Roles and permissions. Under construction.
A user's access to the features of Foreman is constrained by the roles and permissions that they are granted. These permissions are also used to restrict the set of hosts and domains that a user is able to access and modify.
Note: a user with global admin enabled is not restricted by the authorization system at all. Global admin is the default for installations that do not have :login: enabled in config/settings.yml.
A logged-in user is granted the Anonymous role plus one or more additional roles. The permissions associated with all of these roles are aggregated, and the union determines the user's final permission set.
Roles may be administered only by a user with global admin privileges.
Roles may be created, deleted and edited on the Roles page. Each role is associated with one or more base permissions.
These base permissions determine the operations that may be performed on the items to which they refer. For simple items, like an architecture, this works as expected. For more complex items, such as the hosts a user is able to operate on, there is an additional layer of security called filtering: when editing a user account there is a section at the bottom that narrows the scope of the granted permissions to a subset of the hosts, domains and host groups.
|Permissions for Architectures, Authentication providers, Environments, External variables, Common parameters, Host groups, Medias, Models, Operating systems, Partition tables, Puppet classes and User groups|
|view|The user is allowed to see this type of object when listing them on the index page|
|create|The user is allowed to create this type of object|
|edit|The user is allowed to edit this type of object|
|destroy|The user is allowed to destroy this type of object|
|Permissions for Domains|
|view|The user is allowed to see a list of domains when viewing the index page|
|create|The user is allowed to create a new domain and will also be able to create domain parameters|
|edit|The user is allowed to edit a domain and will also be able to edit a domain's parameters. If domain filtering is active in their profile then only the filtered domains will be editable|
|destroy|The user is allowed to destroy a domain and will also be able to destroy domain parameters. If domain filtering is active in their profile then only the filtered domains will be deletable|
|Permissions for Hosts|
|Permissions for Users|
|view|The user is allowed to see a list of users when viewing the index page. A user will always be able to see their own account even if they do not have this permission|
|create|The user is allowed to create a new user|
|edit|The user is allowed to edit existing users. A user will always be able to edit their own basic account settings and password|
|destroy|The user is allowed to delete users from the system|
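The following is an added example, not Foreman's own code, that models the rules described on this page in a few dozen lines of Ruby: the Anonymous role plus assigned roles are aggregated into one permission set, a global admin bypasses every check, a domain filter narrows an edit or destroy permission to the filtered domains only, and a user can always view their own account regardless of the view permission. The permission names (view_domains, edit_domains, view_users), the Role and User classes and the domain_filter attribute are hypothetical and chosen for illustration.

```ruby
require 'set'

# A role is just a named set of base permissions (hypothetical names).
Role = Struct.new(:name, :permissions)

# Every logged-in user receives this role in addition to their assigned ones.
ANONYMOUS = Role.new('Anonymous', Set['view_domains', 'view_hosts'])

class User
  attr_reader :login, :roles, :domain_filter

  # admin:          global admin is not restricted by the authorization system at all
  # domain_filter:  nil means "no filter active"; otherwise the set of domain
  #                 names the user's domain permissions are narrowed to
  def initialize(login, roles: [], admin: false, domain_filter: nil)
    @login = login
    @roles = roles
    @admin = admin
    @domain_filter = domain_filter
  end

  def admin?
    @admin
  end

  # Union of the permissions of Anonymous plus every assigned role.
  def effective_permissions
    ([ANONYMOUS] + roles).map(&:permissions).reduce(Set.new, :|)
  end

  # Plain base-permission check, used for simple items like architectures.
  def allowed?(permission)
    admin? || effective_permissions.include?(permission)
  end

  # Base permission plus the filtering layer: with a domain filter active,
  # only domains inside the filter are editable or destroyable.
  def can_edit_domain?(domain_name)
    return true if admin?
    return false unless allowed?('edit_domains')
    domain_filter.nil? || domain_filter.include?(domain_name)
  end

  def can_destroy_domain?(domain_name)
    return true if admin?
    return false unless allowed?('destroy_domains')
    domain_filter.nil? || domain_filter.include?(domain_name)
  end

  # A user can always see their own account, even without view_users.
  def can_view_user?(other_login)
    other_login == login || allowed?('view_users')
  end
end

# Constructed sample data to exercise the rules.
DOMAIN_EDITOR = Role.new('Domain editor', Set['edit_domains'])

def sample_users
  {
    # filtered editor: may edit lab.example only
    alice: User.new('alice', roles: [DOMAIN_EDITOR], domain_filter: Set['lab.example']),
    # Anonymous only: can view domains, cannot edit any
    bob:   User.new('bob'),
    # global admin: never restricted
    root:  User.new('root', admin: true)
  }
end

if __FILE__ == $PROGRAM_NAME
  sample_users.each do |name, u|
    puts "#{name}: view_domains=#{u.allowed?('view_domains')} " \
         "edit lab=#{u.can_edit_domain?('lab.example')} " \
         "edit prod=#{u.can_edit_domain?('prod.example')}"
  end
end
```

The domain filter is applied after the base permission check, so a filter alone never grants anything; it only narrows what a granted permission reaches, which is the least-privilege behaviour the page describes.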