# Exercise 8: Understanding RBAC in Automation controller

## Table of Contents

- Objective
- Guide
- Step 1: Opening up Organizations
- Step 2: Open the network organization
- Step 3: Add network-admin as an administrator
- Step 4: Login as network-admin
- Step 5: Give job template access to the network-operator user
- Step 6: Verify the Network-Commands job template
- Step 7: Login as network-operator
- Step 8: Launching a Job Template
- Bonus Step
- Takeaways
- Complete
## Objective

One of the key benefits of Automation controller is control over the users who use the system. The objective of this exercise is to understand Role-Based Access Control (RBAC), with which Automation controller admins can define tenancies, teams and roles and associate users with those roles. This gives organizations the ability to secure the automation system and satisfy compliance goals and requirements.
Let's review some Automation controller terminology:

- Organizations: Define a tenancy, for example Network-org or Compute-org. This may mirror the internal structure of the customer's organization.
- Teams: Within each organization there may be more than one team, for instance tier1-helpdesk, tier2-support, tier3-support, build-team, etc.
- Users: Users typically belong to teams. What a user can do within Automation controller is defined by roles.
- Roles: Roles define what actions a user may perform. This maps well onto typical network organizations that restrict access based on whether the user is a Level-1 helpdesk person, Level-2 support or a senior admin. The Automation controller documentation defines a set of built-in roles.

## Guide

### Step 1: Opening up Organizations

- Login to Automation controller with the admin user.

  | Parameter | Value |
  |-----------|-------|
  | username  | admin |
  | password  | provided by instructor |

- Confirm that you are logged in as the admin user.
- Under the Access Management section, click on Organizations.

  As the admin user, you will be able to view all organizations configured for Automation controller.

  Note: The orgs, teams and users were auto-populated for this workshop.

- Examine the organizations.

  There are 2 organizations (other than Default):

  - Red Hat compute organization
  - Red Hat network organization

  Note: This page gives you a summary of all the teams, users, inventories, projects and job templates associated with each organization. If an organization-level admin is configured, you will see that as well.
### Step 2: Open the network organization

- Click on the Red Hat network organization.

  This brings up a section that displays the details of the organization.
### Step 3: Add network-admin as an administrator

- Click on the Administrators tab.
- Click on the blue Add administrators button.
- Select the network-admin user and then click the blue Add administrators button.
### Step 4: Login as network-admin

- Log out from the admin user by clicking the admin button in the top right corner of the Automation controller UI.
- Login to the system with the network-admin user.

  | Parameter | Value |
  |-----------|-------|
  | username  | network-admin |
  | password  | provided by instructor |

- Confirm that you are logged in as the network-admin user.
- Click on the Organizations link on the sidebar under the Access Management section.

  You will notice that you only have visibility of the organization you are an admin of, the Red Hat network organization. The following two organizations are no longer visible:

  - Red Hat compute organization
  - Default
Bonus step: Try this as the network-operator user (same password as network-admin). What is the difference between network-operator and network-admin? As network-operator, are you able to view other users? Are you able to add a new user or edit user credentials?
### Step 5: Give job template access to the network-operator user

As the network-admin, we can now set up access for the network-operator user.

- Click on Templates on the left menu.
- Click on the Network-Commands job template.
- Click on the User Access tab.
- Click on the blue Add roles button.
- Click network-operator, then click the blue Next button at the bottom.
- Click on JobTemplate Execute, then click on the blue Next button at the bottom. Execute is the least privilege that lets the operator launch the template; JobTemplate Admin would also let them edit it, which is what this exercise is designed to prevent.
- Review to make sure you set it up correctly, and click the blue Finish button at the bottom.
- Click the Close button after the role is applied.
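The same two grants made by hand in Step 3 and Step 5, written as an Ansible playbook so they can be reviewed, version-controlled and re-applied. This is an added example, not part of the workshop repository; it uses the ansible.controller collection that ships with Ansible Automation Platform and assumes that collection is installed and that CONTROLLER_HOST and CONTROLLER_OAUTH_TOKEN (a token for the admin user) are exported in the environment, which the modules and the controller_api lookup read automatically. The object names are the workshop's; the final verification task's parsing of the access_list response (summary_fields.direct_access[].role.name) is an assumption about the controller API's response shape.

```yaml
---
# Added example for Exercise 8 (not part of the workshop material): apply the
# RBAC model from Steps 3 and 5 with the ansible.controller collection, then
# read it back and fail if the operator ended up with more than Execute.
#
# Assumptions: the collection is installed and CONTROLLER_HOST and
# CONTROLLER_OAUTH_TOKEN are set in the environment.
- name: Apply the Exercise 8 RBAC model
  hosts: localhost
  gather_facts: false
  vars:
    network_org: "Red Hat network organization"
    network_jt: "Network-Commands"

  tasks:
    # Step 3: organization admin. This is the grant that limits network-admin's
    # view to a single organization in Step 4 (Default and the compute org
    # are no longer visible to that user).
    - name: Make network-admin an administrator of the network organization
      ansible.controller.role:
        user: network-admin
        role: admin
        organizations:
          - "{{ network_org }}"
        state: present

    # Step 5: execute-only on one job template. 'execute' lets the operator
    # launch the template and see results; 'admin' on the template would also
    # let them edit it, which is exactly what the exercise wants to prevent.
    - name: Let network-operator execute the Network-Commands job template
      ansible.controller.role:
        user: network-operator
        role: execute
        job_templates:
          - "{{ network_jt }}"
        state: present

    # Verification: resolve the template's ID, then read its access list back
    # from the API and collect the roles network-operator holds directly on it.
    # (Response shape assumed: summary_fields.direct_access[].role.name)
    - name: Look up the job template's ID by name
      ansible.builtin.set_fact:
        jt_id: "{{ lookup('ansible.controller.controller_api', 'job_templates',
                          query_params={'name': network_jt},
                          return_ids=true, expect_one=true) }}"

    - name: Collect the roles network-operator holds directly on the template
      ansible.builtin.set_fact:
        operator_roles: >-
          {{ query('ansible.controller.controller_api',
                   'job_templates/' ~ jt_id ~ '/access_list',
                   query_params={'username': 'network-operator'})
             | map(attribute='summary_fields.direct_access') | flatten
             | map(attribute='role.name') | list }}

    # Role names are matched by substring ('Execute' / 'Admin') so the check
    # holds whether the API reports "Execute" or "JobTemplate Execute".
    - name: Least privilege check - the operator may execute, never administer
      ansible.builtin.assert:
        that:
          - operator_roles | select('search', 'Execute') | list | length > 0
          - operator_roles | select('search', 'Admin') | list | length == 0
        fail_msg: "network-operator holds {{ operator_roles }} on {{ network_jt }}"
        success_msg: "network-operator is execute-only on {{ network_jt }}"
```

Run it as the admin user (the token must belong to an account allowed to grant these roles); `query()` rather than `lookup()` is used for the access list so the result is always a list even when only one user matches. Because the tasks are declarative (`state: present`), re-running the playbook is a cheap way to detect drift: if someone later clicks JobTemplate Admin onto the operator in the UI, the final assert fails.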
### Step 6: Verify the Network-Commands job template

Finally, to see the RBAC in action!

### Step 7: Login as network-operator

- Log out as network-admin and log back in as the network-operator user.

  | Parameter | Value |
  |-----------|-------|
  | username  | network-operator |
  | password  | provided by instructor |
### Step 8: Launching a Job Template

- Navigate to Templates under the Automation Execution section, and click on the Network-Commands Job Template.

  Note: As the network-operator user, you have no ability to change any of the fields. The Edit button is no longer available.

- Launch the Network-Commands template by clicking on the Launch button.
- You will be prompted by a dialog box that lets you choose one of the pre-configured show commands.
- Go ahead and choose a command, click Next and then Launch to see the playbook being executed and the results being displayed.
## Bonus Step

If time permits, log back in as the network-admin and add another show command you would like the operator to run. This also shows how the Admin role of the network-admin user allows you to edit/update the job template, while the operator's Execute role does not.
## Takeaways

- Using Ansible Automation Platform's RBAC feature, it is easy to restrict operators to running prescribed commands on production systems without giving them access to the systems themselves: the device credentials stay attached to the job template, and the operator only receives the right to launch it.
- Ansible Automation Platform supports multiple Organizations, multiple Teams, and Users. Something not covered in this exercise is that we do not need to manage users in Ansible Automation Platform; we can use enterprise authentication including Active Directory, LDAP, RADIUS, SAML, and TACACS+.
- If there needs to be an exception (a user needs access but not their entire team), this is also possible. The granularity of RBAC can go down to the credential, inventory, or Job Template for an individual user.
## Complete

You have completed lab exercise 8.