Hey, was wondering if it was possible for the AWX administrator to “BECOME” another user so I can see what they have access to, and the effect “Permissions/Organizations/Teams” give them.
I don’t want to keep asking “Check now” every time someone wants access to inventory/Job/… and since we are using our Corporate LDAP I can’t just change their password.
So should I presume no feature to test user privileges exists in AWX? And you have to log in as the user?
I’m not aware of anything like that besides logging in as them, but I’d probably look into revising your permissions/team/org map if this is something that’s occurring regularly.
Thanks, that really sucks but I get the implications of having something like that might be too risky.
Ah well, thanks for the response.
This would be an awesome feature Perry! Some design decisions would have to be fleshed out. Would this sort of be an impersonation thing … or would you want a page with a list of verbs that a user can do to a list of objects? Or would you click on an object and then select the user for which you want to know what verbs that user can do? Or something else entirely?
The feature would be great for administration, but the more I think about it, it is very dangerous, so auditing would have to be a lot more.
For example, as an “Administrator” I become another user; I could then execute anything as if I were them.
So you would have to come up with: any action would be verified against a Member user but everything executed as Admin User. Or you could make things read-only to stop changes from being made, or playbooks from being run.
The implementation would be simple: just allow the Admin to bypass Password Authentication of another user. After that you would have full RW as another user.
Ideally this feature should be enabled/disabled so you can Harden the system for production.