Roles and permissions. Under construction.¶
A user's access to the features of Foreman are constrained by the roles and permissions that they are granted. These permissions are also used to restrict the set of hosts and domains that a user is able to access and modify.
Note: a user with global admin enabled is not restricted by the authorization system. This is the default for installations that do not have :login: enabled in config/settings.yml.
A logged in user will be granted the Anonymous role plus one or more additional roles. The permissions associated with these roles are aggregated and determine the final permission set.
Roles may be administered only by a user with global admin privileges.
These may be created, deleted and edited on the Roles page. Each role will be associates with one or more base privileges
These determine the operations that are allowed to be performed upon the items to which they refer. For simple items, like an architecture, this operates as expected but for more complex items, such as the hosts a user is able to operate on, there is an additional layer of security called filtering. When editing a user account there is a section at the bottom that narrows the scope of the permissions granted to a subset of the hosts, domains and host groups.
|Permissions for Architectures, Authentication providers, environments, External variables, Common parameters, Host groups, Medias, Models, Operating systems, Partition tables, Puppet classes and User groups|
|view||The user is allowed to see this type of object when listing them on the index page|
|create||The user is allowed to create this type of object|
|edit||The user is allowed to edit this type of object|
|destroy||The user is allowed to destroy this type of object|
|Permissions for Domains|
|view||The user is allowed to see a list of domains when viewing the index page|
|create||The user is allowed to create a new domain and will also be able to create domain parameters|
|edit||The user is allowed to edit a domain and will also be able to edit a domain's parameters. If they have domain filtering active in their profile then only these domains will be editable|
|destroy||The user is allowed to destroy a domain and will also be able to destroy domain parameters. If they have domain filtering active in their profile then only these domains will be deletable|
|Permissions for Hosts|
|Permissions for Users|
|view||The user is allowed to see a list of users when viewing the index page. A user will always be able to see their own account even if they do not have this permission|
|create||The user is allowed to create a new user|
|edit||The user is allowed to edit existing users. A user will always be able to edit their own basic account settings and password|
|destroy||The user is allowed to delete users from the system|
If the filtering section at the bottom of the user's profile page has no content then the roles that the user has been granted will apply to all hosts within the system.
However, if the filtering section is in use then the permission will apply only to those items selected in the filters and the user will have no access to anything not selected by the filters.
This is primarily a mechanism for restricting access to hosts. However if one or more domains or host groups are selected then this also restricts where parameters can be created and edited.
Filtering operates by generating a list of hosts on which actions can be performed. The list may be built out of four components
- Ownership: The hosts that a user owns directly or hosts that are owned by a user group of which the user is a member.
- Domain membership: The hosts that exist within one or more indicated domains.
- Host group membership: The hosts that are defined as being of one or more host group types.
- Fact filtering: These restrict the hosts to those machines that have this fact associated with them. As a fact is only generated during a puppet run this filter will only refer to machines that have been built and therefore cannot be used to restrict the creation of machines.