Hi all, I am trying to implement permissions for our users and teams. Basically, we have 2 types of users:
engineering: allowed to use/add/edit/delete all elements (credentials, inventories, templates, projects, etc.) in the organization (except those related to users, teams, etc.)
architecture: allowed to view all information, but not add/edit/delete
As I have read so far, permissions to users/teams must be given per object, i.e. allow this team to access this template, etc. But this would require to set the permissions each time a new project or credential is added. I don’t want to give the engineering team organization administrator permissions, as this is done only by the boss. We also use (although I think has nothing to do with this) Azure AD authentication, with team/organization mapping that is working fine (when a user logins, is added to the corresponding organization and team).
Have I missed something, or this is not possible? If yes, could anyone explain how to implement the previous permissions?
Don’t assign permissions on an object by object basis, that sounds really painful. What you can do is create a team in OrgA, assign permissions to the team, and put users into that teams. In this scenario, the users in the team have the team-level access for any existing and any new resources in OrgA.
So I’d say create two teams: Eng, and Arch, Eng has admin rights over stuff like workflows, job templates, credentials, inventories, etc (everything required to use AWX). Arch can read or optionally just execute jobs.
Thanks Uriel, that’s exactly my idea. The problem is how to “Eng has admin rights over stuff like workflows, job templates, credentials”. When I edit the permissions of a team, there is no option to allow a team to access all elements of a given type, with an specific permission; you must select an object and then select the role for that object (see images below). This is what I don’t want to do, as it is painful, as you said.
Oh I see what you mean – try the Organizations tab in the Add Permissions menu. Then select the Org you want to give team permissions to (usually the same Org that the Team is associated with) and select which combo of roles you need. This won’t allow the members of that Team to modify Org settings, but will allow them flexibility to create/delete/update Templates/Credentials/Inventories in that Org. For situation where you want to give someone Org admin access (such as the boss), you’d just want to assign the “Admin” role.
