Setting Up Permissions for Groups, and Users

2 Setting Up Permissions for Groups, and Users

This chapter describes how Private Automation Hub enables administrators to create roles, groups, and users where permissions can be allocated at the group level and defined at the role level. These permissions are based on role-based access controls.

Note:

You can integrate the Private Automation Hub access levels discussed in this chapter with external identity management services, such as LDAP. Note that LDAP user account information doesn't appear in Private Automation Hub until after the LDAP user account first logs in to Private Automation Hub. See Oracle Linux Automation Manager 2.2: Private Automation Hub Installation Guide for more information about LDAP authentication and mappings for users and groups.

You can assign roles that specify which permissions are available to a group, and hence available to all the users within that group. You can add from the predefined roles listed in the following table.

Note:

Additionally, you can create custom roles based one or more of the predefined permissions.

Table 2-1 Role-Based Access Control Role Descriptions

Role	Permissions	Description
galaxy.collection_admin	Add namespace Change namespace Delete namespace Upload to namespace Modify Ansible repo content Delete collection Change collection remote View collection remote	Members of a group with this role can do the following: Create, change, and delete a namespace. Upload a collection to a namespace. Use the Approval feature to certify or reject content in the Staging repository and thus move it to the Publishing or Rejected repositories. Delete collections. Use the Repository Management feature to Configure remote repositories.
galaxy.collection_curator	Modify Ansible repo content Change collection remote View collection remote	Members of a group with this role can do the following: Use the Approval feature to certify or reject content in the Staging repository and thus move it to the Publishing or Rejected repositories respectively. Use the Repository Management feature to Configure remote repositories.
galaxy.collection_namespace_owner	Change namespace Upload to namespace	Members of a group with this role can do the following: Change a namespace. Upload a collection to a namespace.
galaxy.collection_publisher	Add namespace Change namespace Upload to namespace	Members of a group with this role can do the following: Create and change a namespace. Upload a collection to a namespace.
galaxy.content_admin	Add namespace Change namespace Delete namespace Upload to namespace Change collection remote View collection remote Create new containers Change container namespace permissions Change containers Change image tags Push to existing containers Delete container repository Add remote registry Change remote registry Delete remote registry	Members of a group with this role can do the following: Create, change, and delete a namespace. Upload a collection to a namespace. Use the Repository Management feature to Configure remote repositories. Manage container repositories. Add, change, or delete remote registries added to Private Automation Hub.
galaxy.execution_environment_admin	Create new containers Change container namespace permissions Change containers Change image tags Push to existing containers Delete container repository Add remote registry Change remote registry Delete remote registry	Members of a group with this role can do the following: Manage container repositories. Add, change, or delete remote registries added to Private Automation Hub.
galaxy.execution_environment_collaborator	Change containers Change image tags Push to existing containers	Members of a group with this role can do the following: Change existing execution environments.
galaxy.execution_environment_namespace_owner	Change container namespace permissions Change containers Change image tags	Members of a group with this role can do the following: Create and update execution environments under existing container namespaces.
galaxy.execution_environment_publisher	Create new containers Change container namespace permissions Change containers Change image tags Push to existing containers	Members of a group with this role can do the following: Push, and change execution environments.
galaxy.group_admin	Add group Change group Delete group	Members of a group with this role can do the following: View, add, remove and change groups.
galaxy.task_admin	Change task Delete task View all tasks	Members of a group with this role can do the following: View, and cancel any task.
galaxy.user_admin	Add a standard user Change a standard user Delete a standard user View a standard user Note: Only a super user can edit super user accounts. The galaxy.user_admin role's permissions apply to standard users only.	Members of a group with this role can do the following: View, add, remove and change users.
galaxy.collection_remote_owner	View collection remote Add collection remote Change collection remote Delete collection remote Manage remote roles	Members of a group with this role can manage collection remotes.
galaxy.ansible_repository_owner	Modify Ansible repo content Sign collections View Ansible repository Add Ansible repository Change Ansible repository Delete Ansible repository Manage repository roles Repair Ansible repository	Members of a group with this role can manage repositories.

Role

Permissions

Description

galaxy.collection_admin

Add namespace

Change namespace

Delete namespace

Upload to namespace

Modify Ansible repo content

Delete collection

Change collection remote

View collection remote

Members of a group with this role can do the following:

Create, change, and delete a namespace.
Upload a collection to a namespace.
Use the Approval feature to certify or reject content in the Staging repository and thus move it to the Publishing or Rejected repositories.
Delete collections.
Use the Repository Management feature to Configure remote repositories.

galaxy.collection_curator

Modify Ansible repo content

Change collection remote

View collection remote

Members of a group with this role can do the following:

Use the Approval feature to certify or reject content in the Staging repository and thus move it to the Publishing or Rejected repositories respectively.
Use the Repository Management feature to Configure remote repositories.

galaxy.collection_namespace_owner

Change namespace

Upload to namespace

Members of a group with this role can do the following:

Change a namespace.
Upload a collection to a namespace.

galaxy.collection_publisher

Add namespace

Change namespace

Upload to namespace

Members of a group with this role can do the following:

Create and change a namespace.
Upload a collection to a namespace.

galaxy.content_admin

Add namespace

Change namespace

Delete namespace

Upload to namespace

Change collection remote

View collection remote

Create new containers

Change container namespace permissions

Change containers

Change image tags

Push to existing containers

Delete container repository

Add remote registry

Change remote registry

Delete remote registry

Members of a group with this role can do the following:

Create, change, and delete a namespace.
Upload a collection to a namespace.
Use the Repository Management feature to Configure remote repositories.
Manage container repositories.
Add, change, or delete remote registries added to Private Automation Hub.

galaxy.execution_environment_admin

Create new containers

Change container namespace permissions

Change containers

Change image tags

Push to existing containers

Delete container repository

Add remote registry

Change remote registry

Delete remote registry

Members of a group with this role can do the following:

Manage container repositories.
Add, change, or delete remote registries added to Private Automation Hub.

galaxy.execution_environment_collaborator

Change containers

Change image tags

Push to existing containers

Members of a group with this role can do the following:

Change existing execution environments.

galaxy.execution_environment_namespace_owner

Change container namespace permissions

Change containers

Change image tags

Members of a group with this role can do the following:

Create and update execution environments under existing container namespaces.

galaxy.execution_environment_publisher

Create new containers

Change container namespace permissions

Change containers

Change image tags

Push to existing containers

Members of a group with this role can do the following:

Push, and change execution environments.

galaxy.group_admin

Add group

Change group

Delete group

Members of a group with this role can do the following:

View, add, remove and change groups.

galaxy.task_admin

Change task

Delete task

View all tasks

Members of a group with this role can do the following:

View, and cancel any task.

galaxy.user_admin

Add a standard user

Change a standard user

Delete a standard user

View a standard user

Note:

Only a super user can edit super user accounts.

The galaxy.user_admin role's permissions apply to standard users only.

Members of a group with this role can do the following:

View, add, remove and change users.

galaxy.collection_remote_owner

View collection remote

Add collection remote

Change collection remote Delete collection remote

Manage remote roles

Members of a group with this role can manage collection remotes.

galaxy.ansible_repository_owner

Modify Ansible repo content

Sign collections

View Ansible repository

Add Ansible repository

Change Ansible repository

Delete Ansible repository

Manage repository roles

Repair Ansible repository

Members of a group with this role can manage repositories.

Setting Up Users

Private Automation Hub provides the following user types:

The Default admin Super User

When you install Private Automation Hub, a super user with username admin is created for you automatically. The admin account enables you to log in and set up your system, for example by creating users, other super users, groups, and roles as required by your organization. By default, admin does not belong to any group.

Note:

Super users, such as admin, have all system permissions regardless of groups they belong to.

Super Users

Private Automation Hub enables you to use a super user account to create other super users in addition to the default admin user.

Users

Private Automation Hub also enables you to create standard users who do not have super-user privileges.

Note:

Standard users get most permissions by virtue of their group memberships.

For example, if you create standard user standard_user_1, the newly created user will not be able to upload any collections to the namespaces you have in your Private Automation Hub. To enable standard_user_1 to upload collections to existing namespaces, you would need to carry out additional steps similar to the following:

Create group Group_Namespace_Uploaders.
Assign a built-in role, for example galaxy.collection_namespace_owner, that has permissions to upload to a namespace, to group Group_Namespace_Uploaders.
Add standard_user_1 to group Group_Namespace_Uploaders.
Verify standard_user_1 can log on and upload collections to namespaces in Private Automation Hub.

For more information on groups and roles see Setting Up Permissions for Groups, and Users, Setting Up Roles, and Setting Up Groups

To set up a user, do the following:

Log into Private Automation Hub.
From the User Access section, click Users.

The Users page appears.
Click the Create button.

The Create new user page appears.
In the Username field, enter a username.
In the First name field, enter a first name.
In the Last name field, enter a last name.
In the Email field, enter an email address.
In the Password field, enter a password.

Note:
The password must contain at least 9 characters, and include special characters , ex <!@$%>. Avoid using common names or expressions.
In the Password confirmation field, repeat the password.
From the Groups list, select one or more groups.
Click the User type button if you want the user to have super-user privileges.
Click Save.

Setting Up Roles

To create custom roles based on permissions associated to the predefined roles, do the following:

Log into Private Automation Hub.
From the User Access section, click Roles.

The Roles page appears listing all available predefined and custom roles.
Click the Add roles button.

The Create a new role page appears.
In the Name field, enter a role name. The name must begin with the word galaxy. and can contain only letters and numbers.
In the Description field, enter a description of the role.
In the permissions area, select one or more permissions from one or more of the predefined permissions.
Click Save.
Your newly created role is added to the list on the Roles page.

Setting Up Groups

To create a group, do the following:

Log into Private Automation Hub.
From the User Access section, click Groups.

The groups page appears.
Click the Create button.

The Create a group dialog appears.
In the Name field, enter a name for your group.
Click Create.
A new page for the group appears.
Click the Access tab.
Click Add roles.
The Add roles dialog appears.
From the Select roles area, select from the list of roles that define the permissions available to users associated to this group. For more information about the predefined roles, see Setting Up Permissions for Groups, and Users. For more information about custom roles, see Setting Up Roles.
Click Next.
The Preview page appears.
Click Add.
The group page appears.
Click the Users tab.
A list of users associated to the group appears. As this group is newly created, no users are listed.
Click Add.
The Add selected users to group dialog appears.
From the list, select one or more user.
Click Add.
The users you have added now appear in the Users tab.