One of the key benefits of using Automation controller is the control of users that use the system. The objective of this exercise is to understand Role Based Access Controls (RBACs) with which Automation controller admins can define tenancies, teams, roles and associate users to those roles. This gives organizations the ability to secure the automation system and satisfy compliance goals and requirements.
Let's review some Automation controller terminology:
Log in to Automation controller with the admin user.
Parameter | Value |
---|---|
username | admin |
password | provided by instructor |
Confirm that you are logged in as the admin user.
Under the Access Management section, click on Organizations
As the admin user, you will be able to view all organizations configured for Automation controller:
Note: The orgs, teams and users were auto-populated for this workshop.
Examine the organizations
There are 2 organizations (other than Default):
Note:
This page gives you a summary of all the teams, users, inventories, projects and job templates associated with it. If an Organization-level admin is configured, you will see that as well.
Click on the Red Hat network organization.
This brings up a section that displays the details of the organization.
Click on the Administrators tab
Click on the blue Add administrators button:
Select the network-admin user and then click the blue Add administrators button
Log out from the admin user by clicking the admin button in the top right corner of the Automation controller UI:
Log in to the system with the network-admin user.
Parameter | Value |
---|---|
username | network-admin |
password | provided by instructor |
Confirm that you are logged in as the network-admin user.
Click on the Organizations link on the sidebar under the Access Management section.
You will notice that you only have visibility to the organization you are an admin of, the Red Hat network organization.
The following two Organizations are not seen anymore:
Red Hat compute organization
Default
Bonus step:
Try this as the network-operator user (same password as network-admin). What is the difference between network-operator and network-admin? As the network-operator, are you able to view other users? Are you able to add a new user or edit user credentials?
As the network-admin, we can now set up access for the network-operator user.
Click on Templates on the left menu
Click on the Network-Commands job template.
Click on the User Access tab
Click on the blue Add roles button
Click network-operator then click the blue Next button at the bottom
Click on JobTemplate Execute then click on the blue Next button at the bottom
Review to make sure you set it up correctly, and click the blue Finish button at the bottom.
Click the Close button after the role is applied
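The two grants made through the UI in this exercise (organization administrator for network-admin, JobTemplate Execute for network-operator) can also be kept as a playbook, so the access model is reviewable and repeatable. This is an added example, not part of the original workshop; it assumes the ansible.controller collection and its role module are installed, and that controller credentials are supplied through environment variables.

```yaml
---
# Added example: the role grants from this exercise expressed as code.
# Assumptions: the ansible.controller collection is installed, and the
# CONTROLLER_HOST, CONTROLLER_USERNAME and CONTROLLER_PASSWORD environment
# variables identify the workshop controller and an account allowed to
# grant these roles.
- name: Apply the workshop RBAC grants as code
  hosts: localhost
  connection: local
  gather_facts: false

  tasks:
    # Same result as Organizations > Administrators > Add administrators.
    - name: Make network-admin an administrator of its organization only
      ansible.controller.role:
        user: network-admin
        role: admin
        organizations:
          - Red Hat network organization
        state: present

    # Same result as Templates > Network-Commands > User Access > Add roles.
    # Execute lets the user launch the template but not edit it.
    - name: Let network-operator launch Network-Commands and nothing more
      ansible.controller.role:
        user: network-operator
        role: execute
        job_templates:
          - Network-Commands
        state: present
```

Running the playbook a second time reports no changes when the grants are already in place, and setting `state: absent` on a task revokes that grant.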
Navigate back to the Network-Commands Job Template
Verify the Survey is enabled
Verify the Survey questions
Click on the blue Save survey question
Finally, to see the RBAC in action!
Log out as admin and log back in as the network-operator user.
Parameter | Value |
---|---|
username | network-operator |
password | provided by instructor |
Navigate to Templates under the Automation Execution section, and click on the Network-Commands Job Template.
Note:
As the network-operator user, you will have no ability to change any of the fields. The Edit button is no longer available.
Launch the Network-Commands template by clicking on the Launch button:
You will be prompted by a dialog-box that lets you choose one of the pre-configured show commands.
Go ahead and choose a command and click Next and then Launch to see the playbook being executed and the results being displayed.
If time permits, log back in as the network-admin and add another show command you would like the operator to run. This will also help you see how the Admin Role of the network-admin user allows you to edit/update the job template.
Organizations, multiple Teams, and Users. Something not covered in this exercise is that we do not need to manage users in Ansible Automation Platform; we can use enterprise authentication including Active Directory, LDAP, RADIUS, SAML, and TACACS+.
You have completed lab exercise 8