Managing Automation Controller Access with Teams

Objectives

  • Create new teams in the automation controller web user interface, assign users to them, and explain the different roles that can be assigned to users.

Teams in Automation Controller

Teams are groups of users. Teams make managing roles on automation controller objects, such as inventories, projects, and job templates, more efficient than managing roles for each user separately. Automation controller administrators can assign roles to teams. All team members inherit the roles assigned to that team.

This means that you do not have to assign the same roles to multiple, individual users.

In automation controller, users exist as objects at an automation controller-wide level. Therefore, a user can have roles in multiple organizations.

By contrast, a team belongs to exactly one organization. However, an admin user can assign the team roles on resources that belong to other organizations.

You can assign organization roles to teams.

Creating Teams

Use the following procedure to create teams within each organization:

  • Log in to the automation controller web UI as the admin user or as a user assigned the Admin role for the organization in which you intend to create the new team.

  • Navigate to Access → Teams and then click Add.

  • Enter a name for the new team in the Name field.

  • If desired, enter a description in the Description field.

  • In the Organization field, choose the Default organization, or click the search icon to select a different organization.

  • Click Save.

Team Roles

You can assign roles to users for a particular team. These roles control whether the user can manage the team, or can only view team membership.

You can assign multiple team roles to users. These roles are described in the following sections.

The Member Role

Users with the team Member role inherit the roles on automation controller resources that are granted to the team. The Member role also grants users the ability to view the team’s users and associated team roles.

The Admin Role

The Admin team role grants users full control of the team. Users with this team role can manage the team’s users and their associated team roles. Users with Admin team roles can also manage the team’s roles on resources for which the team has been assigned the Admin role.

Users with Admin team roles can only manage the team’s roles on a resource when the resource also grants the Admin team role on itself. Being able to manage team membership does not imply that the team Admin has any rights to manage roles on objects to which the team has access.

For example, for a user to grant a team the Use role for a project, the user must have the Admin role for both the team and the project.

The Read Role

The Read team role gives users the ability to view the team’s users and their associated team roles. A user assigned a Read team role does not inherit roles that the team has been granted on automation controller resources.

Note

In practice, most organizations do not use team roles other than Member. Instead, team membership is managed through an external authentication source, or the Organization Administrator and System Administrator roles are used for administrative purposes and System Auditor for auditing requirements instead of Read on individual teams.

Adding Users to a Team and Assigning Team Roles

After you have created a team, you can add users to that team. Add users to a team by assigning one or more team roles using the following procedure:

  • Log in to the automation controller web UI as the admin user or as a user assigned the Admin role for the organization to which the team belongs.

  • Navigate to Access → Teams and then click the link for the name of a team.

  • Click the Access tab and then click Add.

  • Select Users and then click Next.

  • Select each user that you want to manage together. You can add the same set of team roles to one or more users. If you want to assign distinct team roles for each user, then only select one user at a time.

  • Select each team role that you want to assign.

  • Click Save.

Associating a User with a Team

You can also assign the Member role to a user by associating the user with a team. This process is the equivalent of adding a user to a team and assigning the Member role to the user.

  • Log in to the automation controller web UI as the admin user or as a user assigned the Admin role for the organization to which the team belongs.

  • Navigate to Access → Users and then click the link for the name of a user.

  • Click the Teams tab. Associating a user with a team adds the team Member role. Disassociating a user from a team removes the team Member role.

    Figure 2.4: Team membership for a user

  • Click Associate.

  • Assign team membership by selecting a team name and then click Save.

    Figure 2.5: Assign team membership

Organization Roles

As previously stated, many roles provide access to an organization and multiple roles can be assigned to users and teams.

The following organization roles can be assigned to both users and teams.

Execute

A user with the Execute role has permission to execute job templates and workflow job templates belonging to the organization.

Admin

A user with the Admin role has full administrative control over the organization and its objects.

Project Admin

A user with the Project Admin role can create, read, update and delete any project in the organization. In conjunction with the Inventory Admin permission, this allows users to create job templates.

Inventory Admin

A user with the Inventory Admin role can create, read, update and delete any inventory in the organization. In conjunction with the Job Template Admin and Project Admin roles, this allows the user full control over job templates within the organization.

Credential Admin

A user with the Credential Admin role can manage all credentials of the organization.

Workflow Admin

A user with the Workflow Admin role can manage all workflows of the organization.

Notification Admin

A user with the Notification Admin role can manage all notifications belonging to the organization.

Job Template Admin

A user with the Job Template Admin role can make changes to nonsensitive fields within job templates. To make changes to fields that impact job runs, the user also needs the Admin role on the job template, the Use role on the related project, and the Use role on the related inventory.

Execution Environment Admin

A user with the Execution Environment Admin role can manage all execution environments of the organization.

Auditor

When assigned the Auditor role on an organization, a user gains read-only access to the organization.

Read

When assigned the Read role on an organization, a user gains read permission to the organization only. The organization Read role only provides a user with the ability to view the list of users who are members of the organization and their assigned organization roles. Unlike the organization Admin and Auditor roles, the Read role does not inherit roles on any of the resources that the organization contains, such as teams, credentials, projects, inventories, job templates, workflow job templates, and notifications.

The organization object cannot be assigned roles on automation controller resources. Therefore, a user who has the Member role on an organization only has access to the organization object and inherits no other permissions as a result of this role. Consequently, a user who has the Member role on an organization is the equivalent of a user who has the Read role on an organization.

Approve

A user with the Approve role can approve or deny a workflow approval node.

Managing Organization Roles

Use the following procedure to manage access to an organization:

  • Log in to the automation controller web UI as admin or any user with the Admin role on the organization being modified.

  • Navigate to Access → Organizations and then click the name of the organization.

  • Click the Access tab.

The Access page displays a list of users who have been granted roles for the organization. Roles are categorized as User Roles if they were assigned to an individual user or as Team Roles if they were assigned to a team.

To remove an existing role for a user, find the user’s row and then click the X in the role name box. Removing a team role removes the role from all team members, not just from an individual user.

Use the following procedure to assign organization roles to users and teams:

  • Click Add.

  • Choose either Users or Teams and then click Next. You cannot assign roles to both users and teams at the same time.

  • Select each user or team that you want to manage together. You can add the same set of roles to one or more users or teams. If you want to assign distinct roles for each user or team, then only select one user or team at a time.

  • Select each role that you want to assign.

  • Click Save.
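
The team creation, membership, and role assignment procedures in this section can also be kept as reviewable code, so that every grant is recorded in version control. The following playbook is an added example, not part of the original course material. It assumes that the ansible.controller collection is installed, that the users and the project already exist, and that CONTROLLER_HOST and CONTROLLER_OAUTH_TOKEN are set for an account that has the Admin role on the organization; the team, user, and project names are constructed placeholders.

```yaml
---
# Added example. Developers, daniel, david and demo-project are constructed
# placeholder names; replace them with objects that exist on your controller.
- name: Manage a team and its roles as code
  hosts: localhost
  connection: local
  gather_facts: false
  # The modules read CONTROLLER_HOST and CONTROLLER_OAUTH_TOKEN from the
  # environment, so no credentials are stored in the playbook.
  vars:
    team_name: Developers
    team_org: Default
    team_members:
      - daniel
      - david
  tasks:
    - name: Create the team in exactly one organization
      ansible.controller.team:
        name: "{{ team_name }}"
        description: Application developers
        organization: "{{ team_org }}"
        state: present

    # Member is the team role that lets users inherit the team's resource roles.
    - name: Give each user the team Member role
      ansible.controller.role:
        user: "{{ item }}"
        target_team: "{{ team_name }}"
        role: member
        state: present
      loop: "{{ team_members }}"

    - name: Grant the team the organization Execute role
      ansible.controller.role:
        team: "{{ team_name }}"
        organization: "{{ team_org }}"
        role: execute
        state: present

    # Granting this requires the Admin role on both the team and the project.
    - name: Grant the team the Use role on a project
      ansible.controller.role:
        team: "{{ team_name }}"
        project: demo-project
        role: use
        state: present
```

Setting state to absent on a role task removes that grant, which for a team role affects every team member.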

References

For more information about teams, refer to the Automation Controller User Guide at https://docs.ansible.com/automation-controller/latest/html/userguide/teams.html

For more information about organizations, refer to the Automation Controller User Guide at https://docs.ansible.com/automation-controller/latest/html/userguide/organizations.html

Revision: do467-2.2-08877c1