Abstract
| Goal | Maintain Red Hat Satellite for security, recoverability, and growth. |
Create users and groups, and assign roles and permissions, to securely delegate Red Hat Satellite tasks.
In Red Hat Satellite 6, a user is a unique individual who can access and use the system. Every user has a profile, which contains information such as their name, email address, and password. The locations, organizations, and roles that are assigned to a Satellite user determine which objects they can view or manipulate within Satellite Server.
To create a user, navigate to → . Click . A page loads with the , , , , , and tabs.
In the tab, specify the username, password, password verification, and selection. The field points to the service that provides user storage and authentication, such as an external LDAP server that is integrated. If you choose in the field, then the user record is created in Satellite's internal database, which also requires entering a password. All other fields are optional for the user creation and can be updated later.
The selected values in the and tabs limit the scope of which Satellite objects the user can access. Set the field to the most commonly used location and organization for that user. That default context is set each time that the user logs in. The user can switch to any other assigned location or organization after they log in.
Roles determine the Satellite resources that a user can access and manage within Satellite. A user can be assigned multiple roles, as specified in the tab in the user's profile. The special role grants a user full access and permissions to Satellite Server.
SSH public keys can be assigned to a user on the tab. These keys can be deployed on systems that the user provisioned, so that the user can log in without a password. Click after all the tabs are completed and reviewed.
Administrators can edit or delete users by using the → page. To edit a user, click the hyperlink in the field to access the user's profile. To delete a user account, click in the column.
To update the password of an internal user, navigate to → and click the user to update. Enter the new password in and confirm the password in .
If you forget the admin user password, then you can reset it by using the foreman-rake permissions:reset command.
More details of the admin user password reset are covered in the section called “Install Red Hat Satellite”.
Individual Satellite users are assigned roles that grant privileges to Satellite resources. As a Satellite administrator, you can create Satellite user groups to manage collections of Satellite users.
Manage user groups on the → page. Click . Provide a unique name, and then select users to be members of the group. User groups can also contain other user groups.
Administrators can edit or delete existing user groups on the → page. To edit a user group, click the hyperlink in the field to access the user group's profile. To delete a user group, click in the column.
Red Hat Satellite supports the use of LDAP servers for authenticating users. Satellite user groups can also be mapped to external user groups that an LDAP server provides. Satellite supports POSIX-compliant LDAP, Red Hat Identity Manager (FreeIPA), and Microsoft Active Directory servers as authentication sources.
Navigate to → to manage external authentication sources. Click to begin configuring a new authentication source.
The tab is where LDAP host connections are configured. Required information includes the server's fully qualified host name, the network port, whether to use encrypted communication, and the LDAP server type (POSIX, FreeIPA, or Active Directory). Click to verify that the specified settings communicate with the LDAP server.
The tab specifies the privileged account that is configured to perform queries on the LDAP server. The top-level domain name of the LDAP directory is specified in the field. You can enter a custom LDAP search filter in the field to limit LDAP queries, which can improve server efficiency and response times. Select for the Satellite Server to create a corresponding Satellite user the first time that an LDAP user authenticates. The Satellite user account stores authorization information, such as role, group, and permission assignments. The LDAP server continues to store and validate the user authentication and password.
The tab is used to map LDAP attributes to Satellite user profile data elements. Attributes that can be mapped include the login name, first name, surname, email address, and photo.
Red Hat Satellite uses Role-Based Access Control (RBAC) to control which Satellite resources users can access, and which actions they can perform on those resources. Satellite is configured with predefined roles for standard Satellite tasks. Predefined roles are used for configuration management integration, and external tools can also use them. These predefined roles are locked to prevent changes.
Satellite administrators can create roles manually or by cloning and customizing any existing role, including predefined roles. You can assign a role to a user group to manage several user privileges without manually configuring each user. You can manage the roles that are assigned to a user group on the → page. Click the user group to manage, and click the tab.
To create a role, navigate to → and click . Enter a unique name, and then click to create the role without filters. You must create the role before you can manage its filters.
An alternative way to create a role is to clone an existing one. Navigate to → and select from the list on the existing role's row. Enter a unique name, and then click . The new role initially has the same filters as the original role.
Role filters grant permissions to Satellite resources. To manage role filters, click the role name on the → page, and then click the tab. Existing filters for cloned roles appear as a list, and are sorted by resource type.
Existing role filters can be deleted or edited from the menu in the column. Click to create a filter for the selected role. Grant access to a resource type by selecting it from the menu. A list of available permissions is displayed for that resource. Each resource type has a list of valid user permissions for that type. Typically, permissions are available for viewing, creating, editing, and deleting.
By default, role filters apply to all resources of the selected type. Clearing the checkbox can provide more granular control. Clicking the field generates a menu of field names and operators to use to select resources. The syntax of this search expression is as follows:
field_name operator value
This expression limits the resources that this filter matches for this role.
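As an added example (not part of the course text and not Satellite's own code), the following model shows how user groups, roles, and role filters combine into a user's effective access, and how a search expression narrows a filter to a subset of resources. The group, role, user, and host names are constructed; the parser handles only a single `=`, `!=`, or `~` comparison; and the rule that members of a nested group inherit the roles of the containing group is an assumption of this model.

```python
import re

# Constructed sample data: role, group, user and host names are illustrative.
ROLES = {  # role -> filters; search=None means the filter is not narrowed
    "host-viewer": [{"type": "Host", "perms": {"view_hosts"}, "search": None}],
    "web-operator": [{"type": "Host", "perms": {"view_hosts", "edit_hosts"},
                      "search": "hostgroup = web"}],
}
GROUPS = {  # "ops" contains "web-team", so web-team members also get ops roles
    "ops": {"users": {"alice"}, "groups": {"web-team"}, "roles": {"host-viewer"}},
    "web-team": {"users": {"bob"}, "groups": set(), "roles": {"web-operator"}},
}

def matches(search, resource):
    """Evaluate one 'field_name operator value' expression (=, != and ~ only)."""
    if search is None:
        return True  # applies to every resource of the type
    m = re.fullmatch(r"\s*(\w+)\s*(!=|=|~)\s*(.+?)\s*", search)
    if not m or m.group(1) not in resource:
        return False  # fail closed on anything this model cannot evaluate
    field, op, value = m.groups()
    actual = str(resource[field])
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    return value in actual  # '~' modelled as a substring match

def roles_for(user):
    """Roles inherited through direct groups and every group that contains them."""
    member_of = {g for g, d in GROUPS.items() if user in d["users"]}
    while True:
        parents = {g for g, d in GROUPS.items() if d["groups"] & member_of}
        if parents <= member_of:
            break
        member_of |= parents
    return set().union(*(GROUPS[g]["roles"] for g in member_of))

def allowed(user, perm, rtype, resource):
    """True if any filter of any inherited role grants perm on this resource."""
    return any(f["type"] == rtype and perm in f["perms"]
               and matches(f["search"], resource)
               for role in roles_for(user) for f in ROLES[role])

WEB01 = {"name": "web01", "hostgroup": "web"}  # constructed hosts
DB01 = {"name": "db01", "hostgroup": "db"}
```

In this model, bob can edit only hosts in the web host group but can view every host through the role inherited from the containing group, which is the kind of unintended breadth to look for when reviewing delegated roles.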
For more information, see the Managing Users and Roles chapter in the Administering Red Hat Satellite guide at https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html-single/administering_red_hat_satellite/index#Managing_Users_and_Roles_admin