
Have you ever wished you could better organize the inventory and define who can access what systems when using Insights? Inventory Groups is a new feature in Red Hat Insights that allows administrators to organize systems by groups and define which users can access them.

Key concepts of Inventory Groups

  • Using inventory groups is not mandatory; your systems can remain ungrouped in the inventory.
  • A system can only be part of 1 inventory group.
  • A group can be used solely to group systems together to better organize the inventory, or in combination with Identity & Access Management (RBAC) to restrict user access.

Why use Inventory Groups

  • Filtering and managing your system inventory across applications
  • Allowing or restricting access to groups of systems for specific users

How to use Inventory Groups to restrict user access on systems

Overall steps

Restricting user access with inventory groups consists of the following steps:

  • Create and populate an inventory group
  • Create or modify a custom user role
  • Create or modify a custom user group
  • Override the built-in Default access group

Our scenario

In the example below, we will walk you through how you can leverage the Inventory Groups feature to restrict user access to a specific subset of systems. In this scenario, we have two teams who manage infrastructure, all rolled into the same organization:

  • Team A
  • Team B

Each of these teams manages infrastructure within its own group in the company and does not have access to the other team's infrastructure. Because of this, it is important that their management tooling provides a similar level of control to comply with their internal processes.

For the sake of simplicity, we are assuming that the configuration for Team A was already taken care of, so we will focus on the steps required for restricting access to systems belonging to Team B:

  • None of the users of Team B are Org Admin within Red Hat Insights.
  • We will grant users of Team B read and write access to the specific systems they are responsible for.
  • After the changes, users of Team B will only be able to see and apply changes to systems they own and will not be able to see other systems in the inventory.
  • By design, Org Admin users will always be able to access all the systems and all inventory groups.

Create the inventory group

1. Navigate to the Inventory section of Red Hat Insights and click on the Groups section

2. Create a new inventory group by clicking on the blue Create group button

3. In our scenario, we will name the inventory group IG - Team B

Insights screenshot to create group

4. Assign the proper systems to the inventory group

After the creation of the group, click on the group itself to bring up its details

Insights screenshot to select group

Click on the Add systems button

Select the systems to be added to the inventory group (you may use a filtering query), then click on Add systems to complete the operation.

Insights screenshot to select systems

At this point we have just created and populated the inventory group for Team B. So in addition to the group for Team A, the inventory should look like this:

Insights screenshot to view inventory groups

With these inventory groups, it’s now possible to navigate within Insights and use the filtering options to show systems from specific inventory groups.

Validate our configuration

Now that our inventory groups are created and systems are assigned, we can validate the configuration in the Inventory. Each system displays the group it is assigned to in the Inventory view. The Group filter can be used to filter the Inventory to display systems belonging to a specific inventory group(s).

Insights screenshot showing a filtered view of the Inventory for a specific inventory group

The Group filter can be used in other applications displaying system inventory. For example, Advisor > Systems, Patch > Systems, Vulnerabilities > Systems, Compliance > Systems and Malware > Systems all offer the Group filtering capability.

Configure the user access

Now that we have taken care of the inventory aspect, the next steps need to be done in the Identity & Access Management section of Red Hat Insights.

The Identity & Access Management section can be accessed by clicking on the cogwheel located on the upper right of Red Hat Insights. 

Insights screenshot to navigate to Identity & Access Management

Create and configure new custom role

A custom user role is where the permissions on the inventory group object are defined.

1. Click on the Roles section

Insights screenshot to navigate to User Access > Roles

2. In the Roles section, click on Create role

 Insights screenshot of Create role button

3. Follow the role creation wizard to populate with the following

Role name and description

  • Role name: UR - Team B
  • Role description: User Role - Team B
Insights screenshot to create role

Add permissions

Use the Application filter to only see the inventory permissions

Insights screenshot to filter permissions for role

In our scenario, we want to grant complete access to both the inventory group object itself and the systems inside it, so we are selecting the 4 following permissions:

  • inventory:hosts:read
  • inventory:hosts:write
  • inventory:groups:read
  • inventory:groups:write
Insights screenshot select permissions for role

More details on the permissions can be found in the Viewing and managing system inventory documentation

Define inventory group access
For each of the permissions added previously, define which inventory group it should be applied to. In our case, all permissions will be applied to IG - Team B

Insights screenshot to define inventory group access for role

Review details

The configuration of the custom role UR - Team B will look like the following:

Insights screenshot to review and submit the role for creation

Click on the Submit button to complete the creation of the role

Create and configure a new user group

A user role cannot be assigned directly to a user. It has to be added to a user group first, and then specific user(s) can be added to this user group.

1. Click on the Groups section of User Access

Insights screenshot to navigate to User Access > Groups

2. In the Groups section, click on Create group

Insights screenshot of Create group button

3. Follow the group creation wizard to populate with the following

Group name and description

  • Group name: UG - Team B
  • Group description: User Group - Team B
Insights screenshot to create group

Add roles

  • Use a filtering query to search for the previously created role: UR - Team B
  • Then select the role and click Next
Insights screenshot to add roles to group

Add members

  • This is where you finally select which user(s) will inherit the permission defined in the user role and granted via the current user group
Insights screenshot to add members to group

Note: Only non-Org Admin users are selected. While it causes no harm to add Org Admin users to this user group, it is not necessary since they will have access regardless.

Review details

  • The configuration of the new user group will look like the following
Insights screenshot to review and submit the group for creation

Click on the Submit button to complete the creation of the user group

Override the Default access user group

By default, all users inherit permissions to the entire inventory via the Inventory Hosts Administrator role granted via the Default access user group.

At this point, we need to override the Default access user group to remove the Inventory Hosts Administrator role from all users. This change will have no effect on the Org Admin users, as they inherit Default admin access, which includes the Inventory Hosts Administrator role.

1. Click on the Groups section of User Access

Insights screenshot to navigate to User Access > Groups

2. Click on the Default access user group to bring up its details

Insights screenshot to select User Access Group

3. Remove the Inventory Hosts Administrator role from the group

Insights screenshot to remove a Role from a Group

Insights screenshot warning the user when removing a Role from a Group

4. Editing the Default access group will automatically change its name to Custom default access.

  • Click on Continue to complete the change
Insights screenshot warning the user that Default access becomes Custom default access once modified
  • Once all the changes are completed, the users of Team B will only have access to their systems.
  • Because we removed the inventory permissions granted to everyone via the Default access user group, users who are not part of Team B will not be able to see any systems.
  • Org Admin users will maintain the access to all systems.
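
Why the Default access override is the step that actually restricts access, shown as an added example: this is a simplified model written for this article, not Red Hat Insights code. The permissions assumed for Inventory Hosts Administrator, the user names and the host names are constructed for illustration.

```python
# Simplified model of the access rules described in this post (an assumption,
# not Insights code). A grant is (permission, scope): scope ALL means every
# system, otherwise it is the set of inventory groups the grant applies to.
ALL = None
# Assumed content of the built-in role: unscoped read/write on all hosts.
INVENTORY_HOSTS_ADMIN = [("inventory:hosts:read", ALL),
                         ("inventory:hosts:write", ALL)]
# The custom role from the walkthrough: four permissions scoped to IG - Team B.
UR_TEAM_B = [(p, {"IG - Team B"}) for p in (
    "inventory:hosts:read", "inventory:hosts:write",
    "inventory:groups:read", "inventory:groups:write")]

# Constructed sample inventory: system -> inventory group (None = ungrouped).
INVENTORY = {"a1.example.com": "IG - Team A", "b1.example.com": "IG - Team B",
             "b2.example.com": "IG - Team B", "misc.example.com": None}

def visible_systems(user, user_groups, default_access_roles):
    """Return the set of systems `user` can read under the modelled rules."""
    if user["org_admin"]:
        return set(INVENTORY)  # Org Admins always see every system
    # Every user inherits the roles attached to the default access group.
    grants = [g for role in default_access_roles for g in role]
    for group in user_groups:
        if user["name"] in group["members"]:
            grants += [g for role in group["roles"] for g in role]
    seen = set()
    for permission, scope in grants:
        if permission == "inventory:hosts:read":
            seen |= {s for s, ig in INVENTORY.items()
                     if scope is ALL or ig in scope}
    return seen

def scenario():
    bob = {"name": "bob", "org_admin": False}      # member of UG - Team B
    carol = {"name": "carol", "org_admin": False}  # in no custom user group
    admin = {"name": "admin", "org_admin": True}
    groups = [{"name": "UG - Team B", "members": {"bob"}, "roles": [UR_TEAM_B]}]
    before = [INVENTORY_HOSTS_ADMIN]  # built-in Default access
    after = []                        # Custom default access, role removed
    return {"bob_before": visible_systems(bob, groups, before),
            "bob_after": visible_systems(bob, groups, after),
            "carol_after": visible_systems(carol, groups, after),
            "admin_after": visible_systems(admin, groups, after)}

if __name__ == "__main__":
    for name, systems in scenario().items():
        print(name, sorted(systems))
```

In this model, the scoped role alone changes nothing for a Team B user, because permissions are additive and the unscoped default grant still applies until it is removed.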

Conclusion

With Inventory groups, you will be able to quickly and efficiently organize your inventory of systems into different groups. The defined groups can be used as filters in the inventory itself, and in all other applications providing a list of systems. Going further, Inventory groups can be used to allow and restrict access to specific users. This is achieved using Role Based Access Control (RBAC) and associating Inventory groups to permissions for a given Role.

Learn more

  • Get an overview: Episode 10 of the Modernizing RHEL Management livestream series focuses on inventory groups.
  • Watch a demo: Red Hat Insights Inventory Groups feature to group systems and use with Role Based Access Control (RBAC) is described in this walk-through video.
  • Read the product documentation: For more details, additional scenarios, and limitations, check out the docs.

About the author

Christian Marineau is a Senior Product Manager for Red Hat Insights. He joined Red Hat in 2016 with a professional background of 12 years in system administration and DevOps for complex environments. He is currently focusing on the Red Hat Insights Remediation service and client tools for Red Hat Enterprise Linux. In his spare time, he enjoys the company of dogs, playing hockey and skiing.
