In Red Hat Satellite 5, the "System Groups" and "System Group Administrator" functionality lets only specified users manage certain groups of systems (system groups).
With Satellite 6's role-based access, however, the "System Group Administrator" role does not exist. Often, customers wish to replicate the system-group functionality they have in Satellite 5 when they transition to Satellite 6.
This document attempts to address this. Note that it is not a complete, perfect role setup, due to the complexity of permissions, resources, and their relationships within Satellite 6, but it works well for limiting a group of users' management access to a group of systems.
Prerequisites
- Working LDAP authentication with Active Directory has been set up.
- Well-defined users and groups in AD. In our example, let's use Starfleet divisions for grouping. There are 3 groups: Command, Operations and Sciences.
Procedure
Step 1: Host Collections
- Create the needed Host Collections (i.e., System Groups in Satellite 5) and populate them with the desired systems.
- For simplicity, in this example the Host Collections are named after the AD user groups and prefixed with "hc-": hc-command, hc-operations and hc-sciences.
Step 2: Roles and Filters
- Create the needed Roles and their associated Filters.
- This is the most important step and the main step that sets up the permissions.
- For simplicity, in this example the Roles are named after the AD user groups and prefixed with "role-": role-command, role-operations and role-sciences.
- Adjust the permissions the role has, and what it can see, to your preference. The above is a good working example.
- Brief Resource and Permissions explanations:
  - Organization (view_organizations): Must have. Since it seems all or most resources are under an organization, the view permission is needed or else many things don't work.
  - (Miscellaneous), Bookmark, Config report, Report: These mostly allow the role to view various statuses and reports, as a nice thing to have.
  - Satellite tasks/task (view_foreman_tasks): This allows the role to see the tasks it has kicked off, limited by a search filter to the current_user's tasks only.
  - Content Host, Host, Host Collections: These are the important permissions that allow the role to perform actions on the systems it is allowed to manage. Note that view permissions alone are not enough; edit permissions are also needed on these resources to allow performing actions. These permissions are also limited by a search filter via the host_collection parameter. For role-command, the host_collection parameter is limited to the hc-command collection created before. Thus, only the systems in Host Collection hc-command can be managed by Role role-command.
  - Job invocation, Job template, Template invocation: These permissions allow the role to kick off jobs on systems with built-in or custom job templates.
Step 3: User Groups
- Create the needed internal User Groups.
- The important points are to associate each one with the preferred role and to link it to the desired external group.
- For simplicity, in this example the User Groups are named after the AD user groups and prefixed with "ug-": ug-command, ug-operations and ug-sciences.
- For ug-command, role-command is associated with it. Thus, User Group ug-command has the permissions of Role role-command.
- For ug-command, the external group Command from AD is linked to it.
- Thus, when any member of the AD group Command logs into Satellite, the user belongs to this User Group, and the user account is created automatically. Because this User Group is associated with role-command, the user inherits the permissions of role-command.
Thus, using a role with a limited search filter on a specific host collection achieves the "System Group Administrator" function of Satellite 5.
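The whole setup depends on every Content Host, Host and Host Collections filter carrying the right host_collection search, so the following audit sketch flags filters that were left unscoped or pointed at another collection. It is an added example, not part of the original article or of Satellite; the function names and the dictionary shape used for a filter (`resource`, `permissions`, `search`) are assumptions, and the sample data is constructed.

```python
import re

# Resources the article scopes with a host_collection search (labels as on the page).
SCOPED_RESOURCES = {"Content Host", "Host", "Host Collections"}

# Matches a term such as: host_collection = hc-command  or  host_collection = "hc-command"
TERM = re.compile(r'host_collection\s*=\s*"?([\w.-]+)"?', re.IGNORECASE)


def expected_collection(role_name):
    """Article naming convention: role-command manages hc-command."""
    if not role_name.startswith("role-"):
        raise ValueError(f"role name {role_name!r} does not follow the role- convention")
    return "hc-" + role_name[len("role-"):]


def audit_role(role_name, filters):
    """Return a list of findings; an empty list means every host filter is scoped."""
    want = expected_collection(role_name)
    findings = []
    for f in filters:
        if f["resource"] not in SCOPED_RESOURCES:
            continue  # e.g. Organization is intentionally not scoped by host collection
        search = (f.get("search") or "").strip()
        pinned = TERM.findall(search)
        if not search:
            findings.append(f"{f['resource']}: no search filter, applies to every host")
        elif not pinned:
            findings.append(f"{f['resource']}: search does not constrain host_collection")
        elif set(pinned) != {want}:
            findings.append(f"{f['resource']}: scoped to {sorted(set(pinned))}, expected {want}")
        elif re.search(r"\b(or|not)\b", search, re.IGNORECASE):
            findings.append(f"{f['resource']}: search has or/not logic, review by hand")
    return findings


# Constructed sample: role-command with one filter left unscoped and one mis-pointed.
SAMPLE_FILTERS = [
    {"resource": "Organization", "permissions": ["view_organizations"], "search": None},
    {"resource": "Host", "permissions": ["view_hosts", "edit_hosts"],
     "search": "host_collection = hc-command"},
    {"resource": "Content Host", "permissions": ["view_content_hosts"], "search": ""},
    {"resource": "Host Collections", "permissions": ["view_host_collections"],
     "search": 'host_collection = "hc-sciences"'},
]

if __name__ == "__main__":
    for finding in audit_role("role-command", SAMPLE_FILTERS):
        print(finding)
```

Run against the constructed sample, it reports the empty Content Host search and the Host Collections filter that points at hc-sciences; a filter list exported from a real Satellite would first need mapping into this dictionary shape.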