Managing user access in Private Automation Hub

Red Hat Ansible Automation Platform 2.4

Define user access for private automation hub

Red Hat Customer Content Services

Abstract

This guide provides instructions to create groups for your automation hub users, provide them with appropriate system permissions, or allow view-only access to unauthorized users.

Preface

Configure user access in Automation Hub to provide the appropriate level of system permissions to groups in your organization, or provide view-only access to unauthorized users.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Providing feedback on Red Hat documentation

We appreciate your feedback on our technical content and encourage you to tell us what you think. If you’d like to add comments, provide insights, correct a typo, or even ask a question, you can do so directly in the documentation.

Note

You must have a Red Hat account and be logged in to the customer portal.

To submit documentation feedback from the customer portal, do the following:

  1. Select the Multi-page HTML format.
  2. Click the Feedback button at the top-right of the document.
  3. Highlight the section of text where you want to provide feedback.
  4. Click the Add Feedback dialog next to your highlighted text.
  5. Enter your feedback in the text box on the right of the page and then click Submit.

We automatically create a tracking issue each time you submit feedback. Open the link that is displayed after you click Submit and start watching the issue or add more comments.

Chapter 1. Configuring user access for your local Automation Hub

1.1. About user access

You can manage user access to content and features in Automation Hub by creating groups of users that have specific permissions.

1.1.1. How to implement user access

User access is based on managing permissions to system objects (users, groups, namespaces) rather than by assigning permissions individually to specific users.

You assign permissions to the groups you create. You can then assign users to these groups. This means that each user in a group has the permissions assigned to that group.

Groups created in Automation Hub can range from system administrators responsible for governing internal collections, configuring user access, and repository management to groups with access to organize and upload internally developed content to Automation Hub.

1.1.2. Default user access

When you install Automation hub, the default admin user is created in the Admin group. This group is assigned all permissions in the system.

1.1.3. Getting started

Log in to your local Automation Hub using credentials for the admin user configured during installation.

The following sections describe the workflows associated with organizing your users who will access Automation Hub and providing them with required permissions to reach their goals. See the permissions reference table for a full list and description of all permissions available.

1.2. Creating a new group

You can create and assign permissions to a group in automation hub that enables users to access specified features in the system. By default, there is an admins group in automation hub that has all permissions assigned and is available on initial login with credentials created when installing automation hub.

Prerequisites

  • You have groups permissions and can create and manage group configuration and access in automation hub.

Procedure

  1. Log in to your local automation hub.
  2. Navigate to User AccessGroups.
  3. Click Create.
  4. Provide a Name and click Create.

You can now assign permissions and add users on the group edit page.

1.3. Assigning permissions to groups

You can assign permissions to groups in automation hub that enable users to access specific features in the system. By default, new groups do not have any assigned permissions. You can add permissions upon initial group creation or edit an existing group to add or remove permissions

Prerequisites

  • You have Change group permissions and can edit group permissions in automation hub.

Procedure

  1. Log in to your local automation hub.
  2. Navigate to User AccessRoles.
  3. Click Add roles.
  4. Click in the name field and fill in the role name.
  5. Click in the description field and fill in the description.
  6. Complete the Permissions section.
  7. Click in the field for each permission type and select permissions that appear in the list.
  8. Click Save when finished assigning permissions.
  9. Navigate to User AccessGroups.
  10. Click on a group name.
  11. Click on the Access tab.
  12. Click Add roles.
  13. Select the role created in step 8.
  14. Click Next to confirm the selected role.
  15. Click Add to complete adding the role.

The group can now access features in automation hub associated with their assigned permissions.

1.4. Creating a new user

You can create a user in Automation Hub and add them to groups that can access features in the system associated by the level of assigned permissions.

Prerequisites

  • You have user permissions and can create users in Automation Hub.

Procedure

  1. Log in to your local Automation Hub.
  2. Navigate to User Access.
  3. Click Create user.
  4. Provide information in each of the fields. Username and Password are required.
  5. [Optional] Assign the user to a group by clicking in the Groups field and selecting from the list of groups.
  6. Click Save.

The new user will now appear in the list on the Users page.

1.5. Creating a super user

You can create a super user in automation hub and spread administration work across your team.

Prerequisites

  • You have Super user permissions and can create users in automation hub.

Procedure

  1. Log in to your local automation hub.
  2. Navigate to User Access.
  3. Click Users.
  4. Select the user you want to be a super user to see the User details page.
  5. Select Super User under User type.

The user now has Super user permissions.

1.6. Adding users to groups

You can add users to groups when creating a group or manually add users to existing groups. This section describes how to add users to an existing group.

Prerequisites

  • You have groups permissions and can create and manage group configuration and access in automation hub.

Procedure

  1. Log in to automation hub.
  2. Navigate to User AccessGroups.
  3. Click on a Group name.
  4. Navigate to the Users tab, then click Add.
  5. Select users to add from the list and click Add.

You have added the users you selected to the group. These users now have permissions to use automation hub assigned to the group.

1.7. Creating a new group for content curators

You can create a new group in automation hub designed to support content curation in your organization that contributes internally developed collections for publication in automation hub.

This section shows you how to create a new group and assign the required permissions to help content developers create namespaces and upload their collections to automation hub.

Prerequisites

  • You have administrative permissions in automation hub and create groups.

Procedure

  1. Log in to your local automation hub.
  2. Navigate to User AccessGroups and click Create.
  3. Enter Content Engineering as a Name for the group in the modal and click Create. You have created the new group and the Groups page appears.
  4. On the Permissions tab, click Edit.
  5. Under Namespaces, add permissions for Add Namespace, Upload to Namespace and Change Namespace.

  6. Click Save.

    The new group is created with the permissions you assigned. You can then add users to the group.

  7. Click the Users tab on the Groups page.
  8. Click Add.
  9. Select users from the modal and click Add.

Conclusion

You now have a new group who can use automation hub to:

  • Create a namespace.
  • Edit the namespace details and resources page.
  • Upload internally developed collections to the namespace.

1.8. Automation Hub permissions

Permissions provide a defined set of actions each group performs on a given object. Determine the required level of access for your groups based on the following permissions:

Table 1.1. Permissions Reference Table

ObjectPermissionDescription

collection namespaces

Add namespace

Upload to namespace

Change namespace

Delete namespace

Groups with these permissions can create, upload collections, or delete a namespace.

collections

Modify Ansible repo content

Delete collections

Groups with this permission can move content between repositories using the Approval feature, certify or reject features to move content from the staging to published or rejected repositories, abd delete collections.

users

View user

Delete user

Add user

Change user

Groups with these permissions can manage user configuration and access in automation hub.

groups

View group

Delete group

Add group

Change group

Groups with these permissions can manage group configuration and access in automation hub.

collection remotes

Change collection remote

View collection remote

Groups with these permissions can configure remote repository by navigating to CollectionsRepo Management.

containers

Change container namespace permissions

Change containers

Change image tags

Create new containers

Push to existing containers

Delete container repository

Groups with these permissions can manage container repositories in automation hub.

remote registries

Add remote registry

Change remote registry

Delete remote registry

Groups with these permissions can add, change, or delete remote registries added to automation hub.

task management

Change task

Delete task

View all tasks

Groups with these permissions can manage tasks added to Task Management in automation hub.

1.9. Deleting a user from automation hub

When you delete a user account, the name and email of the user are permanently removed from automation hub.

Prerequisites

  • You have user permissions in automation hub.

Procedure

  1. Log in to automation hub.
  2. Navigate to User Access.
  3. Click Users to display a list of the current users.
  4. Click the More Actions icon icon beside the user that you want to remove, then click Delete.
  5. Click Delete in the warning message to permanently delete the user.

Chapter 2. Enabling view-only access for your private automation hub

By enabling view-only access, you can grant access for users to view collections or namespaces on your private automation hub without the need for them to log in. View-only access allows you to share content with unauthorized users while restricting their ability to only view or download source code, without permissions to edit anything on your private automation hub.

Enable view-only access for your private automation hub by editing the inventory file found on your Red Hat Ansible Automation Platform installer.

  • If you are installing a new instance of Ansible Automation Platform, follow these steps to add the automationhub_enable_unauthenticated_collection_access and automationhub_enable_unauthenticated_collection_download parameters to your inventory file along with your other installation configurations:
  • If you are updating an existing Ansible Automation Platform installation to include view-only access, add the automationhub_enable_unauthenticated_collection_access and automationhub_enable_unauthenticated_collection_download parameters to your inventory file then run the setup.sh script to apply the updates:

Procedure

  1. Navigate to the installer.

    Bundled installer
    $ cd ansible-automation-platform-setup-bundle-<latest-version>
    Online installer
    $ cd ansible-automation-platform-setup-<latest-version>
  2. Open the inventory file with a text editor.

  3. Add the automationhub_enable_unauthenticated_collection_access and automationhub_enable_unauthenticated_collection_download parameters to the inventory file and set both to True, following the example below: 

    [all:vars]

automationhub_enable_unauthenticated_collection_access = True 1
automationhub_enable_unauthenticated_collection_download = True 2
    1
    Allows unauthorized users to view collections
    2
    Allows unathorized users to download collections
  4. Run the setup.sh script. The installer will now enable view-only access to your automation hub.

Verification

Once the installation completes, you can verify that you have view-only access on your private automation hub by attempting to view content on your automation hub without logging in.

  1. Navigate to your private automation hub.
  2. On the login screen, click View only mode.

Verify that you are able to view content on your automation hub, such as namespaces or collections, without having to log in.

Legal Notice

Copyright © 2023 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.