Chapter 4. Configuring user access for your private automation hub

You can manage user access to content and features in automation hub by creating groups of users that have specific permissions.

4.1. Implementing user access

User access is based on managing permissions to system objects (users, groups, namespaces) rather than by assigning permissions individually to specific users.

You assign permissions to the groups that you create. You can then assign users to these groups. This means that each user in a group has the permissions assigned to that group.

Groups created in private automation hub can range from system administrators responsible for governing internal collections, configuring user access, and repository management to groups with access to organize and upload internally developed content to the private automation hub.

4.1.1. Default user access for private automation hub

When you install automation hub, the system automatically creates the default admin user in the Admin group. The Admin group is assigned all permissions in the system.

The following sections describe the workflows associated with organizing your users who will access private automation hub and providing them with required permissions to reach their goals. See the permissions reference table for a full list and description of all permissions available.

4.1.2. Creating a new group in private automation hub

You can create and assign permissions to a group in private automation hub that enables users to access specified features in the system. By default, the Admin group in the automation hub has all permissions assigned and is available on initial login. Use the credentials created when installing private automation hub.

For more information, see Creating a new group in private automation hub in the Getting started with automation hub guide.

4.1.3. Assigning permissions to groups

By default, new groups do not have any assigned permissions. You can assign permissions to groups in private automation hub that enable users to access specific features in the system.

You can add permissions when first creating a group, or edit an existing group to add or remove permissions.

For more information, see Assigning permissions to groups in the Getting started with automation hub guide.

4.1.4. Creating new users and giving them permissions

After you create a user in private automation hub, you can give them permissions by adding them to groups. Each group can access the features in the system that are associated with its level of assigned permissions.

Prerequisites

  • You have user permissions and can create users in private automation hub.

Procedure

  1. Log in to your private automation hub.
  2. From the navigation panel, select User Access → Users.
  3. Click Create user.
  4. Enter information in the fields. Username and Password are required.
  5. Optional: To assign the user to a group, click the Groups field and select from the list of groups.
  6. Click Save.

The new user is now displayed in the list on the Users page.

4.1.5. Creating a super user

If you want to spread administration across your team, you can create a super user in private automation hub.

Prerequisites

  • You must be a Super user.

Procedure

  1. Log in to your private automation hub.
  2. From the navigation panel, select User Access → Users.
  3. Select the user that you want to make a super user. The User details for that user are displayed.
  4. Under User type, select Super User.

The user now has Super user permissions.

4.1.6. Adding users to existing groups

You can add users to a group when you create it. You can also manually add users to existing groups.

For more information, see Adding users to existing groups in the Getting started with automation hub guide.

4.1.7. Creating a new group for content curators

You can create a new group in private automation hub designed to support content curation in your organization. This group can contribute internally developed collections for publication in private automation hub.

To help content developers create a namespace and upload their internally developed collections to private automation hub, you must first create and edit a group and assign the required permissions.

Prerequisites

  • You have administrative permissions in private automation hub and can create groups.

Procedure

  1. Log in to your private automation hub.
  2. From the navigation panel, select User Access → Groups and click Create.
  3. Enter Content Engineering as a Name for the group in the modal and click Create. You have created the new group and the Groups page opens.
  4. On the Permissions tab, click Edit.
  5. Under Namespaces, add permissions for Add Namespace, Upload to Namespace, and Change Namespace.
  6. Click Save.

    The new group is created with the permissions that you assigned. You can then add users to the group.

  7. Click the Users tab on the Groups page.
  8. Click Add.
  9. Select users and click Add.

4.1.8. Automation hub permissions

Permissions provide a defined set of actions each group can perform on a given object. Determine the required level of access for your groups based on the permissions described in this table.

Table 4.1. Permissions Reference Table

Object: collection namespaces
Permission:
  • Add namespace
  • Upload to namespace
  • Change namespace
  • Delete namespace
Description: Groups with these permissions can create, upload collections, and delete a namespace.

Object: collections
Permission:
  • Modify Ansible repo content
  • Delete collections
Description: Groups with this permission can perform these actions:
  • Move content between repositories by using the Approval feature.
  • Certify or reject features to move content from the staging to published or rejected repositories.
  • Delete collections.

Object: users
Permission:
  • View user
  • Delete user
  • Add user
  • Change user
Description: Groups with these permissions can manage user configuration and access in private automation hub.

Object: groups
Permission:
  • View group
  • Delete group
  • Add group
  • Change group
Description: Groups with these permissions can manage group configuration and access in private automation hub.

Object: collection remotes
Permission:
  • Change collection remote
  • View collection remote
Description: Groups with these permissions can configure a remote repository by navigating to Collection → Repositories.

Object: containers
Permission:
  • Change container namespace permissions
  • Change containers
  • Change image tags
  • Create new containers
  • Push to existing containers
  • Delete container repository
Description: Groups with these permissions can manage container repositories in private automation hub.

Object: remote registries
Permission:
  • Add remote registry
  • Change remote registry
  • Delete remote registry
Description: Groups with these permissions can add, change, or delete remote registries added to private automation hub.

Object: task management
Permission:
  • Change task
  • Delete task
  • View all tasks
Description: Groups with these permissions can manage tasks added to Task Management in private automation hub.

4.1.9. Deleting a user from private automation hub

When you delete a user account, the name and email of the user are permanently removed from private automation hub.

Prerequisites

  • You have user permissions in private automation hub.

Procedure

  1. Log in to private automation hub.
  2. From the navigation panel, select User Access → Users.
  3. Click Users to display a list of the current users.
  4. Click the More Actions icon beside the user that you want to remove, then click Delete.
  5. Click Delete in the warning message to permanently delete the user.

4.2. Enable view-only access for your private automation hub

By enabling view-only access, you can allow users to view collections or namespaces on your private automation hub without requiring them to log in. View-only access allows you to share content with unauthenticated users while restricting them to viewing or downloading source code. They do not have permissions to edit anything on your private automation hub.

To enable view-only access for your private automation hub, you must edit the inventory file on your Red Hat Ansible Automation Platform installer.

  • If you are installing a new instance of Ansible Automation Platform, add the automationhub_enable_unauthenticated_collection_access and automationhub_enable_unauthenticated_collection_download parameters to your inventory file along with your other installation configurations.
  • If you are updating an existing Ansible Automation Platform installation to include view-only access, add the automationhub_enable_unauthenticated_collection_access and automationhub_enable_unauthenticated_collection_download parameters to your inventory file and then run the setup.sh script to apply the updates.

Procedure

  1. Navigate to the installer.

    Bundled installer
    $ cd ansible-automation-platform-setup-bundle-<latest-version>
    Online installer
    $ cd ansible-automation-platform-setup-<latest-version>
  2. Open the inventory file with a text editor.
  3. Add the automationhub_enable_unauthenticated_collection_access and automationhub_enable_unauthenticated_collection_download parameters to the inventory file and set both to True, following the example below:

    [all:vars]

    # Allows unauthenticated users to view collections
    automationhub_enable_unauthenticated_collection_access = True
    # Allows unauthenticated users to download collections
    automationhub_enable_unauthenticated_collection_download = True
  4. Run the setup.sh script. The installer enables view-only access to your private automation hub.

Verification

After the installation is complete, verify that you have view-only access on your private automation hub by attempting to view content on your private automation hub without logging in.

  1. Navigate to your private automation hub.
  2. On the login screen, click View only mode.

Verify that you are able to view content on your automation hub, such as namespaces or collections, without having to log in.
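To confirm from the configuration side which installer inventories expose content to users who have not logged in, the following added example (not part of the product documentation) scans inventory text for the two parameters above. The function names, the sample inventory, and the set of value spellings treated as enabled are assumptions made for this illustration.

```python
import re

# The two parameters this page adds to the installer inventory.
PARAMS = (
    "automationhub_enable_unauthenticated_collection_access",
    "automationhub_enable_unauthenticated_collection_download",
)
# Assumption: spellings treated as "enabled"; the page itself only uses True.
TRUTHY = {"true", "yes", "on", "1"}
ASSIGN = re.compile(r"\b(" + "|".join(PARAMS) + r")\s*=\s*(\S+)")


def audit_inventory(text):
    """Return {param: [(line_no, section, raw_value, enabled), ...]}."""
    findings = {p: [] for p in PARAMS}
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment line
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
            continue
        # Matches [x:vars] assignments and inline host variables alike.
        for name, value in ASSIGN.findall(line):
            value = value.strip("'\"")
            findings[name].append((line_no, section, value, value.lower() in TRUTHY))
    return findings


def anonymous_exposure(text):
    """Names of parameters enabled anywhere (variable precedence is not resolved)."""
    return sorted(p for p, hits in audit_inventory(text).items()
                  if any(hit[3] for hit in hits))


# Constructed sample inventory, not taken from a real installation.
SAMPLE = """\
[automationhub]
hub.example.com

[all:vars]
# automationhub_enable_unauthenticated_collection_download = True
automationhub_enable_unauthenticated_collection_access = True
automationhub_enable_unauthenticated_collection_download = False
"""

if __name__ == "__main__":
    for name in anonymous_exposure(SAMPLE):
        print("anonymous access enabled:", name)
```

Because the check flags a parameter that is enabled in any section or on any host line, a hit is a prompt to review the inventory, not a statement of the effective value after variable precedence.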