Use tower_user for organization admin user

Hello

I’m using awx collection to manage our AWX platform.
I have an issue when an organisation admin wants to create a user with tower_user.

He received this error “You don’t have permission to POST to /api/v2/users/ (HTTP 403).” as he can’t specify the organisation. The API call is not done to the organisation level.
Is there a workaround for organisation admin to create user using awx collection ?

Regards

Mickael

Hi Mickael

Are you trying to create a user in another organisation that the admin user is not part of? That is not allowed, as it’s considered a security loophole (that’s why you can’t specify an org).

Phil.

Hi

Here is a simple task showing what I am trying to do:

- name: AWX configuration
  hosts: localhost
  environment:
    TOWER_USERNAME: test
    TOWER_PASSWORD: testtest
    TOWER_HOST: https://XXXXXXXXX/
    TOWER_VERIFY_SSL: "false"
  collections:
    - awx.awx
    - community.general
  tasks:
    - name: Add tower user
      tower_user:
        username: jdoe
        password: foobarbaz
        email: jdoe@example.org
        first_name: John
        last_name: Doe
        state: present

I received this error:

TASK [Add tower user] ******************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "You don't have permission to POST to /api/v2/users/ (HTTP 403)."}

The user test is not a system administrator, but he is an organisation admin of a test organisation.

The module tower_user doesn’t have any organisation parameter. It does an API call to /api/v2/users/, and this API creates a user that is not a member of any organisation.

I would like our organisation admin to use awx.tower_user instead of the GUI, but it seems that this is not possible.
Any idea?

Regards
Mickael

I can’t get environment to behave properly; this may be a bug or a design omission in the module.
Use a config file as per the module documentation and it’ll work.
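As an added illustration of the config-file approach suggested above (example written for this thread, not code from the original posters or from the awx.awx collection): the awx.awx modules accept a tower_config_file parameter pointing at an INI file with a [general] section holding host, username, password and verify_ssl. The host, the credentials, the file path ~/.awx_cfg and the user fields are placeholders. The file is written with owner-only permissions and no_log so the credentials do not end up in task output; this only changes how the credentials reach the module, it does not change which API endpoint tower_user calls or what the org admin role is permitted to do.

```yaml
# Added example, not part of the original thread: pass AWX credentials to
# awx.awx modules through a config file instead of TOWER_* environment variables.
# Host, credentials and the config path are assumed placeholders.
- name: AWX configuration via config file
  hosts: localhost
  collections:
    - awx.awx
  vars:
    awx_cfg: "{{ lookup('env', 'HOME') }}/.awx_cfg"   # assumed path
  tasks:
    - name: Write the config file the awx.awx modules read
      copy:
        dest: "{{ awx_cfg }}"
        mode: "0600"          # credentials file: readable by the owner only
        content: |
          [general]
          host = https://awx.example.org/
          username = test
          password = testtest
          verify_ssl = false
      no_log: true            # keep the password out of the play output

    - name: Add tower user
      tower_user:
        tower_config_file: "{{ awx_cfg }}"
        username: jdoe
        password: foobarbaz
        email: jdoe@example.org
        first_name: John
        last_name: Doe
        state: present
```

verify_ssl = false mirrors the TOWER_VERIFY_SSL setting in the playbook earlier in the thread and is only appropriate against a lab instance; for a production controller keep it at true so the credentials are not sent over an unverified TLS connection. Better still, keep the password in an Ansible Vault variable rather than a plaintext literal in the play.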

Yes, it works as the admin user:

TASK [Add tower user] ******************************************************************************************************************************
changed: [localhost]

So I’m assuming the org admin role doesn’t have permissions to hit the API endpoint, only admin.