Red Hat Training

A Red Hat training course is available for Red Hat Satellite

4.3. Creating and Managing Roles

Red Hat Satellite provides a set of predefined roles with permissions sufficient for standard tasks, as listed in Table 4.1, “Predefined Roles Available in Red Hat Satellite”. It is also possible to configure custom roles, and assign one or more permission filters to them. Permission filters define the actions allowed for a certain resource type. Certain Satellite plug-ins create roles automatically.

Table 4.1. Predefined Roles Available in Red Hat Satellite

RolePermissions Provided by Role[a]
Anonymous The set of permissions that every user is granted, irrespective of any other roles.
Discovery manager View, provision, edit, and destroy discovered hosts and manage discovery rules.
Discovery reader View hosts and discovery rules.
Boot disk access Download the boot disk.
Red Hat Access Logs View the log viewer and the logs.
Manager A most extensive set of permissions, the majority of actions from each resource type is enabled.
Edit partition tables View, create, edit and destroy partition tables.
View hosts View hosts.
Edit hosts View, create, edit, destroy, and build hosts.
Viewer A passive role that provides the ability to view the configuration of every element of the Satellite structure, logs, and statistics.
Site manager A restrained version of the Manager role.
Tasks manager View and edit Satellite tasks.
Tasks reader View Satellite tasks.
[a] The exact set of allowed actions associated with predefined roles can be viewed by the privileged user as described in Section 4.3.3, “Viewing Permissions of a Role”.

4.3.1. Creating a Role

The following steps show how to create a role.

Procedure 4.7. To Create a Role:

  1. Navigate to AdministerRoles.
  2. Click New Role.
  3. Provide a Name for the role.
  4. Click Submit to save your new role.
To serve its purpose, a role must contain permissions. After creating a role, proceed to Section 4.3.2, “Adding Permissions to a Role”.


Cloning an existing role is a time-saving method of role creation, especially if you want to create a new role that is a variation of an existing permission set. To clone a role, navigate to AdministerRoles and select Clone from the drop-down list to the right of the role to be copied. Select the name for the new role and alter the permissions as needed.

4.3.2. Adding Permissions to a Role

The following steps show how to add permissions to a role.

Procedure 4.8. To Add Permissions to a Role:

  1. Navigate to AdministerRoles.
  2. Select Add Filter from the drop-down list to the right of the required role.
  3. Select the Resource type from the drop-down list. The (Miscellaneous) group gathers permissions that are not associated with any resource group.
  4. Click the permissions you want to select from the Permission list.
  5. Select whether the permission is Unlimited. This option is selected by default, which means that the permission is applied on all resources of the selected type. When you disable the Unlimited check box, the Search field activates. In this field you can specify further filtering with use of the Red Hat Satellite 6 search syntax. See Section 4.4, “Granular Permission Filtering” for details.
  6. Click Next.
  7. Click Submit to save changes.

4.3.3. Viewing Permissions of a Role

The following procedure shows how to view permissions assigned to an existing role.

Procedure 4.9. To View Permissions Associated with a Role:

  1. Navigate to AdministerRoles.
  2. Click Filters to the right of the required role to get to the Filters page.
The Filters page contains a table of permissions assigned to a role grouped by the resource type. It is also possible to generate a complete table of permissions and actions that you can use on your Satellite system. See Procedure 4.10, “To Create a Complete Permission Table:” for instructions.

Procedure 4.10. To Create a Complete Permission Table:

  1. Ensure that the required packages are installed. Execute the following command on the Satellite Server:
    # yum install tfm-rubygem-foreman*
  2. Start the Satellite console with the following command:
    # foreman-rake console
    Insert the following code into the console:
    f ='/tmp/table.html', 'w')
    result = Foreman::AccessControl.permissions.sort {|a,b| a.security_block <=> b.security_block}.collect do |p|
          actions = p.actions.collect { |a| "<li>#{a}</li>" }
    The above syntax creates a table of permissions and saves it to the /tmp/table.html file.
  3. Press Ctrl+D to exit the Satellite console. Insert the following text at the first line of /tmp/table.html:
    <table border="1"><tr><td>Permission name</td><td>Actions</td><td>Resource type</td></tr>
    Append the following text at the end of /tmp/table.html:
  4. Open /tmp/table.html in a web browser to view the table.

4.3.4. Removing a Role

The following steps show how to remove an existing role.

Procedure 4.11. To Remove a Role:

  1. Navigate to AdministerRoles.
  2. Select Delete from the drop-down list to the right of the role to be deleted.
  3. In an alert box that appears, click OK to delete the role.