RBAC (Role Based Access Control)
Role-based access control (RBAC), is a mechanism that restricts Squest access. It involves setting permissions to enable access to authorized users. Permissions are then grouped into Roles and given to a scope which can be a team or and organizations or global. RBAC is the link between a role, a scope and a user.
The Squest RBAC system enable an administrator to grant users or groups the ability to perform an action on arbitrary subsets of objects in Squest.
Permissions
Permission in Squest represent a relationship with following components:
- Name: A short description of the permission.
- Codename: A unique identifier for the permission with camel case format.
- Content type: A Squest object (E.g: Request, Instance)
For example, a permission named "Can request a day2 operation on instance" attached to the content type "instance". This permission is required, like the name is suggesting, to create a request for a day 2 operation on an existing instance.
All objects have generic CRUD (Create, Retrieve/List, Update, Delete) permissions by default:
create_object
to create the objectview_object
to retrieve the objectlist_object
to list object instanceschange_object
to update the objectdelete_object
to delete the object
Note
Full permission list is available in the RBAC section of your Squest instance.
Specific Squest permissions:
Short description | Codename | Object |
---|---|---|
Can add users in global scope | add_users_globalscope | globalscope |
Can delete users in global scope | delete_users_globalscope | globalscope |
Can view users in global scope | view_users_globalscope | globalscope |
Can add users in organization | add_users_organization | organization |
Can delete users in organization | delete_users_organization | organization |
Can view users in organization | view_users_organization | organization |
Can consume quota of the scope | consume_quota_scope | scope |
Can add users in team | add_users_team | team |
Can delete users in team | delete_users_team | team |
Can view users in team | view_users_team | team |
Can approve/reject an approval step | approve_reject_approvalstep | approvalstep |
Can view admin custom link | view_admin_customlink | customlink |
Can request an admin day2 operation on instance | admin_request_on_instance | instance |
Can archive instance | archive_instance | instance |
Can change admin spec on instance | change_admin_spec_instance | instance |
Can request a day2 operation on instance | request_on_instance | instance |
Can unarchive instance | unarchive_instance | instance |
Can view admin spec on instance | view_admin_spec_instance | instance |
Can accept request | accept_request | request |
Can archive request | archive_request | request |
Can cancel request | cancel_request | request |
Can ask info request | need_info_request | request |
Can process request | process_request | request |
Can reject request | reject_request | request |
Can re-submit request | re_submit_request | request |
Can unarchive request | unarchive_request | request |
Can request an admin operation on service | admin_request_on_service | service |
Can request operation on service | request_on_service | service |
Can close support | close_support | support |
Can reopen support | reopen_support | support |
Can sync RHAAP/AWX | sync_towerserver | towerserver |
Note
New permissions can be created in the context of approval steps.
Global permissions
Global permissions are permissions granted to all logged Squest user. Permissions are purely additive (there are no "deny" rules).
Warning
Changing the list of global permissions may impact the global bahavior of Squest. Use with caution.
Owner permissions
Owner permissions are permissions granted to the owner of an Instance, Request or Support.
Are considered as owner:
requester
for Instanceuser
for Requestopened_by
for Support
Configuring "view_instance" permissions within the Owner Permissions will grant users the ability to see all instances for which they are the requester.
Adding "view_support" permission will grant users the ability to see all supports related to their instances and supports they opened.
Warning
Changing the list of owner permissions may impact the global bahavior of Squest. Use with caution.
Roles
A role is a set of permissions. After creating a Role, you can assign it to a user though a team, an organization or globally.
Giving a role to a scope gives permissions to all underlying objects of the scope.