Chapter 10. Creating and managing roles


Roles define a set of permissions and access levels. Each role contains one or more permission filters that specify the actions allowed for the role. Actions are grouped according to the Resource type. Once a role has been created, users and user groups can be associated with that role. This way, you can assign the same set of permissions to large groups of users.

10.1. Creating a role by using Satellite web UI

Use this procedure to create a role by using Satellite web UI.

Procedure

  1. In the Satellite web UI, navigate to Administer > Roles.
  2. Click Create Role.
  3. Provide a Name for the role.
  4. Click Submit to save your new role.

Next steps

  • Add permissions to the role. To serve its purpose, a role must contain permissions.

10.2. Creating a role by using Hammer CLI

Use this procedure to create a role by using Hammer CLI.

Procedure

  • Create a role:

    $ hammer role create --name My_Role_Name

Next steps

  • Add permissions to the role. To serve its purpose, a role must contain permissions.

10.3. Cloning a role

Use the Satellite web UI to clone a role.

Procedure

  1. In the Satellite web UI, navigate to Administer > Roles and select Clone from the drop-down menu to the right of the required role.
  2. Provide a Name for the role.
  3. Click Submit to clone the role.
  4. Click the name of the cloned role and navigate to Filters.
  5. Edit the permissions as required.
  6. Click Submit to save your new role.

Example 10.1. Creating an organization-specific manager role

Use the Satellite web UI to create an administrative role restricted to a single organization named org-1.

  1. In the Satellite web UI, navigate to Administer > Roles.
  2. Clone the existing Organization admin role. Select Clone from the drop-down list next to the Filters button. You are then prompted to insert a name for the cloned role, for example org-1 admin.
  3. Click the desired locations and organizations to associate them with the role.
  4. Click Submit to create the role.
  5. Click org-1 admin, and click Filters to view all associated filters. The default filters work for most use cases. However, you can optionally click Edit to change the properties for each filter. For some filters, you can enable the Override option if you want the role to be able to access resources in additional locations and organizations. For example, by selecting the Domain resource type, the Override option, and then additional locations and organizations using the Locations and Organizations tabs, you allow this role to access domains in the additional locations and organizations that are not associated with this role. You can also click New filter to associate new filters with this role.

Use this procedure to add permissions to a role by using Satellite web UI.

Procedure

  1. In the Satellite web UI, navigate to Administer > Roles.
  2. Select Add Filter from the drop-down list to the right of the required role.
  3. Select the Resource type from the drop-down list. The (Miscellaneous) group gathers permissions that are not associated with any resource group.
  4. Click the permissions you want to select from the Permission list.
  5. Depending on the Resource type selected, you can select or deselect the Unlimited and Override checkboxes. The Unlimited checkbox is selected by default, which means that the permission is applied to all resources of the selected type. When you deselect the Unlimited checkbox, the Search field activates. In this field, you can specify further filtering by using the Satellite search syntax. For more information, see Section 10.10, “Granular permission filtering”. When you enable the Override checkbox, you can add locations and organizations to allow the role to access the resource type in those additional locations and organizations; you can also remove an already associated location and organization from the resource type to restrict access.
  6. Click Next.
  7. Click Submit to save changes.

Use this procedure to add permissions to a role by using Hammer CLI.

Procedure

  1. List all available permissions:

    $ hammer filter available-permissions
  2. Add permissions to a role:

    $ hammer filter create \
    --permission-ids My_Permission_ID_1,My_Permission_ID_2 \
    --role My_Role_Name

    For more information about roles and permissions parameters, enter the hammer role --help and hammer filter --help commands.

10.6. Viewing permissions of a role

Use the Satellite web UI to view the permissions of a role.

Procedure

  1. In the Satellite web UI, navigate to Administer > Roles.
  2. Click Filters to the right of the required role to get to the Filters page.

    The Filters page contains a table of permissions assigned to a role grouped by the resource type. It is also possible to generate a complete table of permissions and actions that you can use on your Satellite system. For more information, see Section 10.7, “Creating a complete permission table”.

10.7. Creating a complete permission table

Use the Satellite CLI to create a permission table.

Procedure

  1. Start the Satellite console:

    # foreman-rake console
  2. Insert the following code into the console:

    # Open the output file for writing
    f = File.open('/tmp/table.html', 'w')

    # Build one table row per permission: name, list of actions, resource type
    result = Foreman::AccessControl.permissions {|a,b| a.security_block <=> b.security_block}.collect do |p|
          actions = p.actions.collect { |a| "<li>#{a}</li>" }
          "<tr><td>#{p.name}</td><td><ul>#{actions.join('')}</ul></td><td>#{p.resource_type}</td></tr>"
    end.join("\n")

    f.write(result)
    # Close the file so that the rows are flushed to disk
    f.close

    The above syntax creates a table of permissions and saves it to the /tmp/table.html file.

  3. Press Ctrl + D to exit the Satellite console.
  4. Insert the following text at the first line of /tmp/table.html:

    <table border="1"><tr><td>Permission name</td><td>Actions</td><td>Resource type</td></tr>
  5. Append the following text at the end of /tmp/table.html:

    </table>
  6. Open /tmp/table.html in a web browser to view the table.
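
The procedure above as a single step, shown as an added example that is not part of the Satellite documentation or code: it emits the header row and closing tag itself, HTML-escapes every cell, and refuses to write over an existing file. The Perm struct and the sample rows are constructed for illustration; in the Satellite console you would pass Foreman::AccessControl.permissions instead.

```ruby
require 'erb'

# Constructed sample rows standing in for Foreman::AccessControl.permissions.
# The two demo rows are made up: one has no resource type, one needs escaping.
Perm = Struct.new(:name, :actions, :resource_type)
SAMPLE_PERMISSIONS = [
  Perm.new(:view_hosts, ['hosts/index', 'hosts/show'], 'Host'),
  Perm.new(:view_domains, ['domains/index'], 'Domain'),
  Perm.new(:demo_misc_permission, ['demo/index'], nil),
  Perm.new('demo_<b>', ['demo/<script>'], 'Demo')
].freeze

HEADER = '<table border="1"><tr><td>Permission name</td>' \
         '<td>Actions</td><td>Resource type</td></tr>'

def esc(value)
  ERB::Util.html_escape(value.to_s)
end

# One table row; permissions without a resource type go to "(Miscellaneous)".
def permission_row(perm)
  actions = perm.actions.map { |a| "<li>#{esc(a)}</li>" }.join
  type = perm.resource_type || '(Miscellaneous)'
  "<tr><td>#{esc(perm.name)}</td><td><ul>#{actions}</ul></td><td>#{esc(type)}</td></tr>"
end

# Complete document: header, rows sorted by resource type then name, closing tag.
def permission_table_html(perms)
  rows = perms.sort_by { |p| [p.resource_type.to_s, p.name.to_s] }
              .map { |p| permission_row(p) }
  ([HEADER] + rows + ['</table>']).join("\n") + "\n"
end

# EXCL refuses to write through a file or symlink that already exists at the
# path, and mode 0600 keeps the report readable by its owner only.
def write_permission_table(perms, path)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(permission_table_html(perms))
  end
end

puts permission_table_html(SAMPLE_PERMISSIONS) if __FILE__ == $PROGRAM_NAME
```
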

10.8. Removing a role

Use the following procedure to remove a role from Satellite.

Procedure

  1. In the Satellite web UI, navigate to Administer > Roles.
  2. Select Delete from the drop-down list to the right of the role to be deleted.
  3. Click Confirm to delete the role.

10.9. Predefined roles available in Satellite

The following table provides an overview of permissions that predefined roles in Satellite grant to a user.

For a complete set of predefined roles and the permissions they grant, log in to Satellite web UI as the privileged user and navigate to Administer > Roles. For more information, see Section 10.6, “Viewing permissions of a role”.

| Predefined role | Permissions the role provides | Additional information |
|---|---|---|
| Auditor | View the Audit log. | |
| Default role | View tasks and job invocations. | Satellite automatically assigns this role to every user in the system. |
| Manager | View and edit global settings. | |
| Organization admin | All permissions except permissions for managing organizations. | An administrator role defined per organization. The role has no visibility into resources in other organizations. By cloning this role and assigning an organization, you can delegate administration of that organization to a user. |
| Site manager | View permissions for various items. Permissions to manage hosts in the infrastructure. | A restrained version of the Manager role. |
| System admin | Edit global settings in Administer > Settings. View, create, edit, and destroy users, user groups, and roles. View, create, edit, destroy, and assign organizations and locations but not view resources within them. | Users with this role can create users and assign all roles to them. Give this role only to trusted users. |
| Viewer | View the configuration of every element of the Satellite structure, logs, reports, and statistics. | |

10.10. Granular permission filtering

Red Hat Satellite provides the ability to limit the configured user permissions to selected instances of a resource type. These granular filters are queries to the Satellite database and are supported by the majority of resource types.

Use this procedure to create a granular permission filter from the Satellite web UI.

Satellite does not apply search conditions to create actions. For example, limiting the create_locations action with the expression name = "Default Location" in the Search field does not prevent the user from assigning a custom name to the newly created location.

Procedure

  1. Specify a query in the Search field on the Edit Filter page. Deselect the Unlimited checkbox for the field to be active. Queries have the following form:

    field_name operator value
    • field_name marks the field to be queried. The range of available field names depends on the resource type. For example, the Partition Table resource type offers family, layout, and name as query parameters.
    • operator specifies the type of comparison between field_name and value. See Section 10.10.4, “Supported operators for granular search” for an overview of applicable operators.
    • value is the value used for filtering, for example, the name of an organization. Two types of wildcard characters are supported: underscore (_) provides single character replacement, while percent sign (%) replaces zero or more characters.

      Note

      For most resource types, the Search field provides a drop-down list suggesting the available parameters. This list appears after placing the cursor in the search field. For many resource types, you can combine queries by using logical operators such as and, not, and has.

Use this procedure to create a granular permission filter by using Hammer CLI.

Satellite does not apply search conditions to create actions. For example, limiting the create_locations action with the expression name = "Default Location" in the Search field does not prevent the user from assigning a custom name to the newly created location.

Procedure

  • To create a granular filter, enter the hammer filter create command with the --search option to limit permission filters, for example:

    $ hammer filter create \
    --permission-ids 91 \
    --search "name ~ ccv*" \
    --role qa-user

    This command adds to the qa-user role a permission to view, create, edit, and destroy content views that only applies to content views with name starting with ccv.
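
The caveat above (search conditions are not applied to create actions), together with the Unlimited and Override settings, expressed as a review check over the filters of a role. This is an added example, not Satellite code; the hash layout and the sample filters are constructed for illustration.

```ruby
# Constructed sample: the filters of one role as plain hashes. The key names
# are an assumption of this example, not the output format of any Satellite tool.
SAMPLE_FILTERS = [
  { id: 1, resource_type: 'Location', override: false,
    search: 'name = "Default Location"',
    permissions: %w[view_locations create_locations] },
  { id: 2, resource_type: 'Host', override: false,
    search: 'hostgroup = host-editors',
    permissions: %w[view_hosts edit_hosts] },
  { id: 3, resource_type: 'Domain', override: true,
    search: nil,
    permissions: %w[view_domains] }
].freeze

# Returns [filter_id, finding] pairs for settings that grant more than a quick
# look at the Search field suggests.
def audit_filters(filters)
  filters.flat_map do |f|
    findings = []
    limited = !f[:search].to_s.strip.empty?
    creates = f[:permissions].select { |p| p.start_with?('create_') }
    # A search expression does not constrain create actions.
    if limited && creates.any?
      findings << "search is not applied to #{creates.join(', ')}"
    end
    # No search expression means the filter is Unlimited.
    findings << 'unlimited: applies to every resource of this type' unless limited
    # Override gives the filter its own locations and organizations.
    findings << "override: check the filter's own locations and organizations" if f[:override]
    findings.map { |msg| [f[:id], msg] }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_filters(SAMPLE_FILTERS).each { |id, msg| puts "filter #{id}: #{msg}" }
end
```
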

As an administrator, you can allow selected users to make changes in a certain part of the environment path. For example, you can allow users to work with content while it is in the development stage of the application lifecycle, but not once the content is pushed to production.

The following query applies any permissions specified for the Host resource type only to hosts in the group named host-editors:

hostgroup = host-editors

The following query returns records where the name matches XXXX, Yyyy, or zzzz example strings:

name ^ (XXXX, Yyyy, zzzz)

You can also limit permissions to a selected environment. To do so, specify the environment name in the Search field, for example:

Dev

You can limit user permissions to a certain organization or location with the use of the granular permission filter in the Search field. However, some resource types provide a GUI alternative, an Override checkbox that provides the Locations and Organizations tabs. On these tabs, you can select from the list of available organizations and locations. For more information, see Section 10.3, “Cloning a role”.

10.10.4. Supported operators for granular search

You can use logical and symbolic operators to build precise search queries when limiting user permissions.

Table 10.1. Logical operators

| Operator | Description |
|---|---|
| and | Combines search criteria. |
| not | Negates an expression. |
| has | Object must have a specified property. |

Table 10.2. Symbolic operators

| Operator | Description |
|---|---|
| = | Is equal to. An equality comparison that is case-sensitive for text fields. |
| != | Is not equal to. An inversion of the = operator. |
| ~ | Like. A case-insensitive occurrence search for text fields. |
| !~ | Not like. An inversion of the ~ operator. |
| ^ | In. An equality comparison that is case-sensitive for text fields. This generates a different SQL query to the Is equal to comparison, and is more efficient for multiple value comparison. |
| !^ | Not in. An inversion of the ^ operator. |
| >, >= | Greater than, greater than or equal to. Supported for numerical fields only. |
| <, <= | Less than, less than or equal to. Supported for numerical fields only. |
