4.4. Granular Permission Filtering

As mentioned in Section 4.3.2, “Adding Permissions to a Role”, Red Hat Satellite provides the ability to limit the configured user permissions to selected instances of a resource type. These granular filters are queries to the Satellite database and are supported by the majority of resource types.
To create a granular filter, specify a query in the Search field on the Edit Filter page. Deselect the Unlimited check box for the field to be active. Queries have the following form:
field_name operator value
  • field_name marks the field to be queried. The range of available field names depends on the resource type. For example, the Partition Table resource type offers family, layout, and name as query parameters.
  • operator specifies the type of comparison between field_name and value. See Table 4.2, “Supported Operators for Granular Search” for an overview of applicable operators.
  • value is the value used for filtering. This can be for example a name of an organization. Two types of wildcard characters are supported: underscore (_) provides single character replacement, while percent sign (%) replaces zero or more characters.
For most resource types, the Search field provides a drop-down list suggesting the available parameters. This list appears after placing the cursor in the search field. For many resource types, it is also possible to combine the queries by using the and and or operators.
For example, the following query applies any permissions specified for the Host resource type only to hosts in the group named host-editors.
hostgroup = host-editors
You can also limit permissions to a selected environment. To do so, specify the environment name in the Search field, for example:
As an administrator, you can allow selected users to make changes in a certain part of the environment path. The above filter allows you to work with content while it is in the development stage of the application life cycle, but the content becomes inaccessible once is pushed to production.


Satellite does not apply search conditions to create actions. For example, limiting the create_locations action with name = "Default Location" expression in the search field will not prevent the user from assigning a custom name to the newly created location.
You can limit user permissions to a certain organization or location with use of the permission filter. However, resource types provide a GUI alternative in form of Locations and Organizations tabs. On these tabs, you can select from the list of available organizations and locations. See Example 4.1, “Creating an Organization-specific Manager Role”.

Example 4.1. Creating an Organization-specific Manager Role

This example shows how to create a manager role restricted to a single organization named org-1.
  1. Navigate to AdministerRoles.
  2. Clone the existing Manager role. Select Clone from the drop-down list next to the Filters button. You are then prompted to insert a name for the cloned role, for example org-1 Manager.
  3. Click Filters next to org-1 Manager to view the filters associated with the role. All filters are marked as unlimited.
  4. For each filter, click Edit.
  5. If the filter contains the Organizations tab, navigate to it. Otherwise it is a global setting that cannot be limited.
  6. On the Organizations tab, select org-1. Click Submit.
  7. The restricted filters are no longer marked as unlimited. Users assigned with the org-1 Manager role can now perform management tasks only in the selected organization.