Language and Page Formatting Options
16.4. Granular Permission Filtering
As mentioned in Section 16.3.2, “Adding Permissions to an Existing Role”, Red Hat Satellite provides an ability to limit the configured user permissions to selected instances of a resource type. These granular filters are queries to the Satellite database and are supported by the majority of resource types.
To create a granular filter, specify a query in the Search field on the Edit Filter page. Deselect the Unlimited check box for the field to be active. Queries have the following form:
field_name operator value
- field_name marks the field to be queried. The range of available field names depends on the resource type. For example, the Partition Table resource type offers family, layout, and name as query parameters.
- operator specifies the type of comparison between field_name and value. See Table 16.2, “Supported Operators for Granular Search” for an overview of applicable operators.
- value is the value used for filtering. This can be for example a name of an organization. Two types of wildcard characters are supported: underscore (_) provides single character replacement, while percent sign (%) replaces zero or more characters.
For most resource types, the Search field provides a drop-down list suggesting the available parameters. This list appears after placing the cursor in the search field. For many resource types, it is also possible to combine the queries by using the and and or operators.
Table 16.2. Supported Operators for Granular Search
|=||Is equal to. An equality comparison that is case-sensitive for text fields.|
|!=||Is not equal to. An inversion of the = operator.|
|~||Like. A case-insensitive occurrence search for text fields.|
|!~||Not like. An inversion of the ~ operator.|
|^||Starts with. A case-insensitive search for text fields starting with a certain string.|
|!^||Does not start with. An inversion of the ^ operator.|
|>, >=||Greater than, greater than or equal to. Supported for numerical fields only.|
|<, <=||Less than, less than or equal to. Supported for numerical fields only.|
For example, the following query applies any permissions specified for the Host/managed resource type only to hosts in the group named host-editors.
hostgroup = host-editors
You can also limit permissions to a selected environment. To do so, specify the environment name in the Search field, for example:
As an administrator, you can allow selected users to make changes in a certain part of the environment path. The above filter allows to work with content while it is in the development stage of the application life cycle, but the content becomes inaccessible once is pushed to production.
Satellite does not apply search conditions to create actions. For example, limiting the create_locations action with name = "Default Location" expression in the search field will not prevent the user from assigning a custom name to the newly created location.
You can limit user permissions to a certain organization or location with use of the permission filter. However, resource types provide a GUI alternative in form of Locations and Organizations tabs. On these tabs, you can select from the list of available organizations and locations. See Example 16.1, “Creating an Organization-specific Manager Role”.
Example 16.1. Creating an Organization-specific Manager Role
This example shows how to create a manager role restricted to a single organization named org-1.
- Navigate to Administer → Roles.
- Clone the existing Manager role. Select Clone from the drop-down list next to the Filters button. You are then prompted to insert a name for the cloned role, for example org-1 Manager.
- Click Filters next to org-1 Manager to view the filters associated with the role. All filters are marked as unlimited.
- For each filter, click Edit.
- If the filter contains the Organizations tab, navigate to it. Otherwise it is a global setting that can not be limited.
- On the Organizations tab, select org-1. Click Submit.
- The restricted filters are no longer marked as unlimited. Users assigned with the org-1 Manager role can now perform management tasks only in the selected organization.