Chapter 2.  Managing User Access

Abstract

Goal

Create user accounts and organize them into teams and groups in automation controller and private automation hub, respectively, and assign them permissions to administer and access resources in each service.

Objectives
  • Create new users in the web UI, and explain the different types of user in automation controller.

  • Create new teams in the automation controller web user interface, assign users to them, and explain the different roles that can be assigned to users.

  • Create and manage users and groups for private automation hub through its web UI and configure access permissions for users by using groups.

Sections
  • Creating and Managing Automation Controller Users (and Guided Exercise)

  • Managing Automation Controller Access with Teams (and Guided Exercise)

  • Creating and Managing Users and Groups for Private Automation Hub (and Guided Exercise)

Lab
  • Managing User Access

Creating and Managing Automation Controller Users

Objectives

  • Create new users in the web UI, and explain the different types of user in automation controller.

Role-based Access Controls

Different people using an automation controller installation require different levels of access. Some might need to run existing job templates against a preconfigured inventory of machines. Others need to be able to modify particular inventories, job templates, and playbooks, or need access to change anything in the automation controller installation.

The automation controller interface has a built-in administrative user, admin, which has superuser access to the entire automation controller configuration. Setting up user accounts for each person makes it easier to manage individual access to inventories, credentials, projects, and job templates.

Users are assigned roles, which in turn grant permissions. These permissions specify who can view, change, or delete an object in automation controller. Role-based Access Controls (RBAC) manage roles. To manage roles collectively, grant them to a team. A team is a collection of users. All users in a team inherit the team’s roles.

Roles determine whether users and teams can view, use, change, or delete objects, such as inventories and projects.

Automation Controller Organizations

An automation controller organization is a logical collection of teams, projects, and inventories. All users must belong to an organization.

One of the benefits of implementing an automation controller server is sharing Ansible content, including Ansible Content Collections, roles, and automation execution environments, across departmental or functional boundaries within an enterprise. For example, an operations group of an organization might already have a custom automation execution environment for provisioning production versions of web, database, and application servers. The developers group can use the same environment to provision servers for their development environment. Automation controller makes it easier for different users and groups to use existing content collections, roles, and automation execution environments.

For large deployments, however, it can be useful to categorize large numbers of users, teams, projects, and inventories under one umbrella organization. Certain departments might not deploy to specific inventories of hosts, or run certain playbooks. By using organizations, you can configure a collection of users and teams to work with only those automation controller resources that they are expected to use.

The automation controller installation process creates a Default organization. You can create additional organizations in the web UI using the following procedure:

  • Log in to the automation controller web UI as the admin user.

  • Navigate to Access → Organizations and then click Add.

  • Enter a name for the new organization and, if desired, complete the optional fields.

    • Use the Max Hosts field to restrict the number of hosts that the organization can manage.

    • Use the Execution Environment field to specify a fallback automation execution environment if a project or job template does not explicitly specify an automation execution environment.

    • Use the Galaxy Credentials field to specify credentials that can pull roles and content collections from Ansible Galaxy, automation hub, or a private automation hub.

  • Click Save.

    Figure 2.1: Creating a new organization

Types of Users

By default, the automation controller installer creates an admin user account with full control of the automation controller installation. You can use this account to log in to the web UI and create additional users.

The three user types in automation controller are System Administrator, System Auditor, and Normal User.

System Administrator

The System Administrator user type (also known as superuser) provides unrestricted access to perform any action within the entire automation controller installation. System Administrator is a special role, which has read/write permission on all objects in all organizations on the automation controller.

The admin user created by the installer also has the System Administrator single role and should therefore only be used by the automation controller administrator.

System Auditor

The System Auditor user type also has a special single role, which has read-only access to the entire automation controller installation.

Normal User

The Normal User is the standard user type. It initially has no special roles assigned and starts with minimal access. It is not assigned any single roles and is only assigned roles associated with the organization of which the user is a member.

Creating Users

Use the following procedure to create new users:

  • Navigate to https://controller.lab.example.com and log in as the admin user with redhat as the password.

  • Navigate to Access → Users and then click Add.

  • Complete the First Name, Last Name, and Email fields.

  • Specify a unique username in the Username field.

  • Enter a password in the Password and Confirm Password fields.

  • Select a User Type and Organization. By default, new users are assigned the Normal User user type and belong to the Default organization.

  • Click Save.

    Figure 2.2: Creating a new user

Editing Users

To modify user details, use the same fields you used to create the user.

  • Navigate to Access → Users and then click the Edit User icon for the user that you wish to edit.

  • Make the changes to any of the desired fields.

  • Click Save to finish.

Organization Roles

Users inherit specific roles from their organization based on their user type. You can assign additional roles to grant permissions to view, use, or change other automation controller objects. An organization is itself one of these objects.

Many roles provide access to an organization, and you can assign multiple roles to users and teams. The lecture on managing users efficiently with teams describes additional organization roles.

The following sections describe organization roles that are inherited based on user type.

The Admin Role

Users with the System Administrator single role inherit the Admin role on every organization within automation controller.

When assigned the Admin role on an organization, users gain the ability to manage all aspects of that organization, including reading and changing the organization, and adding and removing users and teams from the organization. A number of related administrative roles exist, with Admin in their names, that grant more limited access than the Admin role.

Teams cannot be assigned the Admin role in an organization.

The Auditor Role

Users with the System Auditor single role inherit the Auditor role on every organization within automation controller.

When assigned the Auditor role in an organization, users and teams gain read-only access to the organization.

The Member Role

When a user is created with the Normal User type, automation controller assigns that user the Member role in the selected organization. Other roles can be added later, including additional Member roles on other organizations.

When assigned the Member role in an organization, a user gains read permission to the organization. The organization Member role only provides a user the ability to view the list of users who are members of the organization and their assigned organization roles.

Unlike the organization Admin and Auditor roles, the Member role does not provide users permissions to any of the resources that the organization contains, such as teams, credentials, projects, inventories, job templates, workflow job templates, and notifications.

Teams cannot be assigned the Member role in an organization.
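To make the rules in the Types of Users and Organization Roles sections concrete, here is an added Python model (not code from the course or from automation controller) of how the three user types inherit organization roles, how a Normal User receives Member on its organization, and why a team can hold Auditor but not Admin or Member. The organization and user names are constructed sample data.

```python
from dataclasses import dataclass, field

# The three user types and the organization roles named on this page.
SUPERUSER, AUDITOR, NORMAL = "System Administrator", "System Auditor", "Normal User"
ORG_ROLES = {"Admin", "Auditor", "Member"}
USER_ONLY_ORG_ROLES = {"Admin", "Member"}   # a team cannot hold these on an organization


@dataclass
class Principal:
    """A user or a team, with the organization roles explicitly granted to it."""
    name: str
    kind: str                      # "user" or "team"
    user_type: str = NORMAL        # only meaningful for users
    grants: dict = field(default_factory=dict)   # org name -> set of role names


def grant_org_role(p: Principal, org: str, role: str) -> None:
    """Assign an organization role, refusing combinations the page rules out."""
    if role not in ORG_ROLES:
        raise ValueError(f"unknown organization role: {role}")
    if p.kind == "team" and role in USER_ONLY_ORG_ROLES:
        raise ValueError(f"teams cannot be assigned the {role} role in an organization")
    p.grants.setdefault(org, set()).add(role)


def create_user(name: str, user_type: str, organization: str) -> Principal:
    """Model the Add User form: a Normal User receives Member on its organization."""
    user = Principal(name, "user", user_type)
    if user_type == NORMAL:
        grant_org_role(user, organization, "Member")
    return user


def effective_org_roles(p: Principal, orgs: list) -> dict:
    """Roles held on each organization: explicit grants plus those inherited from user type."""
    roles = {org: set(p.grants.get(org, ())) for org in orgs}
    # System Administrator inherits Admin everywhere; System Auditor inherits Auditor everywhere.
    inherited = {SUPERUSER: "Admin", AUDITOR: "Auditor"}.get(p.user_type) if p.kind == "user" else None
    if inherited:
        for org in orgs:
            roles[org].add(inherited)
    return roles


def can_manage_org_access(p: Principal, org: str, orgs: list) -> bool:
    """Only a holder of the Admin role on the organization may edit its Access page."""
    return "Admin" in effective_org_roles(p, orgs).get(org, set())


if __name__ == "__main__":
    ORGS = ["Default", "Operations"]          # constructed sample organizations
    for who in (create_user("alice", NORMAL, "Default"), create_user("sam", SUPERUSER, "Default")):
        print(who.name, effective_org_roles(who, ORGS))
```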

Managing User Organization Roles

The roles that a user holds within an organization are managed from that organization, not from the user's own page; you cannot manage them by editing the user. To manage access to an organization, use the following procedure:

  • Log in to the automation controller web UI as admin or any user with the Admin role on the organization being modified.

  • Navigate to Access → Organizations and then click the name of the organization.

  • Click Access.

The Access page displays a list of users who have been granted roles for the organization.

To remove an existing role for a user, find the user’s row and then click the X in the role name box.

Figure 2.3: Organization roles assigned to users

To add a user to an organization, or to add additional roles to an existing user within the organization, use the following procedure:

  • Click Add.

  • Choose Users and then click Next.

  • Select each user that you wish to manage together. You can add the same set of roles to one or more users. If you want to assign distinct roles for each user, then only select one user at a time.

  • Select each role that you want to assign.

  • Click Save to assign roles to the user for the organization.

References

For more information about users, refer to the Automation Controller User Guide at https://docs.ansible.com/automation-controller/latest/html/userguide/users.html

For more information about organizations, refer to the Automation Controller User Guide at https://docs.ansible.com/automation-controller/latest/html/userguide/organizations.html

Revision: do467-2.2-08877c1