Simplifying access management on Hybrid Cloud Console for Red Hat Insights for RHEL with predefined roles
New RHEL Insights cross-service predefined roles
The Red Hat Hybrid Cloud Console (HCC) has introduced three (3) new system roles with clarity and ease of use in mind:
- RHEL administrator: This role provides comprehensive administrative privileges across your RHEL systems and Insights. Users assigned this role can manage system configurations, inventory, compliance policies, notifications, patch management, remediations, malware detection, and advisor recommendations. Importantly, they also have the authority to view and modify all vulnerability settings.
- RHEL operator: This role lets users actively manage your environment by granting the ability to edit system configurations, inventory details, policies, and notification/integration settings. Operators have broad capabilities that mirror many administrator functions; however, they are restricted from editing compliance policies, content source templates or policies, or tasks, and they cannot execute remediation plans.
- RHEL viewer: For users who need visibility without the ability to make changes, this role offers read-only access to RHEL Insights. This includes viewing system configurations, compliance reports, inventory data, patch information, vulnerabilities, and overall resource states and activities. The only action permitted with this role is to generate activation keys.
Why the change?
Our previous way of managing access, with many roles tied to specific services, presented some challenges:
- Risk of too much access: users could accidentally end up with more permissions than they actually needed.
- More work for administrators: it can be time-consuming for administrators to sort through and assign all the detailed service roles.
- Limited "default" options: the default access may not be flexible enough for the different types of user responsibilities our customers have.
These new RHEL/Insights roles fix these issues by:
- Making access simpler: we now offer clear, persona-based roles that are easy to understand and assign.
- Making things more secure: by following the principle of least privilege, you can ensure users only get the permissions they absolutely need. For example, the Operator role is great for common tasks, meaning your users won't need full administrative rights.
- Boosting efficiency: administrators will spend less time and effort managing user access.
- Offering more flexibility: We can now accommodate a wider range of user responsibilities with distinct and well-defined access levels.
Leveraging the new RHEL Insights roles in User Access
Integrating these new roles into your user management workflow within the HCC's User Access service is a straightforward process.
To implement these changes:
- Navigate to User Access: log in to console.redhat.com and click the gear icon (⚙️) in the header to access the "User Access" section.
  - Note: You must be an Organizational Administrator or User Access Administrator to make these changes.
- (Recommended) Manage the Default access group: for larger organizations, review and adjust the "Default access group" to establish a baseline set of permissions aligned with the new role model for all users.
  - The console's role-based access control (RBAC) is additive. Permissions granted at the default access level will remain if not removed.
  - Current Insights roles in the default access group include:
    - Compliance viewer
    - Content Template viewer
    - Directory and Domain Services viewer
    - Inventory Hosts administrator
    - Patch viewer
    - Policies viewer
    - Remediations user
    - Repositories viewer
    - Resource Optimization user
    - RHC user
    - RHEL Advisor administrator
    - Vulnerability viewer
  - Consider adding the "RHEL viewer" role if all authenticated users should have basic read-only access to Insights.
  - Note: once a change is made to the Default access group, it becomes the Custom default access group.
- Manage user groups: User Access allows you to organize users into logical groups. You can either:
  - Select an existing user group to manage, or
  - Create new user groups specifically tailored for the new RHEL roles (e.g., "RHEL administrators," "RHEL operators") for more precise permission management.
- Assign roles to user groups:
  - Within your chosen user group, locate the options to "Add roles" or "Manage roles."
  - In the role assignment interface, you will now clearly see the "RHEL administrator," "RHEL operator," and "RHEL viewer" roles.
  - Select the role that best corresponds to the required level of access for the users within that group for RHEL and Insights functionalities.
  - While multiple roles can be assigned, the new comprehensive RHEL roles should minimize this need.
- (Optional) Explore granular control: for specific, less common use cases requiring more granular permissions, clear any filters to display the complete list of service-specific roles. However, the new RHEL administrator, operator, and viewer roles should suffice for most scenarios.
- Submit changes: save or apply the changes to the user group. The defined permissions will be immediately effective for all users within that group for RHEL and Insights features.
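Because RBAC is additive, a user placed in a group that holds only "RHEL viewer" still keeps every role granted by the Default access group. The following added example (not Red Hat code) audits that effect using the role names listed in the Default access group step; the group names, users, and the ranking of roles by name suffix are assumptions made for illustration and are not the console's permission model.

```python
# Added example: models additive User Access at the role-name level only.
# DEFAULT_ACCESS_ROLES is the list from the article; everything else is constructed.
DEFAULT_ACCESS_ROLES = {
    "Compliance viewer", "Content Template viewer",
    "Directory and Domain Services viewer", "Inventory Hosts administrator",
    "Patch viewer", "Policies viewer", "Remediations user",
    "Repositories viewer", "Resource Optimization user", "RHC user",
    "RHEL Advisor administrator", "Vulnerability viewer",
}

# Assumption: rank a role by the last word of its name.
LEVEL = {"viewer": 0, "user": 1, "operator": 1, "administrator": 2}

def level(role):
    # An unknown suffix is treated as the highest rank so it is always reported.
    return LEVEL.get(role.rsplit(" ", 1)[-1].lower(), 2)

def effective_roles(user, groups, default_roles):
    """Additive RBAC: default-group roles plus roles of every group the user is in."""
    roles = set(default_roles)
    for group in groups.values():
        if user in group["members"]:
            roles |= group["roles"]
    return roles

def excess_roles(user, intended_role, groups, default_roles):
    """Roles the user holds that rank above the persona role intended for them."""
    cap = level(intended_role)
    held = effective_roles(user, groups, default_roles)
    return sorted(r for r in held if level(r) > cap)

# Constructed sample groups and members.
GROUPS = {
    "RHEL administrators": {"roles": {"RHEL administrator"}, "members": {"alice"}},
    "RHEL viewers": {"roles": {"RHEL viewer"}, "members": {"bob"}},
}

# Constructed Custom default access group that holds only the RHEL viewer role.
CUSTOM_DEFAULT = {"RHEL viewer"}

if __name__ == "__main__":
    # bob is meant to be read-only, yet inherits higher roles from the default group.
    print(excess_roles("bob", "RHEL viewer", GROUPS, DEFAULT_ACCESS_ROLES))
    # After trimming the default group, nothing exceeds the viewer persona.
    print(excess_roles("bob", "RHEL viewer", GROUPS, CUSTOM_DEFAULT))
```
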
Conclusion
By strategically adopting the new RHEL administrator, operator, and viewer roles within the User Access service and effectively managing Default access and user groups, organizations can significantly simplify RHEL and Insights permission management. This streamlined approach enhances security by adhering to the principle of least privilege and improves overall operational efficiency. Red Hat plans to introduce similar streamlined roles for other services, including Subscription Management, Red Hat OpenShift, and Red Hat Ansible Automation Platform in the future.
Try them out today at console.redhat.com/iam/user-access/roles.