Exercise 8: Understanding RBAC in Automation controller

Read this in other languages: uk English, japan 日本語, Español Español.

Table of Contents


One of the key benefits of using Automation controller is the control of users that use the system. The objective of this exercise is to understand Role Based Access Controls (RBACs) with which Automation controller admins can define tenancies, teams, roles and associate users to those roles. This gives organizations the ability to secure the automation system and satisfy compliance goals and requirements.


Lets review some Automation controller terminology:

Step 1: Opening up Organizations

Step 2: Open the network organization

  1. Click on the Red Hat network organization.

    This brings up a section that displays the details of the organization.

    network organization image

  2. Click on the Access tab to see users associated with this organization.

    Observe that both the network-admin and network-operator users are associated with this organization.

Step 3: Examine Teams

  1. Click on Teams in the sidebar

    image identifying teams

  2. Examine the teams. The Automation controller admin will be able to see all available teams. There are four teams:

    • Compute T1
    • Compute T2
    • Netadmin
    • Netops

    teams window image

Step 4: Examine the Netops Team

Step 5: Login as network-admin

Step 6: Understand Team Roles

  1. To understand how different roles and therefore RBACs may be applied, log out and log back in as the admin user.

  2. Navigate to Inventories and click on the Workshop Inventory

  3. Click on the Access button

    workshop inventory window

  4. Examine the permissions assigned to each user

    permissions window

    Note: ROLES assigned for the network-admin and network-operator users. By assigning the Use Role, the network-operator user has been granted permission to use this particular inventory.

Step 7: Job Template Permissions

  1. Click on the Templates button in the left menu

  2. Click on the Network-Commands Job Template

  3. Click on the Access button at the top

    permissions window

    Note: the same users have different roles for the job template. This highlights the granularity operators can introduce with Automation controller in controlling "Who gets access to what". In this example, the network-admin can update (Admin) the Network-Commands job template, whereas the network-operator can only Execute it.

Step 8: Login as network-operator

Finally, to see the RBAC in action!

  1. Log out at admin and log back in as the network-operator user.

    Parameter Value
    username network-operator
    password provided by instructor
  2. Navigate to Templates and click on the Network-Commands Job Template.

    network commands job template

    Note that, as the network-operator user, you will have no ability to change any of the fields. The Edit button is no longer available.

Step 9: Launching a Job Template

  1. Launch the Network-Commands template by clicking on the Launch button:

  2. You will be prompted by a dialog-box that lets you choose one of the pre-configured show commands.

    pre configured survey image

  3. Go ahead and choose a command and click Next and then Launch to see the playbook being executed and the results being displayed.

Bonus Step

If time permits, log back in as the network-admin and add another show command you would like the operator to run. This will also help you see how the Admin Role of the network-admin user allows you to edit/update the job template.



You have completed lab exercise 8

Previous Exercise | Next Exercise

Click here to return to the Ansible Network Automation Workshop