The multi-tenancy RBAC features of Tower are sufficient to control who can run certain projects on what systems. For instance, you could easily ensure that engineering cannot push to production.
All playbooks are executed via the “awx” filesystem user. For running jobs, Ansible Tower defaults to offering job isolation via Linux namespacing and chroots. This projection ensures jobs can only access playbooks and roles from the Project directory for that job template and common locations such as /opt. Playbooks are not able to access roles, playbooks, or data from other Projects by default.
If you need to disable this projection (not recommended), you can edit /etc/tower/settings.py and set AWX_PROOT_ENABLED to False.
Note
In this scenario, playbooks have access to the filesystem and all that that implies; therefore, users who have access to edit playbooks must be trusted.
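Because disabling the projection widens what any playbook author can reach, it is worth checking the effective value of AWX_PROOT_ENABLED as part of a routine configuration audit. The helper below is an added example, not code from Tower itself; it reads settings.py-style text, treats an absent setting as the Tower default (enabled), lets the last assignment win as Python would, and ignores commented-out lines. The sample settings text is constructed for illustration.

```python
import re
import sys

# Constructed sample settings.py content (illustrative, not a real Tower file).
SAMPLE_SETTINGS_ENABLED = """
# Tower settings (constructed sample)
AWX_PROOT_ENABLED = True
"""

SAMPLE_SETTINGS_DISABLED = """
# AWX_PROOT_ENABLED = True   <- commented out, must be ignored
AWX_PROOT_ENABLED = False
"""

# Matches an uncommented top-level assignment of AWX_PROOT_ENABLED to True or False.
_PROOT_RE = re.compile(r"^\s*AWX_PROOT_ENABLED\s*=\s*(True|False)\b", re.MULTILINE)


def proot_enabled(settings_text: str) -> bool:
    """Return the effective AWX_PROOT_ENABLED value for the given settings.py text.

    Tower defaults to job isolation on, so an absent setting counts as True.
    If the file assigns the setting more than once, the last assignment wins,
    exactly as it would when Python executes the module.
    """
    matches = _PROOT_RE.findall(settings_text)
    if not matches:
        return True
    return matches[-1] == "True"


def audit_isolation(settings_text: str) -> dict:
    """Summarise the isolation setting as an audit finding (hypothetical report shape)."""
    enabled = proot_enabled(settings_text)
    finding = None
    if not enabled:
        finding = ("job isolation disabled: playbooks run by the awx user can reach "
                   "the whole filesystem, so every playbook editor must be trusted")
    return {"AWX_PROOT_ENABLED": enabled, "finding": finding}


if __name__ == "__main__":
    # Usage: python audit_proot.py /etc/tower/settings.py  (path is an assumption)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SETTINGS_DISABLED
    print(audit_isolation(text))
```

Run it against the real settings file on a Tower host to get a one-line finding; run it with no argument to see the result for the constructed disabled sample.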
For credential security, users may choose to upload locked SSH keys and set the unlock password to “ask”. You can also choose to have the system prompt them for SSH credentials or sudo passwords rather than having the system store them in the database.
A role is essentially a collection of permissions and all users receive permissions only through the roles to which they are assigned or through roles they inherit through the role hierarchy. Within an organization, roles are relatively stable, while users and permissions are both numerous and may change rapidly.
Role-Based Access Controls (RBAC) are built into Tower and allow Tower administrators to delegate access to server inventories, organizations, and more. Administrators can also centralize the management of various credentials, allowing end users to leverage a needed token without ever exposing that token to the end user. RBAC controls allow Tower to help you increase security and streamline management.
RBACs are easiest to think of in terms of who or what can see, change, or delete an “object” for which a specific permission is being set.
Users
Views
User records can be viewed by the user who owns the user record, by the Organization Admin (if the user is a part of the organization they are associated with), and by the Super User.
Changes
The user who owns the user record can make changes to that user record, as can the Organization Admin (if the user is a part of the organization they are associated with), and the Super User. Organization Admins can add users to their organizations. Super Users can add users to any organization.
Deletions
The Organization Admin can remove a user if the user is a part of their organization. Super Users can remove any user from any organization as needed.
Organizations
Views
Users who can see an organization must be a member of that organization, must be the Organization Admin for that organization, or a Super User.
Changes
Only Organization Admins (for the particular organization they are associated with) and Super Users can make changes to an organization.
Deletions
Only Organization Admins (for the particular organization they are associated with) and Super Users can remove an organization.
Inventories
Views
Super Users can view any inventory and Organization Admins (for the particular organization they are associated with) can view inventories for their organization. Users or Teams associated with the inventory who have Read, Write, or Administrator privileges can also view the inventory for which they have explicit permission granted.
Changes
Super Users can edit any inventory and Organization Admins (for the particular organization they are associated with) can edit inventories for their organization. Users or Teams associated with the inventory who have Write or Administrator privileges granted can also edit an inventory.
Deletions
Super Users can remove any inventory and Organization Admins (for the particular organization they are associated with) can remove inventories for their organization. Users or Teams associated with the inventory who have the Administrator privilege granted can also remove an inventory.
Ad Hoc Commands
Super Users and Organization Admins (for the particular organization they are associated with) can run ad hoc commands against inventories for their organization. Users or Teams associated with the inventory who have Read, Write, or Administrator privileges granted, with the “Run Ad Hoc Commands” checkmark selected can also remove an inventory.
Inventory Hosts
Views
Anyone who can view an inventory can view hosts assigned to that inventory.
Changes
Super Users can edit any inventory host and Organization Admins (for the particular organization they are associated with) can edit inventory hosts for their organization. Users or Teams associated with the inventory who have Write or Administrator privileges granted can also edit an inventory host.
Deletions
Super Users can remove any inventory host and Organization Admins (for the particular organization they are associated with) can remove inventory hosts for their organization. Users or Teams associated with the inventory who have the Administrator privilege granted can also remove an inventory host.
Inventory Groups
Views
Anyone who can view an inventory can view hosts assigned to that inventory.
Changes
Super Users can edit any inventory group and Organization Admins (for the particular organization they are associated with) can edit inventory groups for their organization. Users or Teams associated with the inventory who have Write or Administrator privileges granted can also edit an inventory group.
Deletions
Super Users can remove any inventory group and Organization Admins (for the particular organization they are associated with) can remove inventory groups for their organization. Users or Teams associated with the inventory who have the Administrator privilege granted can also remove an inventory group.
Inventory Updates
Views
Super Users can view any inventory update and Organization Admins (for the particular organization they are associated with) can view inventory updates for their organization. Users or Teams associated with the inventory with Administrator privileges granted can also see inventory updates.
Deletions
Super Users can remove any inventory update and Organization Admins (for the particular organization they are associated with) can remove inventory updates for their organization. Users or Teams associated with the inventory with Administrator privileges granted can also remove inventory updates.
Credentials
Views
Super Users and Organization Admins (for the particular organization they are associated with) can view credentials. The User or Team which owns the credential can also view it.
Changes
Super Users and Organization Admins (for the particular organization they are associated with) can edit credentials. The User or Team which owns the credential can also edit it.
Deletions
Super Users and Organization Admins (for the particular organization they are associated with) can remove credentials. The User or Team which owns the credential can also remove it.
Teams
Views
Super Users and Organization Admins (for the particular organization they are associated with) can view Teams. The users associated with that Team can also view the Team.
Changes
Super Users and Organization Admins (for the particular organization they are associated with) can edit Teams.
Deletions
Super Users and Organization Admins (for the particular organization they are associated with) can remove Teams or individual team members.
Projects
Views
Super Users and Organization Admins (for projects linked to the organization they are associated with) can view projects. Users or Teams associated with a project can also view that project. Users or Teams granted explicit permission for a project can also view that project, even if they are outside of the organization for which the project is associated.
Changes
Super Users and Organization Admins (for projects linked to the organization they are associated with) can edit projects.
Deletions
Super Users and Organization Admins (for projects linked to the organization they are associated with) can remove projects.
Project Updates
Views
Super Users and Organization Admins (for project updates linked to the organization they are associated with) can view projects. Users or Teams associated with a project can also view that project. Users or Teams granted explicit permission for a project can also view that project, even if they are outside of the organization for which the project is associated.
Changes
Super Users and Organization Admins (for project updates linked to the organization they are associated with) can edit projects.
Deletions
Super Users and Organization Admins (for project updates linked to the organization they are associated with) can remove projects.
Job Templates
Job Templates have three associated actions: Check, Run, and Create.
Views
Super Users and Organization Admins (for job templates linked to the organization they are associated with) can view job templates. Users granted access to view the inventory, project, and credential can view an associated job template. Users with explicit team-based permissions granted during the job template setup can also view an associated job template. If you can see jobs run on the Job Template, you can view the job template.
- System Job Templates: Only Super Users can view.
- Ad hoc commands: Super Users and Organization Admins (for job templates linked to the organization they are associated with) can view ad hoc command job templates. Users and team members with explicit team-based Read permissions granted, along with the ad hoc command flag set, can also view ad hoc command job templates.
Launch
Super Users and Organization Admins (for job templates linked to the organization they are associated with) can launch job templates. Users granted team-based Run or Check level permissions or Users with team-based Create level permissions can launch job templates for which they are associated. If you can view it, you can start it.
- System Job Templates: Only Super Users can launch.
- Ad hoc commands: Super Users and Organization Admins (for job templates linked to the organization they are associated with) can launch ad hoc command job templates. Users and team members with explicit team-based Read permissions granted, along with the ad hoc command flag set, can also launch ad hoc command job templates.
Create
Super Users and Organization Admins (for job templates linked to the organization they are associated with) can create job templates. Users granted a team-based Create level permission can also create a job template.
- System Job Templates: Only Super Users can create.
Deletions
Super Users and Organization Admins (for job templates linked to the organization they are associated with) can remove job templates. Users granted team-based Create level permissions can also remove a job template. Anyone with permission to create a job template also has permission to remove it.
- System Job Templates: Only Super Users can remove.
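The inventory rules above (view with Read or better, edit with Write or better, remove only with Administrator, ad hoc commands gated by the separate checkmark) and the job template rules (view derived from view rights on the linked inventory, project and credential; launch follows view; Create implies remove; System Job Templates are Super User only) compose into a small policy that can be written down and tested. The model below is an added example, not Tower's own authorization code: the Actor, Inventory, Project, Credential and JobTemplate shapes, the grant dictionaries and the organization name "acme" are constructed assumptions chosen to express the page's rules, and the final function checks the page's own opening example, that engineering must not be able to push to production.

```python
from dataclasses import dataclass, field

# Inventory privilege levels named on the page, weakest to strongest.
READ, WRITE, ADMIN = "read", "write", "admin"
_RANK = {READ: 0, WRITE: 1, ADMIN: 2}

@dataclass(frozen=True)
class Actor:
    name: str
    superuser: bool = False
    admin_of: frozenset = frozenset()  # organizations this actor administers
    teams: frozenset = frozenset()     # teams this actor belongs to

    def principals(self):
        """Names a grant can be keyed on: the user plus every team they belong to."""
        return {self.name, *self.teams}

@dataclass
class Inventory:
    org: str
    grants: dict = field(default_factory=dict)  # principal -> (privilege, ad hoc checkmark)

@dataclass
class Project:
    org: str
    associated: frozenset = frozenset()  # users/teams associated or explicitly granted

@dataclass
class Credential:
    org: str
    owner: str  # owning user or team

@dataclass
class JobTemplate:
    org: str
    inventory: Inventory
    project: Project
    credential: Credential
    team_levels: dict = field(default_factory=dict)  # team -> "check" | "run" | "create"
    system: bool = False  # System Job Templates are Super User only

def _org_level(actor, org):
    """Super Users and the organization's admins pass every check for that org."""
    return actor.superuser or org in actor.admin_of

def _inventory_grants(actor, inv):
    return [inv.grants[p] for p in actor.principals() if p in inv.grants]

def _max_privilege(actor, inv):
    return max((_RANK[priv] for priv, _ in _inventory_grants(actor, inv)), default=-1)

def can_view_inventory(actor, inv):
    return _org_level(actor, inv.org) or _max_privilege(actor, inv) >= _RANK[READ]

def can_edit_inventory(actor, inv):
    return _org_level(actor, inv.org) or _max_privilege(actor, inv) >= _RANK[WRITE]

def can_delete_inventory(actor, inv):
    return _org_level(actor, inv.org) or _max_privilege(actor, inv) >= _RANK[ADMIN]

def can_run_ad_hoc(actor, inv):
    # Any Read/Write/Admin grant carrying the checkmark suffices, even when a
    # stronger grant without the checkmark also exists.
    return _org_level(actor, inv.org) or any(flag for _, flag in _inventory_grants(actor, inv))

def can_view_project(actor, proj):
    return _org_level(actor, proj.org) or bool(actor.principals() & proj.associated)

def can_view_credential(actor, cred):
    return _org_level(actor, cred.org) or cred.owner in actor.principals()

def _team_levels(actor, jt):
    return {jt.team_levels[t] for t in actor.teams if t in jt.team_levels}

def can_view_job_template(actor, jt):
    if jt.system:
        return actor.superuser
    if _org_level(actor, jt.org) or _team_levels(actor, jt):
        return True
    # Derived permission: view rights on all three linked objects.
    return (can_view_inventory(actor, jt.inventory)
            and can_view_project(actor, jt.project)
            and can_view_credential(actor, jt.credential))

def can_launch_job_template(actor, jt):
    return can_view_job_template(actor, jt)  # "If you can view it, you can start it."

def can_delete_job_template(actor, jt):
    if jt.system:
        return actor.superuser
    return _org_level(actor, jt.org) or "create" in _team_levels(actor, jt)  # Create implies remove

def engineering_cannot_reach_prod():
    """Constructed check of the page's opening example: engineering must not push to production."""
    eng = Actor("alice", teams=frozenset({"engineering"}))
    prod = Inventory(org="acme", grants={"ops": (ADMIN, True)})
    deploy = JobTemplate("acme", prod, Project("acme", frozenset({"ops"})), Credential("acme", "ops"))
    return not can_launch_job_template(eng, deploy) and not can_run_ad_hoc(eng, prod)
```

The useful property of writing the rules out this way is that a proposed grant can be checked against the intended separation before it is made in Tower: if a change to the grant dictionaries makes engineering_cannot_reach_prod() return False, the grant breaks the separation the page describes.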
Activity Stream
View
Activity Stream information is available as read-only. Users can only see activity on objects for which they have been granted permission to view. If a user cannot see the job template or the organization, they cannot view anything in the activity stream for those two events.
Cleanup Job
Only Super Users can access this activity stream.