems.

At this stage, all the users still have access to all systems, regardless of the Inventory groups they are in. This is because they still have the Inventory hosts administrator role, which allows them to see all systems, whether or not they are grouped into Inventory groups.

Step 3: Create custom roles

To customize access for different Inventory groups, create custom roles for those Inventory groups. To create a custom role, navigate to User Access > Roles, and click Create role. A wizard opens. Name your role (for example, IT team A - Role), and click Next.

Step 3a: Select permissions to add to the custom role

The wizard displays the Add permissions step. This step contains four inventory permissions options. Select them depending on the level of access you want to grant.

For full access to the Inventory group and its systems, select:

  • inventory:groups:read
  • inventory:groups:write
  • inventory:hosts:read
  • inventory:hosts:write

After selecting permissions, click Next. You can adjust the permissions as needed.

Step 3b: Assign permissions to selected Inventory groups

In this step, choose the Inventory group(s) to which you want to grant permission. This example shows how to select the Inventory group that corresponds to the current role. For example, create the role IT team A - Role, and specify the Inventory group IT team A - Systems for each permission.

Review the details and click Submit.

Repeat the steps in this section to create a second custom role called IT team B - Role and select the IT team B - Systems Inventory group.

Note

You can grant access to systems that are not part of any Inventory group to one or both IT teams. To add those systems, add the Ungrouped systems that appear in the Group definition of the host permissions to your custom role.

Step 4: Create User Access groups to assign custom roles to users

Now that the custom roles are created, create User Access groups to assign the custom roles to users.

To create a new group, navigate to User Access > Groups and click Create group. Name the group, select the newly created role, and select the users to whom you want to give the role.

For example, the two IT teams end up with the following User Access groups and roles:

  • IT team A - user group, assigned the IT team A - Role
  • IT team B - user group, assigned the IT team B - Role


Step 5: Remove Inventory Hosts Admin role from the Default Access group

At this stage, despite all the steps taken above, all users still have access to all systems, regardless of the Inventory groups they are in. This is because they still have the Inventory Hosts Administrator role, which allows them to see all systems, whether or not they are grouped into Inventory groups.

To limit access to systems, navigate to User Access > Groups and select the Default Access group. Remove the Inventory Hosts Administrator role from this group.

If the users are also members of additional User Access Groups, make sure to review and remove the Inventory Hosts Administrator role from those groups as needed.

Once the role has been removed, the User Access controls behave as expected: Users given custom roles to limit their views to certain Inventory groups and systems only see those Inventory groups and systems.

3.3.1.3. Adjustment considerations

  • If you have more than two IT groups, you can create as many custom roles and user groups as you need.
  • If you are trying to grant the same people the same access to multiple Inventory groups, you can select more than one Inventory group to grant permissions within the same custom role.
  • You can grant access to systems that are not part of any Inventory group. Add the Ungrouped systems in the Group definition of the host permissions to the custom role.
  • Remember that as long as the Inventory Hosts Administrator role is still in the Default access group, all users who have that role still have access to everything.
  • If you do not select Ungrouped systems in your custom roles, users with those roles will not be able to see any ungrouped systems once you remove the inventory hosts administrator permission from the Default access group.

3.3.2. Scenario 2: Access to ungrouped systems

In this example, an admin wants to give a group of users access to ungrouped systems, but not to grouped systems.

Step 1: Create a custom role

  1. Navigate to User Access > Roles and click Create role. The Create Role wizard displays.
  2. Set the role name and description and click Next.
  3. Add the inventory:hosts permissions and click Next.

Configure both of the permissions to apply to the Group definition named Ungrouped systems. Click Next.

Review the details of the role and click Submit.

Step 2: Add the custom role to an RBAC group

  1. Once you create the custom role, navigate to User Access > Groups and click Create Group to create a User Access (RBAC) group.
  2. Name the group, select the new custom role, and select the users to whom you want to assign this role.
Note

These steps only work when the users do not have the inventory hosts admin role assigned from the Default Access group. To check this, navigate to User Access > Groups and click on the Default Access group at the top. If that role is in the group, remove it, because that role gives users access to the whole inventory - including both ungrouped and grouped systems.

After you remove the role, the selected set of users only has access to ungrouped systems in your inventory.

3.3.3. Known limitations

  • Users who are Organization Administrators (members of the Default admin access group) will always have full access to systems and Inventory groups.
  • A user without permission on the system will not be able to add it to a Remediation. However, if an existing Remediation with active systems was created in the past, the user will still be able to run it, even if the permissions have been removed on that system for the current user.
Note

Before enabling Inventory groups in your organization, review your Notifications configuration to ensure that only appropriate groups of users are configured to receive Email notifications. If you do not review your Notifications configuration, users might receive alerts triggered by systems outside of their Inventory group permission scope.

© 2024 Red Hat, Inc.