Mimic System Group Administrator Role with Active Directory as LDAP Authentication Backend

Red Hat customers using Satellite 5 rely on its “System Groups” and “System Group Administrator” functionality: only designated users are allowed to manage a given group of systems (a system group).

With Satellite 6’s role-based access, however, the “System Group Administrator” role does not exist. Customers transitioning to Satellite 6 often wish to replicate the system-group functionality they had in Satellite 5.

This document attempts to address that. Note that it is not a complete or perfect role setup, because of the complexity of permissions, resources and their relationships within Satellite 6, but it works well for the purpose of limiting a group of users’ management access to a group of systems.

Prerequisites

  • A working LDAP authentication with Active Directory has been set up.

  • Well-defined users and groups in AD. In our example, Starfleet divisions are used for grouping. There are three groups: Command, Operations and Sciences.

Procedure

Step 1: Host Collections

  • Create the needed Host Collections (the Satellite 6 equivalent of a Satellite 5 System Group) and populate them with the desired systems.
  • For simplicity and as an example, Host Collections are grouped like the AD user groups and prefixed with “hc-”. They are hc-command, hc-operations and hc-sciences.

Step 2: Roles and Filters

  • Create the needed Roles and their associated Filters.
  • This is the most important step, and the one that actually sets up the permissions.
  • For simplicity and as an example, Roles are grouped like the AD user groups and prefixed with “role-”. They are role-command, role-operations and role-sciences.
  • Adjust which permissions the role should have, and what it can see, to your preference. The setup shown above is a good working example.
  • Brief explanations of the Resources and Permissions:
  1. Organization (view_organizations): Mandatory. All or most resources live under an organization, so without the view permission many things do not work.
  2. (Miscellaneous), Bookmark, Config report, Report: These mostly allow the role to view various statuses and reports; nice to have.
  3. Satellite tasks/task (view_foreman_tasks): This allows the role to see the tasks it has kicked off, restricted to the current user’s own tasks by a search filter.
  4. Content Host, Host, Host Collections: These are the important permissions that allow the role to act on the systems it is allowed to manage. Note that the view permissions alone are not enough; the edit permissions on these resources are needed to perform actions. These permissions are also limited by a search filter on the host_collection parameter. For role-command, host_collection is limited to the hc-command collection created in Step 1, which effectively allows only the systems in Host Collection hc-command to be managed by Role role-command.
  5. Job invocation, Job template, Template invocation: These permissions allow the role to kick off jobs on those systems with built-in or custom job templates.

Step 3: User Groups

  • Create the needed internal User Groups.
  • The important points are to associate each User Group with the preferred Role and to link it to the desired external (AD) group.
  • For simplicity and as an example, User Groups are grouped like the AD user groups and prefixed with “ug-”. They are ug-command, ug-operations and ug-sciences.
  • For ug-command, role-command is associated with it. Thus User Group ug-command effectively has the permissions of Role role-command.
  • For ug-command, the external group Command from AD is linked to it.
  • Thus, when any member of the AD group Command logs into Satellite, the user belongs to this User Group and a user account is created automatically. Because the User Group is associated with role-command, the user inherits the permissions of role-command.

 

Thus, effectively, a role whose search filter is limited to a specific host collection achieves the “System Group Administrator” function of Satellite 5.

