Info on AWX RBAC changes pending release

A few heads-up related to backend changes to the Role-based access control system in AWX, this was merged in:

This was mentioned in some community meetings lately, and I’m excited for it to go out in a release. Key points:

  • This changes the internals of the system in the backend, but adds a compatibility layer so the “old” roles API still exists temporarily
  • The updated UI to use the new system isn’t ready yet, so we are basically shipping the new backend system with the old UI, which will relay on the backwards API support
  • New functionality, specifically custom roles, are possible using direct API clients or the API browser. You can use this, but the presentation in the UI might not be complete.

The main new thing this enables is creating custom roles which can be done via the /api/v2/role_definitions/ endpoint. Then these can only be assigned using the new endpoints, /api/v2/role_user_assignments/ and /api/v2/role_team_assignments/.

If you absolutely don’t want to allow custom roles, you can change the setting ANSIBLE_BASE_ALLOW_CUSTOM_ROLES to False. This is still a file-based setting for now.

The feature I believe will be most useful going forward is the “add” permissions. You could create a custom organization role that allows users to create all (or some) types of resources, and give this for a particular organization. So instead of allowing a user to edit all projects, they can create a new project, and after creating it, they will automatically get admin role just for the objects they created.


We had a major error in the data migration for this. A fix for the issue was merged, and we’ll see about a new release before long.