Hi Team,
I have been looking at the LDAP to awx mapping in the ldap settings part of AWX 9.x.
I can see how to get crude admin/auditor rights assigned to teams/Orgs and users, for example.
But I’m lost to know if it is possible to map/assign/json-code in the same LDAP configurations, some of the more detailed elements of roles existing in the GUI such as
USE, EXECUTE, READ, UPDATE etc, on users, jobs, inventories, projects, orgs and teams etc as described in https://docs.ansible.com/ansible-tower/latest/html/userguide/projects.html or is this just not possible except with post processing of existing users by the gui?
Is there such a mechanism for specifying RBAC json code in the LDAP settings or I’m I stuck with using the GUI to get my finer grained RBAC completed?
Best Regards,
Nik
Your correct, GUI only. But remember, the GUI is just another consumer of the API. You can use the API in automated scripts to accomplish your finer grained RBAC settings.
I believe the convention is to create mappings between LDAP groups and AWX Teams. Then you can create role permissions at the team level.
In fact, this is the only way you can do things reliably, as trying to set permissions at the USER level will fail until the user has actually logged into AWX for the first time (which causes the account creation).
Personally I make use of the “tower_role” Ansible module to configure roles within an Ansible playbook.
Hi Nik,
You can use the following ansible modules for RBAC management:
https://docs.ansible.com/ansible/latest/modules/list_of_all_modules.html
Cli tools and raw API can be used for unsupported cases.
Konstantin.