2 Setting Up Permissions for Organizations, Teams, and Users

This chapter describes how Oracle Linux Automation Manager enables administrators to create organizations, teams, and users where permissions can be allocated at each level. These permissions are based on role-based access controls.

Note:

You can integrate the Oracle Linux Automation Manager access levels discussed in this chapter with external identity management services, such as LDAP. Note that LDAP user account information does not appear in Oracle Linux Automation Manager until after the LDAP user account first logs in to Oracle Linux Automation Manager. See Oracle Linux Automation Manager 2: Administrator's Guide for more information about LDAP authentication and mappings for users, teams, and organizations.

Each level has the following functions:

  • Organizations: Administrators can specify which organizations can run a playbook on which inventory by associating an organization with a project and an inventory. An organization can specify multiple projects and inventories, but each project and inventory can specify only one organization.

  • Teams: A team belongs to one organization and a team can specify default permissions that apply to any user assigned to the team.

  • Users: A user can belong to one or more organizations or teams. Administrators can create the following types of users:

    • System Administrator

      By default, a system administrator has system-wide administrator privileges.

    • System Auditor

      By default, a system auditor has read-only access for auditing purposes.

    • Normal User

      By default, a normal user has limited privileges. However, a normal user can be assigned high-privilege roles, such as Admin, or Project Admin, for a specific resource type.

      For example, you might create a normal user called Payroll_Engineer and assign that user the Admin system role on the organization resources called Payroll_Organization and Finance_Organization. In addition, you might also assign the Payroll_Engineer user the Admin system role on a team resource called Payroll_Team.

      Thus, a user may have different permissions depending on which resource type they are working with.

    Note:

    • For purposes of security, Oracle recommends following the principle of least privilege when setting up user access.
    • For the purpose of illustration, in this book we ask that you follow the examples with a system administrator account, because this allows the examples to cover the features available in Oracle Linux Automation Manager.

    The following table describes the different roles available within each resource in Oracle Linux Automation Manager.

    Table 2-1 Role-Based Access Control Role Descriptions

    | Resource Type          | System Role                 | Description |
    |------------------------|-----------------------------|-------------|
    | Job Templates          | Admin                       | Manages all aspects of the job template. |
    |                        | Executive                   | Runs the job template. |
    |                        | Read                        | Views settings for the job template. |
    | Workflow Job Templates | Admin                       | Manages all aspects of the workflow job template. |
    |                        | Executive                   | Runs the workflow job template. |
    |                        | Read                        | Views settings for the workflow job template. |
    |                        | Approve                     | Can approve or deny a workflow approval node. |
    | Credentials            | Admin                       | Manages all aspects of the Credential. |
    |                        | Use                         | Use the credential in a job template. |
    |                        | Read                        | Views settings for the credential. |
    | Inventories            | Admin                       | Manages all aspects of the inventory. |
    |                        | Update                      | Updates the inventory. |
    |                        | Ad Hoc                      | Runs ad hoc commands on the inventory. |
    |                        | Use                         | Use the inventory in a job template. |
    |                        | Read                        | Views settings for the inventory. |
    | Projects               | Admin                       | Manages all aspects of the project. |
    |                        | Update                      | Updates the project. |
    |                        | Use                         | Use the project in a job template. |
    |                        | Read                        | Views settings for the project. |
    | Organizations          | Admin                       | Manages all aspects of the organization. |
    |                        | Executive                   | Runs the executable resources in the organization. |
    |                        | Project Admin               | Manages all projects in the organization. |
    |                        | Inventory Admin             | Manages all inventories in the organization. |
    |                        | Credential Admin            | Manages all credentials in the organization. |
    |                        | Workflow Admin              | Manages all workflows in the organization. |
    |                        | Notification Admin          | Manages all notifications in the organization. |
    |                        | Job Template Admin          | Manages all job templates in the organization. |
    |                        | Execution Environment Admin | Manages all execution environments in the organization. |
    |                        | Auditor                     | Views all aspects of the organization. |
    |                        | Member                      | Makes user a member of the organization. |
    |                        | Read                        | Views all organization settings. |
    |                        | Approve                     | Approves or denies a workflow approval node. |
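
The following is an added example, not part of Oracle's documentation: a least-privilege review in Python over a constructed set of role assignments, using the role names from Table 2-1 and the rule that a team's permissions apply to every user assigned to the team. The data layout and the names Intern_1, Audit_1, Root_Admin, Payroll_Vault, Run_Payroll and Payroll_Hosts are assumptions made for illustration.

```python
# Added example: least-privilege review of role assignments (constructed data).
# Role names come from Table 2-1; the data layout is hypothetical, not a product export.
HIGH_PRIVILEGE = {
    "Admin", "Project Admin", "Inventory Admin", "Credential Admin", "Workflow Admin",
    "Notification Admin", "Job Template Admin", "Execution Environment Admin",
}
USERS = {  # user name -> user type
    "Payroll_Engineer": "Normal User", "Intern_1": "Normal User",
    "Audit_1": "System Auditor", "Root_Admin": "System Administrator",
}
TEAM_MEMBERS = {"Payroll_Team": {"Payroll_Engineer", "Intern_1"}}
ASSIGNMENTS = [  # (grantee kind, grantee, resource type, resource name, role)
    ("user", "Payroll_Engineer", "Organizations", "Payroll_Organization", "Admin"),
    ("user", "Payroll_Engineer", "Organizations", "Finance_Organization", "Admin"),
    ("team", "Payroll_Team", "Credentials", "Payroll_Vault", "Admin"),
    ("team", "Payroll_Team", "Job Templates", "Run_Payroll", "Executive"),
    ("user", "Intern_1", "Inventories", "Payroll_Hosts", "Read"),
]

def effective_roles(user):
    """Return every (resource type, resource, role, source) the user holds,
    counting roles granted directly and roles inherited from team membership."""
    teams = {team for team, members in TEAM_MEMBERS.items() if user in members}
    grants = set()
    for kind, grantee, rtype, name, role in ASSIGNMENTS:
        if kind == "user" and grantee == user:
            grants.add((rtype, name, role, "direct"))
        elif kind == "team" and grantee in teams:
            grants.add((rtype, name, role, "team:" + grantee))
    return grants

def least_privilege_findings():
    """List management roles held by normal users and how each was obtained."""
    findings = []
    for user, user_type in sorted(USERS.items()):
        if user_type != "Normal User":
            continue  # system-wide user types need a separate review
        for rtype, name, role, source in sorted(effective_roles(user)):
            if role in HIGH_PRIVILEGE:
                findings.append((user, rtype, name, role, source))
    return findings

def system_wide_accounts():
    """Accounts whose user type alone grants full read and write access."""
    return sorted(u for u, t in USERS.items() if t == "System Administrator")

if __name__ == "__main__":
    for finding in least_privilege_findings():
        print("REVIEW", *finding)
    print("SYSTEM-WIDE", system_wide_accounts())
```

In this constructed data, Intern_1 has no direct management role, yet the review reports Admin on a credential inherited through Payroll_Team.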

Setting Up Organizations

The Oracle Linux Automation Manager setup requires that you set up at least one Organization resource.

To set up an organization, do the following:

  1. Log in to Oracle Linux Automation Manager with an administrator user account.

  2. Display the left navigation menu if it is not already visible by toggling the Global navigation menu button in the top-left corner of the page.

  3. From the Access section, click Organizations.

    The Organizations page appears.

  4. Click the Add button.

    The Create New Organization page appears.

  5. In the Name field, enter a name for your organization. For example, Organization 1.

  6. From the Instance Groups list, select an instance group for the Organization to run playbooks on.
  7. From the Galaxy Credentials list, select a credential for https://galaxy.ansible.com/ or Private Automation Hub, or both, for accessing collections when running playbooks. When you select more than one credential, Oracle Linux Automation Manager checks each server in the order in which the credentials are added to the Organization.
  8. Click Save.

    The newly created organization is displayed in the Details tab.

  9. Click the Access tab.

  10. Click the Add button.

    The Add Roles dialog appears.

  11. Select the Users option.

  12. Click Next.

  13. Select the check box next to the user accounts you want to add to the organization.

  14. Click Next.

  15. Select the check box next to the roles you want to assign to the users you have selected.

  16. Click Save.

Setting Up Teams

To set up a team, do the following:

  1. Log in to Oracle Linux Automation Manager with an administrator user account.

  2. Display the left navigation menu if it is not already visible by toggling the Global navigation menu button in the top-left corner of the page.

  3. From the Access section, click Teams.

    The Teams page appears.

  4. Click the Add button.

    The Create New Team page appears.

  5. In the Name field, enter a name for your team. For example, Team 1.

  6. In the Organization field, click the search button.

    The Select Organization dialog appears.

  7. From the Organization list, select an organization.

  8. Click Select.

  9. Click Save.

    The newly created team is displayed in the Details tab.

  10. Click the Access tab.

  11. Click the Add button.

    The Add Roles dialog appears.

  12. Select the Users option.

  13. Click Next.

  14. Select the check box next to the user accounts you want to add to the team.

  15. Click Next.

  16. Select the check box next to the roles you want to assign to the users you have selected.

  17. Click Save.

Setting Up Users

To set up a user, do the following:

  1. Log in to Oracle Linux Automation Manager with an administrator user account.

  2. Display the left navigation menu if it is not already visible by toggling the Global navigation menu button in the top-left corner of the page.

  3. From the Access section, click Users.

    The Users page appears.

  4. Click the Add button.

    The Create New User page appears.

  5. Optionally, complete the First Name, Last Name and Email fields.

  6. In the UserName field, enter a user name for your user. For example, User1.

  7. In the Password field, enter a password.

  8. In the Confirm Password field, reenter the password.

  9. From the User Type, select one of the following user types:
    • Normal User: You can limit users' read and write access to the resources (such as inventory, projects, and so on) based on roles and privileges.

    • System Auditor: You can limit users to read-only permissions for all objects within Oracle Linux Automation Manager.

    • System Administrator: You can allow full system administration privileges (full read and write) for all objects within Oracle Linux Automation Manager.

  10. In the Organization field, click the search button.

    The Select Organization dialog appears.

  11. From the organization list, select an organization.

  12. Click Select.

  13. Click Save.

    The newly created organization is displayed in the Details tab.

  14. Click the Organizations button.

    All organizations that the user is part of appear in the list. This is a read-only page.

  15. Click the Teams tab.

  16. Click the Associate button.

    The Select Teams page appears.

  17. Select the check box next to the user teams you want to associate with the user.

  18. Click Save.

  19. Click the Roles tab.

  20. Click the Add button.

    The Add User Permissions dialog displays.

  21. Select one of the following resource types:
    • Job Templates

    • Workflow job templates

    • Credentials

    • Inventories

    • Projects

    • Organizations

  22. Click Next.

    The available options of the resource type you have selected are displayed. For example, if you have selected Job templates, then all available job templates appear.

  23. Select the check box next to each resource item you want to add to the user.

  24. Click Next.

    The available roles you can apply to the resources you have selected are displayed.

  25. Select the check box next to each role you want to apply to the resources you have selected.

    Note:

    The roles you opt to apply are applied to all the resources you have selected.

    For more information about available roles by resource type, see Setting Up Permissions for Organizations, Teams, and Users.

  26. Click Save.