Exercise 8: Understanding RBAC in Automation controller

Objective

One of the key benefits of using Automation controller is control over the users who use the system. The objective of this exercise is to understand Role-Based Access Control (RBAC), with which Automation controller admins can define tenancies, teams and roles, and associate users with those roles. This gives organizations the ability to secure the automation system and satisfy compliance goals and requirements.

Guide

Let's review some Automation controller terminology:

Step 1: Opening up Organizations

Note:

This page gives you a summary of all the teams, users, inventories, projects and job templates associated with it. If an Organization-level admin is configured, you will see that as well.

Step 2: Open the network organization

  1. Click on the Red Hat network organization.

    This brings up a section that displays the details of the organization.

Step 3: Add network-admin as an administrator

  1. Click on the Administrators tab

  2. Click on the blue Add administrators button:

  3. Select the network-admin user and then click the blue Add administrators button

Step 4: Login as network-admin

  1. Log out from the admin user by clicking the admin button in the top right corner of the Automation controller UI:

  2. Log in to the system with the network-admin user.

    Parameter   Value
    username    network-admin
    password    provided by instructor

  3. Confirm that you are logged in as the network-admin user.

  4. Click on the Organizations link on the sidebar under the Access Management section.

You will notice that you only have visibility to the organization you are an admin of, the Red Hat network organization.

The following two Organizations are not seen anymore:

Bonus step:

Try this as the network-operator user (same password as network-admin). What is the difference between network-operator and network-admin? As the network-operator are you able to view other users? Are you able to add a new user or edit user credentials?

Step 5: Give job template access to the network-operator user

As the network-admin, we can now set up access for the network-operator user.

  1. Click on Templates on the left menu

  2. Click on the Network-Commands job template.

  3. Click on the User Access tab

  4. Click on the blue Add roles button

  5. Click network-operator then click the blue Next button at the bottom

  6. Click on JobTemplate Execute then click on the blue Next button at the bottom

  7. Review to make sure you set it up correctly, and click the blue Finish button at the bottom.

  8. Click the Close button after the role is applied
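
The role grant from Step 5, written as a playbook so it can be reviewed and re-applied. This is an added example, not part of the original workshop; it assumes the ansible.controller collection is installed and that CONTROLLER_HOST, CONTROLLER_USERNAME and CONTROLLER_PASSWORD are set in the environment for a user allowed to manage the template, such as network-admin.

```yaml
---
# Added example (not from the workshop): Step 5 as code.
# Assumption: connection details come from the CONTROLLER_HOST,
# CONTROLLER_USERNAME and CONTROLLER_PASSWORD environment variables.
- name: Give network-operator execute-only access to Network-Commands
  hosts: localhost
  connection: local
  gather_facts: false

  tasks:
    # Same effect as selecting "JobTemplate Execute" in the Add roles wizard:
    # the operator can launch the template but not edit it.
    - name: Allow network-operator to launch the job template
      ansible.controller.role:
        user: network-operator
        role: execute
        job_templates:
          - Network-Commands
        state: present

    # Least-privilege guard: if the operator was ever granted the Admin role
    # directly on this template, remove it so the template stays read-only
    # for that user.
    - name: Ensure network-operator holds no Admin role on the template
      ansible.controller.role:
        user: network-operator
        role: admin
        job_templates:
          - Network-Commands
        state: absent
```

Both tasks are idempotent, so a second run reporting no changes confirms the template's access still matches what Step 5 set up.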

Step 6: Verify the Network-Commands job template

  1. Navigate back to the Network-Commands Job Template

  2. Verify the Survey is enabled

  3. Verify the Survey questions

  4. Click on the blue Save survey question

Step 7: Login as network-operator

Finally, to see the RBAC in action!

  1. Log out as admin and log back in as the network-operator user.

    Parameter   Value
    username    network-operator
    password    provided by instructor

  2. Navigate to Templates under the Automation Execution section, and click on the Network-Commands Job Template.

Note:

As the network-operator user, you will have no ability to change any of the fields. The Edit button is no longer available.

Step 8: Launching a Job Template

  1. Launch the Network-Commands template by clicking on the Launch button:

  2. You will be prompted by a dialog box that lets you choose one of the pre-configured show commands.

  3. Go ahead and choose a command and click Next and then Launch to see the playbook being executed and the results being displayed.

Bonus Step

If time permits, log back in as the network-admin and add another show command you would like the operator to run. This will also help you see how the Admin Role of the network-admin user allows you to edit/update the job template.

Takeaways

Complete

You have completed lab exercise 8

