How do you protect your subscriptions on SAT 6?

We have observed that Server Admins are able to see and attach to ALL subscriptions on the Satellite server! (Within the same organization)

Separating our departments into different Organizations is not an option because of an issue with unlimited Virtual Data Center subscription in multi-orgs setups. (Bug 1142839)

So my question is: how do you protect your subscriptions from being “stolen”? Any good ideas or workarounds?

Further info:
Bug 1685526 - [RFE] - Subscriptions added in an activation key should not be auto-attached to any other hosts (which are not registered with that activation key)
Bug 1142839 - [RFE] Usage of unlimited guest subscriptions in multi-org setups with Red Hat Satellite 6

Responses

Hello Jens,

I only provide VMs to my users that are preinstalled and do not provide them access to the subscription pool. Do your system admins have a login at your RH Satellite? If not, how do they "steal" your subscriptions?

An activation key should only give them one subscription per product. So "theft" could only take place by deploying more servers than you agreed upon.

Am I missing something?

Regards,

Jan Gerrit

Hi Jan,

Our System Admins do not have a login at the Satellite, but on every server registered to Satellite 6 you can simply do:

subscription-manager list --available

subscription-manager attach --pool="xxxxxxx"

And thereby you have just “stolen” a subscription from the pool.

Hi Jens,

I see, that is my lack of experience with RH Satellite 6 in a production environment. In our Development and Test environment I am the SysAdmin and RH Satellite Application Manager.

Regards,

Jan Gerrit

The activation keys approach is a good idea; however, it just automatically attaches the given subscriptions, but it does not restrict you from attaching other ones.

There was an RFE for such a restriction: https://bugzilla.redhat.com/show_bug.cgi?id=1279973 but it was denied.

Currently, the best approach is to detach/remove the stolen subscriptions. You can list hosts attached to a subscription, and e.g. to automate matrix "system XY can attach subs S1,S2,..Sn", you can use activation keys, postulating a system with an AK is supposed to attach subs just from its AK (and any other sub attached is expected as "stolen"). Based on this, you can write a script to detach potentially stolen subs automatically, e.g. once per day.
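
The daily reconciliation described in the reply above, sketched as an added example (not part of the original thread and not Red Hat tooling). It assumes the host and activation-key data has already been exported from Satellite. All host names, key names, pool IDs and field names are hypothetical, constructed sample data.

```python
"""Reconcile host subscriptions against activation-key allowances (added example)."""

# Constructed sample data; in practice this would be exported from Satellite.
# Every name, pool ID and field name below is hypothetical.
ACTIVATION_KEYS = {
    "ak-web": {"pool-rhel-vdc"},
    "ak-db": {"pool-rhel-vdc", "pool-ha-addon"},
}

HOSTS = [
    {"name": "web01", "activation_keys": ["ak-web"], "attached": ["pool-rhel-vdc"]},
    {"name": "web02", "activation_keys": ["ak-web"],
     "attached": ["pool-rhel-vdc", "pool-ha-addon"]},
    {"name": "db01", "activation_keys": ["ak-db", "ak-web"], "attached": ["pool-ha-addon"]},
    {"name": "legacy01", "activation_keys": [], "attached": ["pool-rhel-vdc"]},
    {"name": "app01", "activation_keys": ["ak-retired"], "attached": ["pool-ha-addon"]},
]


def allowed_pools(host, activation_keys):
    """Union of pools granted by the host's activation keys, or None if unknowable."""
    keys = host.get("activation_keys") or []
    if not keys or any(k not in activation_keys for k in keys):
        return None  # no key, or a key that no longer exists: do not guess
    return set().union(*(activation_keys[k] for k in keys))


def reconcile(hosts, activation_keys):
    """Return (detach_plan, needs_review).

    detach_plan maps host name -> sorted pools attached outside its activation keys.
    needs_review lists hosts whose allowance cannot be determined; they are
    reported for a human to check instead of being changed automatically.
    """
    detach_plan, needs_review = {}, []
    for host in hosts:
        allowed = allowed_pools(host, activation_keys)
        if allowed is None:
            needs_review.append(host["name"])
            continue
        extra = sorted(set(host["attached"]) - allowed)
        if extra:
            detach_plan[host["name"]] = extra
    return detach_plan, needs_review


if __name__ == "__main__":
    plan, review = reconcile(HOSTS, ACTIVATION_KEYS)
    for name, pools in plan.items():
        print(f"{name}: detach {', '.join(pools)}")
    print("manual review:", ", ".join(review))
```

Hosts registered without an activation key, or with one that has since been deleted, are listed for review rather than stripped, so a scheduled run cannot remove entitlements from systems the matrix does not cover.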