pjmcquade
commented
6 years ago Hello,
I was directed here by Red Hat and it seems this topic is similar to the concerns I have around RBAC and LDAP authentication. What I describe below is based upon my current understanding of capabilities and/or limitations of Tower, so if I have misunderstood something, I'm happy to be corrected of course.
Currently I'm using tower 3.2.4 and I have the following scenario:
Let's say I have two orgs in my Tower server, East and West. They both are orgs under the same company, WeatherVane. Note: I understand the org nomenclature in Tower is to view Orgs as logically separated to such a degree where an instance of Tower could be used to host Customers that are competitors i.e. "Whole Foods" and "Walmart").
However, in my case, I want each Org to be able to create their own projects, creds, and templates. To do so, there is the admin role that can be leveraged. There is no way for a Team to do this. To summarize, I am using Orgs like Teams.
Leveraging AD and mapping in Tower, my org mappings look like this:
{
"East": {
"admins": "CN=EastTowerLeads,OU=User,OU=Groups,DC=weathervane,DC=com",
"remove_admins": true,
"users": "CN=EastTowerOperations,OU=User,OU=Groups,DC=weathervane,DC=com",
"remove_users": true
},
"West": {
"admins": "CN=WestTowerLeads,OU=User,OU=Groups,DC=weathervane,DC=com",
"remove_admins": true,
"users": "CN=WestTowerOperations,OU=User,OU=Groups,DC=weathervane,DC=com",
"remove_users": true
}
}Given this arrangement, my East and West Leads can happily create projects, creds, templates etc, and their my East and West Operations can consume their respective Leads content.
However, what if my West Leads produce a really cool playbook they would like to share with East? Currently, this cannot be accomplished unless my West Leads are Org admins of East. But East doesn't want West to be an org admin because of the unmitigated access to projects, creds, and templates...including the power to edit/delete them. Obviously, this is not desired and would wreak havoc with Audit.
I cannot leverage Teams to do this, as I would have to create all Teams under one org to share playbooks AND Teams cannot create projects.
This ends the first enhancement request. Here's the second:
When I am an Org admin and I want to grant permission to a team, I can only see teams that are members of my Org. However, I can see users of other Orgs (provided Tower is configured to let me see all users visible to Org admins is turned on via the "SYSTEM" panel). I can see users not in my org and it appears (untested as of now) I can grant access to these users.....why not teams in another org?
So the ask:
1) I would like a user in one Tower org to be able to make available to users in another organization without also having to be an admin in the second organization. I.e. the option of one Org able to publish to another without being an admin of the other org. 2) I would like the ability to grant access to a team, and grant that access once. If someone joins or leaves that team, I don't want to have to 'refresh' the grant to ensure new members of said team get access. It looks like the "grant to team" looks like a courtesy of a "batch add to the current members of that team", but there's nothing to ensure the grants stay current as members of a team are added. I hope that makes sense.
wenottingham
b0urn3
IAMShashankk
LaurencelleJ
szajac01
ISSUE TYPE
COMPONENT NAME
SUMMARY
Our social and LDAP auth can map users into orgs and teams by assorted attributes.
The request is to be able to map them into roles (team admin, execute on inventory) via attributes.
ADDITIONAL INFORMATION
The syntax for this must be manageable in the interface.
It could be argued that it might be simpler to define a team with the associated roles, and map into that.