17.3. Creating and Managing Roles

Red Hat Satellite provides a set of predefined roles with permissions sufficient for standard tasks, as listed in Table 17.1, “Predefined Roles Available in Red Hat Satellite”. It is also possible to configure custom roles, and assign one or more permission filters to them. Permission filters define the actions allowed for a certain resource type. Certain Satellite plug-ins create roles automatically.

Table 17.1. Predefined Roles Available in Red Hat Satellite

RolePermissions Provided by Role[a]
Anonymous The set of permissions that every user is granted, irrespective of any other roles.
Discovery manager View, provision, edit, and destroy discovered hosts and manage discovery rules.
Discovery reader View hosts and discovery rules.
Boot disk access Download the boot disk.
Red Hat Access Logs View the log viewer and the logs.
Manager A most extensive set of permissions, the majority of actions from each resource type is enabled.
Edit partition tables View, create, edit and destroy partition tables.
View hosts View hosts.
Edit hosts View, create, edit, destroy, and build hosts.
Viewer A passive role that provides the ability to view the configuration of every element of the Satellite structure, logs, and statistics.
Site manager A restrained version of the Manager role.
Tasks manager View and edit Satellite tasks.
Tasks reader View Satellite tasks.
[a] The exact set of allowed actions associated with predefined roles can be viewed by the privileged user as described in Section 17.3.4, “Viewing Permissions of a Role”.

17.3.1. Creating a Role

The following steps show how to create a role.

Procedure 17.8. To Create a Role:

  1. Navigate to AdministerRoles.
  2. Click New Role.
  3. Provide a Name for the role.
  4. Click Submit to save your new role.
To serve its purpose, a role must contain permissions. After creating a role, proceed to Section 17.3.3, “Adding Permissions to a Role”.

17.3.2. Cloning a Role

Cloning an existing role is a time-saving method of role creation, especially if you want to create a new role that is a variation of an existing permission set. The following procedure explains how to clone a role.
  1. Navigate to AdministerRoles
  2. Select Clone from the drop-down list to the right of the role to be copied.
  3. Select the name for the new role and alter the permissions as needed.

17.3.3. Adding Permissions to a Role

The following steps show how to add permissions to a role.

Procedure 17.9. To Add Permissions to a Role:

  1. Navigate to AdministerRoles.
  2. Select Add Permission from the drop-down list to the right of the required role.
  3. Select the Resource type from the drop-down list.

    Note

    The (Miscellaneous) group gathers permissions that are not associated with any resource group.
  4. Click the permissions you want to select from the Permission list.
  5. Select whether the permission is Unlimited.
  6. To search for a particular role, use the Search field at the top of the list of roles. See Section 17.4, “Granular Permission Filtering” for the details of using filtering during these searches.
  7. Click Next.
  8. Click Submit to save changes.

17.3.4. Viewing Permissions of a Role

The following procedure shows how to view permissions assigned to an existing role.

Procedure 17.10. To View Permissions Associated with a Role:

  1. Navigate to AdministerRoles.
  2. Click Filters to the right of the required role to get to the Filters page.
The Filters page contains a table of permissions assigned to a role grouped by the resource type. It is also possible to generate a complete table of permissions and actions that you can use on your Satellite system. See Procedure 17.11, “To Create a Complete Permission Table:” for instructions.

17.3.5. Creating a Complete Permission Table

The following procedure explains how to generate a table of all the permissions available in your installation of Satellite. This procedure produces an exhaustive list of the permissions in the Satellite system, and is the best method of generating a reference of procedures for your installation of Satellite.

Procedure 17.11. To Create a Complete Permission Table:

  1. Ensure that the required packages are installed:
    # yum install ruby193-rubygem-foreman*
  2. Start the Satellite console with the following command:
    # foreman-rake console
  3. Insert the following code into the console:
    f = File.open('/tmp/table.html', 'w')
    
    result = Foreman::AccessControl.permissions.sort {|a,b| a.security_block <=> b.security_block}.collect do |p|
          actions = p.actions.collect { |a| "<li>#{a}</li>" }
          "<tr><td>#{p.name}</td><td><ul>#{actions.join('')}</ul></td><td>#{p.resource_type}</td></tr>"
    end.join("\n")
    
    f.write(result)
    The above syntax creates a table of permissions and saves it to the /tmp/table.html file.
  4. Press Ctrl+D to exit the Satellite console. Insert the following text at the first line of /tmp/table.html:
    <table border="1"><tr><td>Permission name</td><td>Actions</td><td>Resource type</td></tr>
  5. Append the following text at the end of /tmp/table.html:
    </table>
  6. Open /tmp/table.html in a web browser to view the table.

17.3.6. Removing a Role

The following steps show how to remove an existing role.

Procedure 17.12. To Remove a Role:

  1. Navigate to AdministerRoles.
  2. Select Delete from the drop-down list to the right of the role to be deleted.
  3. In an alert box that appears, click OK to delete the role.