Chapter 5. Managing Users and Roles

A User defines a set of details for individuals using the system. Users can be associated with organizations and environments, so that when they create new entities, the default settings are automatically used. Users can also have one or more roles attached, which grants them rights to view and manage organizations and environments. See Section 5.1, “Creating and Managing Users” for more information on working with users.

You can manage permissions of several users at once by organizing them into user groups. User groups themselves can be further grouped to create a hierarchy of permissions. See Section 5.2, “Creating and Managing User Groups” for more information on creating user groups.

Roles define a set of permissions and access levels. Each role contains one or more permission filters that specify the actions allowed for the role. Actions are grouped according to the Resource type. Once a role has been created, users and user groups can be associated with that role. This way, you can assign the same set of permissions to large groups of users. Red Hat Satellite provides a set of predefined roles and also enables creating custom roles and permission filters as described in Section 5.3, “Creating and Managing Roles”.

5.1. Creating and Managing Users

For the administrator, Red Hat Satellite provides the ability to create, modify, and remove users. Also, it is possible to configure access permissions through assigning roles to users.

5.1.1. Creating a User

The following steps show how to create a user:

To Create a User:

  1. Navigate to Administer > Users.
  2. Click Create User.
  3. In the Username field, enter the user name for this user to log in to the web UI.
  4. In the First name and Surname fields, enter the real first name and surname of the user.
  5. In the Email address field, enter the user’s email address.
  6. In the Description field, insert a description of the new user.
  7. Optionally, select a specific language for the user from the Language drop-down menu. The default is to attempt to use the language settings of the user’s browser.
  8. Optionally, select a specific time zone for the user from the Timezone drop-down menu. The default is to use the time zone settings of the user’s browser.
  9. Set a password for the user:

    • From the Authorized by drop-down menu, select the source by which the user is authenticated. You can select INTERNAL to enable the user to be managed inside Satellite Server, or configure an external authentication, such as LDAP or IdM as described in Chapter 11, Configuring External Authentication.
    • Enter an initial password for the user in the Password field and verify it in the Verify field.
  10. Click Submit to create the user.
  11. Select the user name to continue configuring the user.
  12. On the Email Preferences tab, select the Mail enabled check box to enable email notifications for the user. Depending on the roles assigned, notification options can be configured here.
  13. On the Locations tab, select locations to be made accessible for this user. If you assign multiple locations to the user, you can select the default location for user login from the Default on login drop-down menu. Otherwise, when the user logs in, the location selection is set to Any Location.
  14. On the Organizations tab, select organizations to be made accessible to this user. If you assign multiple organizations to the user, you can select the default organization for user login from the Default on login drop-down menu. Otherwise, when the user logs in, the organization selection is set to Any Organization.
  15. On the Roles tab, select the required roles for this user.
  16. On the SSH Keys tab, you can add SSH public keys, but only after the user has been saved.
  17. Click Submit to save the changes.

5.1.2. Editing a User

The following steps show how to edit details of an existing user:

To Edit an Existing User:

  1. Navigate to Administer > Users.
  2. Click the user name of the user to be altered. General information about the user appears on the right.
  3. In the User tab, you can modify the user’s user name, first name, surname, email address, default location, default organization, language, and password.
  4. In the Locations tab, you can modify the user’s assigned locations.
  5. In the Organizations tab, you can modify the user’s assigned organizations.
  6. In the Roles tab, you can modify the user’s assigned roles.
  7. Click Save to save your changes.

5.1.3. Assigning Roles to a User

By default, a new user has no roles assigned. The following procedure describes how to assign one or more roles to a user. You can select from predefined roles, or define a custom role as described in Section 5.3.2, “Creating a Role”. You can apply a similar procedure to user groups.

To Assign a Role to a User:

  1. Navigate to Administer > Users. If a newly created user account is not listed, check that you are currently viewing the right organization. To list all users in Satellite, click Default Organization and then Any Organization. The organization view is changed to Any Context.
  2. Click the user name of the user that you want to modify. General information about the user appears on the right.
  3. Click the Locations tab, and select a location if none is assigned.
  4. Click the Organizations tab, and check that an organization is assigned.
  5. Click the Roles tab to display the list of available role assignments.
  6. Select the role you want to assign to the user in the Roles list. The list contains the predefined roles, as well as any custom roles; see Table 5.1, “Predefined Roles Available in Red Hat Satellite”. Alternatively, select the Administrator check box to assign all available permissions to the selected user.
  7. Click Save.

To view the roles assigned to any user, click the Roles tab; the assigned roles are listed under Selected items. To remove a role, click the role name under Selected items.

5.1.4. Adding SSH Keys to a User

The following steps show how to add public SSH keys to an existing user. This allows deployment of SSH keys during provisioning.

To deploy SSH keys during provisioning, see Deploying SSH Keys during Provisioning in the Red Hat Satellite Provisioning Guide.

For information on SSH keys and SSH key creation, see Generating Key Pairs in the Red Hat Enterprise Linux 7 System Administrator’s Guide.

Note

Make sure that you are logged in to the web UI as an Admin user of Red Hat Satellite or a user with the create_ssh_key permission enabled.

To Add SSH Keys to a User:

  1. Copy the content of the public SSH key to the clipboard.
  2. Navigate to Administer > Users.
  3. From the Username column, click on the username.
  4. Select the SSH Keys tab.
  5. Click Create SSH Key.
  6. In the Key field, paste the content of the public SSH key.
  7. In the Name field, enter a name for the SSH key.
  8. Click Submit. A confirmation notification is displayed if your key submission was successful.

5.1.5. Deleting SSH keys from a User

The following steps show how to delete public SSH keys from an existing user.

To Delete SSH Keys from a User:

  1. Log in to the Satellite web UI as Admin or as a user with the destroy_ssh_key permission enabled.
  2. Navigate to Administer > Users.
  3. Click on the username from the Username column.
  4. Select the SSH Keys tab.
  5. Click Delete on the row of the SSH key to be deleted.
  6. Click OK in the confirmation prompt. A confirmation appears to indicate the deletion was successful.

5.1.6. Configuring Email Notifications

Email notification is a per-user setting, with no email notifications enabled by default. If you want email notifications sent to a group’s email address, instead of an individual’s email address, create a user account with the group’s email address and minimal Satellite permissions, then subscribe the user account to the desired notification types.

Important

Satellite Server does not enable outgoing emails by default, therefore you must review your email configuration. For more information, see Configuring Satellite Server for Outgoing Emails in the Red Hat Satellite Installation Guide.

To Configure Email Notifications:

  1. Navigate to Administer > Users.
  2. Click the Username of the user you want to edit.
  3. On the User tab, check the Email address field. Ensure that it contains a valid email address. The address is associated with the user account, and the notifications selected in the following steps are sent there.
  4. Click the Email Preferences tab and select Mail enabled to enable email notifications.
  5. Select the notifications you want the user to receive.

    • Audit summary is a summary of all activity audited by the Satellite Server. To enable these notifications, select the frequency of emails from the drop-down list that offers Daily, Weekly, or Monthly updates. Enter a query in the associated query field to narrow the audit activity included.
    • Host built is a notification sent when a host is built. To enable these notifications, select Subscribe from the drop-down menu.
    • Host errata advisory is a summary of applicable and installable errata for hosts managed by the user. To enable these notifications, select the frequency of emails from the drop-down list that offers Daily, Weekly, or Monthly updates.
    • OpenSCAP policy summary is a summary of OpenSCAP policy reports and their results. To enable these notifications, select the frequency of emails from the drop-down list that offers Daily, Weekly, or Monthly updates.
    • Promote errata is a notification sent only after a Content View promotion. It contains a summary of errata applicable and installable to hosts registered to the promoted Content View. This allows you to monitor what updates have been applied to which hosts. To enable these notifications, select Subscribe from the drop-down menu.
    • Puppet error state is a notification sent after a host reports an error related to Puppet. To enable these notifications, select Subscribe from the drop-down menu.
    • Puppet summary is a summary of Puppet reports. To enable these notifications, select the frequency of emails from the drop-down list that offers Daily, Weekly, or Monthly updates.
    • Sync errata is a notification sent only after synchronizing a repository. It contains a summary of new errata introduced by the synchronization. To enable these notifications, select Subscribe from the drop-down menu.
  6. Click Submit.

Testing Email Delivery

To test email delivery to the email address associated with a user account, open the Satellite web UI, navigate to Administer > Users, click on the user name, click the Email Preferences tab and click Test email. A test email message is then sent immediately to the user’s email address. If it does not arrive, first verify the user’s email address, then the Satellite Server’s email configuration, after which you may need to examine firewall and mail server logs.

Testing Email Notifications

To verify that your subscription to selected email notifications is valid, you can have all periodic notifications sent to you on request. Note that this triggers all notifications scheduled for the specified frequency, and affects all users who have subscribed to them. Sending on-request notifications to individual users is currently not supported.

To trigger the notifications, execute the following command on the Satellite Server:

# foreman-rake reports:frequency

Where frequency stands for a specific time period:

  • daily
  • weekly
  • monthly

5.1.7. Removing a User

The following procedure describes how to remove an existing user.

To Remove a User:

  1. On the main menu, click Administer > Users to open the Users page.
  2. Click the Delete link to the right of the user name you want to delete.
  3. In the alert box, click OK to delete the user.

5.2. Creating and Managing User Groups

With Red Hat Satellite, you can assign permissions to groups of users. You can also create user groups as collections of other user groups. If using an external authentication source, you can map Satellite user groups to external user groups as described in Section 11.4, “Configuring External User Groups”.

User groups are defined in an organizational context, meaning that you must select an organization before you can access user groups.

5.2.1. Creating a User Group

The following procedure shows how to create a user group.

To Create a User Group:

  1. Navigate to Administer > User groups.
  2. Click Create User Group.
  3. On the User group tab, specify the name of the new user group and select group members:

    • Select the previously created user groups from the User Groups list.
    • Select users from the Users list.
  4. On the Roles tab, select the roles you want to assign to the user group. Alternatively, select the Administrator check box to assign all available permissions.
  5. Click Submit.

5.2.2. Removing a User Group

The following procedure shows how to remove an existing user group:

To Remove a User Group:

  1. Navigate to Administer > User groups.
  2. Click Delete to the right of the user group you want to delete.
  3. In the alert box that appears, click OK to delete a user group.

5.3. Creating and Managing Roles

Red Hat Satellite provides a set of predefined roles with permissions sufficient for standard tasks, as listed in Table 5.1, “Predefined Roles Available in Red Hat Satellite”. It is also possible to configure custom roles, and assign one or more permission filters to them. Permission filters define the actions allowed for a certain resource type. Certain Satellite plug-ins create roles automatically.

Table 5.1. Predefined Roles Available in Red Hat Satellite

| Role | Permissions Provided by Role [a] |
|---|---|
| Access Insights Admin | Add and edit Insights rules. |
| Access Insights Viewer | View Insight reports. |
| Boot disk access | Download the boot disk. |
| Compliance manager | View, create, edit, and destroy SCAP content files, compliance policies, and tailoring files. View compliance reports. |
| Compliance viewer | View compliance reports. |
| Create ARF report | Create compliance reports. |
| Default role | The set of permissions that every user is granted, irrespective of any other roles. |
| Discovery Manager | View, provision, edit, and destroy discovered hosts and manage discovery rules. |
| Discovery Reader | View hosts and discovery rules. |
| Edit hosts | View, create, edit, destroy, and build hosts. |
| Edit partition tables | View, create, edit and destroy partition tables. |
| Manager | A role similar to administrator, but does not have permissions to edit global settings. In the Satellite web UI, global settings can be found under Administer > Settings. |
| Organization admin | An administrator role defined per organization. The role has no visibility into resources in other organizations. |
| Red Hat Access Logs | View the log viewer and the logs. |
| Remote Execution Manager | A role with full remote execution permissions, including modifying job templates. |
| Remote Execution User | Run remote execution jobs. |
| Site manager | A restrained version of the Manager role. |
| Tasks manager | View and edit Satellite tasks. |
| Tasks reader | A role that can only view Satellite tasks. |
| Viewer | A passive role that provides the ability to view the configuration of every element of the Satellite structure, logs, reports, and statistics. |
| View hosts | A role that can only view hosts. |
| Virt-who Manager | A role with full virt-who permissions. |
| Virt-who Reporter | Upload reports generated by virt-who to Satellite. It can be used if you configure virt-who manually and require a user role that has limited virt-who permissions. |
| Virt-who Viewer | View virt-who configurations. Users with this role can deploy virt-who instances using existing virt-who configurations. |

[a] The exact set of allowed actions associated with predefined roles can be viewed by the privileged user as described in Viewing Permissions of a Role

5.3.1. Example User Roles

Satellite Administrator
A top level administrator role with access control for all Satellite items, including managed systems and applications.
IT Operations Manager
A read-only role with permissions for viewing Satellite items.
License Management Owner
A task specific role with permissions for managing manifests and subscriptions, including permissions for viewing organizations and reports.
Quality Assurance
An environment and location specific role for testing in a dedicated testing environment but with limited access to items outside that environment.

Table 5.2. Example User Role Configurations

| Role | Resource Type | Permissions | Filters |
|---|---|---|---|
| Satellite Administrator | Ensure the Administrator check box is selected for the user. For more information, see To Assign a Role to a User. | predefined permission set | |
| IT Operations Manager | Viewer | predefined permissions set | |
| License Management Owner | Miscellaneous | access_dashboard, my_organizations, view_statistics | |
| | Products and Repositories | view_products | |
| | Subscription | view_subscriptions, attach_subscriptions, unattach_subscriptions, import_manifest, delete_manifest | |
| | Organization | view_organizations | |
| | Report | view_reports | |
| | Host | view_hosts | |
| Quality Assurance | Organization | view_organizations | |
| | Environment | view_environments, create_environments, edit_environments, destroy_environments, import_environments | |
| | Miscellaneous | view_tasks, view_statistics, access_dashboard | |
| | Host class | edit_classes | |
| | Host Group | view_hostgroups, edit_hostgroups | |
| | Host | view_hosts, create_hosts, edit_hosts, destroy_hosts, build_hosts, power_hosts, console_hosts, ipmi_boot_hosts, puppetrun_hosts | |
| | Location | view_locations | |
| | Puppet class | view_puppetclasses | |
| | Capsule | view_smart_proxies, view_smart_proxies_autosign, view_smart_proxies_puppetca | |
| | Miscellaneous | my_organizations | |
| | Products and Repositories | view_products | |
| | Host class | edit_classes | |
| | Lifecycle Environment | view_lifecycle_environments, edit_lifecycle_environments, promote_or_remove_content_views_to_environments | name ~ QA |
| | Content Views | view_content_views, create_content_views, edit_content_views, publish_content_views, promote_or_remove_content_views | name ~ ccv* |

5.3.2. Creating a Role

The following steps show how to create a role.

To Create a Role:

  1. Navigate to Administer > Roles.
  2. Click New Role.
  3. Provide a Name for the role.
  4. Click Submit to save your new role.

To serve its purpose, a role must contain permissions. After creating a role, proceed to Section 5.3.3, “Adding Permissions to a Role”.

Note

Cloning an existing role is a time-saving method of role creation, especially if you want to create a new role that is a variation of an existing permission set. To clone a role, navigate to Administer > Roles and select Clone from the drop-down list to the right of the role to be copied. Select the name for the new role and alter the permissions as needed.

5.3.3. Adding Permissions to a Role

The following steps show how to add permissions to a role.

To Add Permissions to a Role:

  1. Navigate to Administer > Roles.
  2. Select Add Filter from the drop-down list to the right of the required role.
  3. Select the Resource type from the drop-down list. The (Miscellaneous) group gathers permissions that are not associated with any resource group.
  4. Click the permissions you want to select from the Permission list.
  5. Depending on the Resource type selected, you can select or deselect the Unlimited and Override check boxes. The Unlimited check box is selected by default, which means that the permission is applied to all resources of the selected type. When you clear the Unlimited check box, the Search field activates. In this field, you can specify further filtering by using the Red Hat Satellite 6 search syntax. See Section 5.4, “Granular Permission Filtering” for details. When you select the Override check box, you can add locations and organizations to allow the role to access the resource type in those additional locations and organizations; you can also remove an already associated location or organization from the resource type to restrict access.
  6. Click Next.
  7. Click Submit to save changes.

5.3.4. Viewing Permissions of a Role

The following procedure shows how to view permissions assigned to an existing role.

To View Permissions Associated with a Role:

  1. Navigate to Administer > Roles.
  2. Click Filters to the right of the required role to get to the Filters page.

The Filters page contains a table of permissions assigned to a role, grouped by resource type. It is also possible to generate a complete table of permissions and actions that you can use on your Satellite system. See To Create a Complete Permission Table for instructions.

To Create a Complete Permission Table:

  1. Ensure that the required packages are installed. Execute the following command on the Satellite Server:

    # yum install tfm-rubygem-foreman*
  2. Start the Satellite console with the following command:

    # foreman-rake console

    Insert the following code into the console:

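    # Open the output file for writing
    f = File.open('/tmp/table.html', 'w')

    # Sort the permissions by security block, then build one table row per
    # permission with its name, its actions, and its resource type
    result = Foreman::AccessControl.permissions.sort_by { |p| p.security_block.to_s }.collect do |p|
          actions = p.actions.collect { |a| "<li>#{a}</li>" }
          "<tr><td>#{p.name}</td><td><ul>#{actions.join('')}</ul></td><td>#{p.resource_type}</td></tr>"
    end.join("\n")

    f.write(result)
    # Close the file so that the rows are flushed to disk
    f.close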

    The above syntax creates a table of permissions and saves it to the /tmp/table.html file.

  3. Press Ctrl + D to exit the Satellite console. Insert the following text at the first line of /tmp/table.html:

    <table border="1"><tr><td>Permission name</td><td>Actions</td><td>Resource type</td></tr>

    Append the following text at the end of /tmp/table.html:

    </table>
  4. Open /tmp/table.html in a web browser to view the table.

5.3.5. Removing a Role

The following steps show how to remove an existing role.

To Remove a Role:

  1. Navigate to Administer > Roles.
  2. Select Delete from the drop-down list to the right of the role to be deleted.
  3. In an alert box that appears, click OK to delete the role.

5.4. Granular Permission Filtering

As mentioned in Section 5.3.3, “Adding Permissions to a Role”, Red Hat Satellite provides the ability to limit the configured user permissions to selected instances of a resource type. These granular filters are queries to the Satellite database and are supported by the majority of resource types.

To create a granular filter, specify a query in the Search field on the Edit Filter page. Deselect the Unlimited check box for the field to be active. Queries have the following form:

field_name operator value

Where:

  • field_name marks the field to be queried. The range of available field names depends on the resource type. For example, the Partition Table resource type offers family, layout, and name as query parameters.
  • operator specifies the type of comparison between field_name and value. See Table 5.3, “Supported Operators for Granular Search” for an overview of applicable operators.
  • value is the value used for filtering. This can be, for example, the name of an organization. Two types of wildcard characters are supported: underscore (_) provides single character replacement, while percent sign (%) replaces zero or more characters.

For most resource types, the Search field provides a drop-down list suggesting the available parameters. This list appears after placing the cursor in the search field. For many resource types, it is also possible to combine the queries by using the and and or operators.

For example, the following query applies any permissions specified for the Host resource type only to hosts in the group named host-editors.

hostgroup = host-editors

The following query returns records where the name matches XXXX, Yyyy, or zzzz example strings:

name ^ (XXXX, Yyyy, zzzz)

You can also limit permissions to a selected environment. To do so, specify the environment name in the Search field, for example:

Dev

As an administrator, you can allow selected users to make changes in a certain part of the environment path. The above filter allows you to work with content while it is in the development stage of the application life cycle, but the content becomes inaccessible once it is pushed to production.

Note

Satellite does not apply search conditions to create actions. For example, limiting the create_locations action with the name = "Default Location" expression in the search field does not prevent the user from assigning a custom name to the newly created location.
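
When reviewing roles, the note above means that a search query on a filter that also grants create_* permissions does not restrict those create actions. The following Ruby is an added example, not code from the Satellite documentation or from Foreman: it checks filter records for that case and, as an assumed review policy, also lists destroy_*/delete_* permissions granted without any search query. The FILTERS data is constructed from Table 5.2, the "Location creator" role is hypothetical, and the record layout (role, resource_type, permissions, search) is an assumption of this example.

```ruby
# Constructed sample filters modelled on Table 5.2; nothing is read from a
# Satellite Server. "Location creator" is a hypothetical role that mirrors
# the create_locations case described in the note.
FILTERS = [
  { role: 'Quality Assurance', resource_type: 'Lifecycle Environment',
    permissions: %w[view_lifecycle_environments edit_lifecycle_environments
                    promote_or_remove_content_views_to_environments],
    search: 'name ~ QA' },
  { role: 'Quality Assurance', resource_type: 'Content Views',
    permissions: %w[view_content_views create_content_views edit_content_views
                    publish_content_views promote_or_remove_content_views],
    search: 'name ~ ccv*' },
  { role: 'Quality Assurance', resource_type: 'Host',
    permissions: %w[view_hosts create_hosts edit_hosts destroy_hosts build_hosts],
    search: nil },
  { role: 'Location creator', resource_type: 'Location',
    permissions: %w[create_locations],
    search: 'name = "Default Location"' }
].freeze

# A filter is unlimited when no search query narrows it (Unlimited check box).
def unlimited?(filter)
  filter[:search].to_s.strip.empty?
end

# create_* permissions on a filter that carries a search query: Satellite does
# not apply the query to create actions, so the query does not limit them.
def create_permissions_ignoring_search(filter)
  return [] if unlimited?(filter)

  filter[:permissions].select { |perm| perm.start_with?('create_') }
end

# Assumed review policy (not a Satellite rule): list destroy_*/delete_*
# permissions that are granted without any search query.
def unlimited_destructive_permissions(filter)
  return [] unless unlimited?(filter)

  filter[:permissions].grep(/\A(?:destroy|delete)_/)
end

# Return one finding per filter and issue, for a reviewer to triage.
def review_filters(filters)
  filters.flat_map do |f|
    checks = {
      create_ignores_search: create_permissions_ignoring_search(f),
      unlimited_destructive: unlimited_destructive_permissions(f)
    }
    checks.reject { |_, perms| perms.empty? }.map do |issue, perms|
      { role: f[:role], resource_type: f[:resource_type],
        issue: issue, permissions: perms }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  review_filters(FILTERS).each do |finding|
    puts format('%-18s %-14s %-22s %s', finding[:role], finding[:resource_type],
                finding[:issue], finding[:permissions].join(', '))
  end
end
```

A create_ignores_search finding is a candidate for splitting the create permission into its own filter, so that the search query is not read as a restriction it does not provide.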

You can limit user permissions to a certain organization or location with the use of the granular permission filter in the Search field. However, some resource types provide a GUI alternative, an Override check box that provides the Locations and Organizations tabs. On these tabs, you can select from the list of available organizations and locations. See Example 5.1, “Creating an Organization-specific Manager Role”.

Example 5.1. Creating an Organization-specific Manager Role

This example shows how to create an administrative role restricted to a single organization named org-1.

  1. Navigate to Administer > Roles.
  2. Clone the existing Organization admin role. Select Clone from the drop-down list next to the Filters button. You are then prompted to insert a name for the cloned role, for example org-1 admin.
  3. Click the desired locations and organizations to associate them with the role.
  4. Click Submit to create the role.
  5. Click org-1 admin, and click Filters to view all associated filters. The default filters work for most use cases. However, you can optionally click Edit to change the properties for each filter. For some filters, you can enable the Override option if you want the role to be able to access resources in additional locations and organizations. For example, by selecting the Domain resource type, the Override option, and then additional locations and organizations using the Locations and Organizations tabs, you allow this role to access domains in the additional locations and organizations that are not associated with this role. You can also click New filter to associate new filters with this role.