Chapter 7. Managing Users and Permissions

For the administrator, Red Hat Satellite provides the ability to create, modify, and remove users. Also, it is possible to configure access permissions through assigning roles to users. This section shows how to perform these tasks using hammer. For web UI equivalents of the following procedures see Users and Roles in the Red Hat Satellite Server Administration Guide.

7.1. Creating Users

User in Red Hat Satellite defines a set of details for individuals using the system. To configure a user in Red Hat Satellite, hammer provides the user create and user update commands. Create a new user with the following command:

$ hammer user create \
--login <user_name> \
--password <user_password> \
--mail <user_mail> \
--auth-source-id 1 \
--organization-ids <org_ID1>,<org_ID2>...

The --auth-source-id 1 setting means that the user is authenticated internally, you can specify an external authentication source as an alternative. Add the --admin option to grant administrator privileges to the user. Specifying organization IDs is not required, you can modify the user details later using the update subcommand.

For more information on user related subcommands see the output of hammer user --help.

7.2. Creating User Groups

You can manage permissions of several users at once by organizing them into user groups. User groups themselves can be further grouped to create a hierarchy of permissions. Use the following command to create a new user group:

$ hammer user-group create --name <usergroup_name>

To add a user to a user group, issue the following command:

$ hammer user-group add-user --user <user_name> --id <usergroup_id>

Find the user group ID by executing hammer user-group list. Similarly, you can add user groups using the add-user-group subcommand. For more information on operations related to user groups see the output of hammer user-group --help.

7.3. Creating Roles

Roles in Red Hat Satellite define a set of permissions and access levels. Satellite provides a number of predefined roles, to view them, enter the following command:

$ hammer role list

To view permissions associated with a role, issue the following command:

$ hammer role filters --id <role_id>

Here, <role_id> is the ID of the role from the output of hammer role list.

To create a custom role, issue the following command:

$ hammer role create --name <role_name>

Add a permission filter to the role with the following command:

$ hammer filter create \
--role <role_name> \
--permission-ids <perm_ID1>,<perm_ID2>...

Find the permissions to be added to the role by using hammer filter available-permissions. For details on roles and permissions see the output of hammer role --help and hammer filter --help.

Example 7.1. Granular Permission Filtering

Red Hat Satellite provides the ability to limit the configured user permissions to selected instances of a resource type. Use the --search option to limit permission filters, for example:

$ hammer filter create \
--permission-ids 91 \
--search "name ~ ccv*" \
--role qa-user

The above command adds to the qa-user role a permission to view, create, edit, and destroy Content Views that only applies to Content Views with name starting with ccv. See Granular Permission Filtering in the Satellite Server Administration Guide for more information.

7.4. Assigning Roles to Users

To assign a role to a user, issue the following command:

$ hammer user add-role --id <user_id> --role <role_name>

Similarly, you can assign a role to a user group:

$ hammer user-group add-role --id <usergroup_id> --role <role_name>