In our previous Getting Started blog post, we discussed how to install Ansible Tower in your environment.
Now we’ll discuss how you can equip your Tower host with users and credentials.
To begin, let’s cover the essentials: setting up your user base and creating credentials for appropriate delegation of tasks.
How To Set Up A User Base
Building your user base will be the first thing you’ll need to do to get started with Tower. The user base can be broken into three easily-defined parts:
1. User: Someone who has access to Tower with associated permissions and credentials.
2. Organization: The top level of the user base - a logical collection of users, teams, projects and inventories.
3. Team: A subdivision of an organization - provides the means to set up and implement role-based access schemes as well as to delegate work across organizations.
Understanding User Types
There are three types of users that can be defined within Tower:
- Normal User: A user that is given no special permissions from the beginning - they must be granted to them by a system administrator.
- System Auditor: A user who will have view access only within Tower.
- System Administrator: A user who has the power to grant and remove credentials, move users to different organizations and teams and other exclusive privileges.
Ready To Create A User?
1. Select the settings gear in the top right and select users. This will take you to the users page. Note: If you are starting fresh, only the “admin” account will be displayed.
Note: If you are starting fresh, only the "admin account" will be displayed.
2. Select the green “+Add” button and a user creation page will be displayed. From here, you will need to enter some information about the user such as their name and email address.
From this page, you will also create their default password that can be changed by them once they login for the first time. After you set their password, this is where you will set their “User Type” (System Auditor, etc).
3. Save the user. You can now grant the user individual credentials (discussed below) and add them to organizations or teams (you will create these later in the post) from the edit user screen.
Now let’s move on to organizations.
Organizations are the top level of your structure that you create in Tower. To create one, you must be a superuser or admin for the Tower instance.
Here are the steps to create one:
1. Select the admin settings in the top right hand corner
2. Select the “Organization” box.
3. Select the green “+Add” button and this will open a new screen for you where you can name and add a description for the new organization.
Note: Near the top you will also see some boxes labeled Users and Notifications but cannot select them. To add users and other parts of Tower to the organization, you must first save the new organization.
Once that is complete, you can click on your newly created organization and edit it as needed. In the organization box, you can also view the stats for your organization(s), including the amount of users, projects and inventories under its umbrella.
Teams within Tower are the next part of the user base you’ll want to set up. Teams help you grant permissions to inventories or projects to a specific team rather than to just one user or to an entire organization.
Creating teams is just as simple as creating an organization.
1. Navigate to the settings page as you did to create your organization and select Teams.
2. Select the green “+Add” button.
3. Name your team from the new modal window that appears.
4. Select the organization this team will be under.
5. Save the team. Now that the team is saved and added to an organization, you can select it to add existing users to the team as needed.
Credentials and Role Based Access Control
Congratulations on setting up your user base! It’s now time to use Ansible Tower’s role based access control (RBAC) to delegate what users can and cannot do within Tower.
Credentials are the base for all of those controls. Credentials are utilized in Tower to authenticate when launching jobs against machines, sync inventory sources and for importing project content from a version control system such as GitHub.
Access can be granted to teams, users and organizations from a system administrator without exposing credentials to any user. Only a system administrator can make changes to credentials, so you don’t have to worry about re-keying your credentials or changing anything within the credential.
Your SSH key is also encrypted once you add in the key and save it so it can never be copied from Ansible Tower.
Creating credentials is quick and easy. Here are the steps to create them:
1. Go to the Settings page, the gear in the top right hand side of the Tower UI and then select credentials.
2. Select the green “+Add” button.
3. This will take you to the credential creation screen. From here, choose a name for the credential.
4. After you have named the credential, it’s now time to choose a type based on what this credential will be used for. Examples include: Machine, Network, Cloud, Amazon Web Services, Red Hat CloudForms and many more.
5. Once you have a credential type selected, you will need to provide the proper authentication credentials in the corresponding textboxes. Ex: Username, AWS Access Key, VCenter Host Name etc.
6. Click save and start applying that credential to other features of Tower that can have permissions added to them, such as projects and job templates.
Now that you’ve read how to setup your user base and credentials, you are one step closer to completing IT Automation tasks with Ansible Tower.
Stay tuned for our next Getting Started series post. Next, we will discuss how you can get your inventory set up and how to get your Playbooks into their new home in the projects section of Ansible Tower.
In the meantime, explore our Beginner's Guide Whitepaper: Control Ansible Tower.