Configure role-based access control for Ansible automation portal
Configure RBAC permissions in Ansible automation portal to control which users can view and execute templates, and which sidebar items are visible to non-admin users.
After you install Ansible automation portal and synchronize it with Ansible Automation Platform, only users with AAP administrator privileges can view the auto-generated templates. You must configure role-based access control (RBAC) permissions to allow non-admin users to view and execute templates.
Ansible automation portal uses two categories of permissions:
- Catalog and scaffolder permissions control whether users can view templates, execute actions, and manage tasks.
- Navigation permissions control which sidebar items and pages are visible to users. Without the required navigation permission, a sidebar item and its associated pages are hidden.
RBAC differs by template type:
- Auto-generated templates: Permissions are synchronized from Ansible Automation Platform. Users must have permissions on the underlying AAP job template.
- Custom templates: Permissions must be explicitly configured within Ansible automation portal. Users must also have permissions to run the associated job templates in Ansible Automation Platform. By default, custom templates are visible to all portal users regardless of their Ansible Automation Platform permissions. If you do not configure RBAC policies, any authenticated user can view and attempt to launch them. Use conditional access policies to restrict custom template visibility to specific teams or users.
Understand the permission model
Ansible automation portal and Ansible Automation Platform use separate but related permission systems.
Ansible automation portal RBAC:
- Controls which users can view templates in the Ansible automation portal catalog.
- Controls which users can access portal templates and submit jobs.
- Controls which navigation items are visible in the sidebar.
Ansible Automation Platform RBAC:
- Controls synchronization scope: Only Ansible Automation Platform job templates accessible by the configured API token (
ansible.rhaap.token) are synchronized to Ansible automation portal. - Controls auto-generated template visibility: Ansible Automation Platform permissions determine whether authenticated users can view and execute auto-generated templates in Ansible automation portal. Custom templates are not filtered by Ansible Automation Platform permissions.
- Validates execution permissions: When a user executes any template, Ansible Automation Platform checks that user's execute permissions on the underlying job template before launching the job. This applies to both auto-generated and custom templates.
If a user can see a template in the catalog but lacks Ansible Automation Platform execute permissions for the associated job template, the user cannot run the job.
Configure RBAC for synchronization
Synchronization uses the Ansible Automation Platform API token configured in Ansible automation portal to determine which data to synchronize from Ansible Automation Platform.
Before you begin:
- You have credentials for an Ansible Automation Platform administrator.
- Synchronization of Ansible Automation Platform organization information from Ansible Automation Platform is complete.
- Users who execute job templates through Ansible automation portal must have job template execute permissions assigned in Ansible Automation Platform.
- The Allow external users to create OAuth2 tokens setting is enabled in in Ansible Automation Platform.
Procedure:
- Log in to Ansible automation portal as an administrator.
- Navigate to .
- Click Create Role and provide a name (for example,
portal-user). - In the Users and Groups section, select the Ansible Automation Platform teams and users to assign to this role. Click Next.
You can only select teams and users from the Ansible Automation Platform organization that you configured for synchronization with Ansible automation portal.
- In the Add permission policies section, select the Catalog plugin from the dropdown menu and enable
catalog.entity.read. - Select the Scaffolder plugin and enable the following permissions:
scaffolder.template.parameter.readscaffolder.template.step.readscaffolder.action.executescaffolder.task.createscaffolder.task.read— Required for users to view previous task runs on the History page.scaffolder.task.cancel
- Add the base navigation permissions so users can see the Templates and History sidebar items:
ansible.templates.viewansible.history.view
- Click Next to review your settings, then click Create.
Your new role appears in the All roles list under .
If you are upgrading from plug-in version 2.1, you must add ansible.templates.view and ansible.history.view to existing roles. Without these permissions, non-admin users cannot see the Templates and History navigation items. For more information, see the upgrade guide for your platform.
Configure conditional access
You can configure conditional RBAC policies to filter role access by tag. This restricts specific teams or users to a subset of job templates. Ansible Automation Platform labels applied to job templates are synchronized to Ansible automation portal as tags.
Ansible Automation Platform labels are converted to lowercase tags with special characters replaced by hyphens. For example, the Ansible Automation Platform label Network-Automation becomes the tag network-automation.
Before you begin:
- Ansible Automation Platform job templates must have Ansible Automation Platform labels applied and synchronized with Ansible automation portal.
- Users who execute job templates through Ansible automation portal must have job template execute permissions assigned in Ansible Automation Platform.
Procedure:
- Log in to Ansible automation portal as an administrator.
- Navigate to .
- Click Create Role and provide a name (for example,
network-portal-user). - In the Users and Groups section, select the Ansible Automation Platform teams and users to assign to this role (for example, the
network-team). Click Next. - In the Add permission policies section, select the Catalog plugin and enable
catalog.entity.read. - Click Conditional to configure a condition-based policy:
- Rule: Select
HAS_METADATA. - Key: Enter
tags. - Value: Enter the tag value to filter by (for example,
network-automation).
- Rule: Select
- Select the Scaffolder plugin and enable all scaffolder permissions listed in the previous procedure.
- Click Next to review your settings, then click Create.
Verification:
- If you configured conditional access by tag, the user should see only templates with the specified tags.
- If you did not configure conditional access, the user should see all Ansible Automation Platform job templates for which they have execute permissions in Ansible Automation Platform.
- To verify execution permissions, attempt to execute a template. If the user has execute permissions in Ansible Automation Platform for the template, the job launches successfully.
Restrict visibility of custom templates
Auto-generated templates inherit visibility from Ansible Automation Platform permissions. Custom templates require a different approach because they are visible to all users by default. Use tag-based conditional policies to restrict which users can see specific custom templates.
- Add a tag to the custom template YAML file in the
metadata.tagsfield:apiVersion: scaffolder.backstage.io/v1beta3 kind: Template metadata: name: deploy-to-prod title: Deploy to Production tags: - restricted - Log in to Ansible automation portal as an administrator.
- Navigate to .
- Create a role for users who should see the restricted template (for example,
template-admins). Assign the role to the appropriate teams or users. Grantcatalog.entity.readand all scaffolder permissions without conditions. - Edit the default authenticated user role to add a conditional policy that hides templates tagged
restricted:- Select the Catalog plugin and enable
catalog.entity.read. - Click Conditional to configure a condition-based policy.
- Rule: Select
HAS_METADATA. - Key: Enter
tags. - Value: Enter
restricted. - Set the condition to NOT so that users in this role can see all templates except those tagged
restricted.
- Select the Catalog plugin and enable
- Click Next to review your settings, then click Create or Save.
Users assigned to the template-admins role see all templates. Users in the default role see all templates except those tagged restricted.
To verify which conditional rules are available in your portal instance, query the GET /api/plugins/condition-rules API endpoint. Use HAS_METADATA with key: tags for catalog-level visibility filtering.
Configure RBAC using policy files
As an alternative to the Administration UI, you can define RBAC roles and conditional policies in configuration files. File-based configuration supports compound conditions that are not available through the UI, such as combining multiple rules with allOf, anyOf, and not operators.
Define roles and basic permissions in a CSV policy file:
g, group:default/platform-admins, role:default/template-admins
p, role:default/default-authenticated, catalog-entity, read, allow
p, role:default/template-admins, catalog-entity, read, allow
p, role:default/template-admins, scaffolder.template.parameter.read, read, allow
p, role:default/template-admins, scaffolder.template.step.read, read, allow
p, role:default/template-admins, scaffolder.action.execute, use, allowDefine compound conditional policies in a YAML file. The following example hides templates tagged restricted from regular users while allowing them to see all other catalog entities:
result: CONDITIONAL
roleEntityRef: 'role:default/default-authenticated'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
- read
conditions:
anyOf:
- not:
rule: IS_ENTITY_KIND
resourceType: catalog-entity
params:
kinds:
- Template
- allOf:
- rule: IS_ENTITY_KIND
resourceType: catalog-entity
params:
kinds:
- Template
- not:
rule: HAS_METADATA
resourceType: catalog-entity
params:
key: tags
value: restrictedThis condition allows regular users to see all non-Template entities, plus any Template that is not tagged restricted. Users in the template-admins role have an unconditional allow and see all templates.
Add both files to the application configuration:
permission:
enabled: true
rbac:
policies-csv-file: /opt/app-root/src/rbac-policy.csv
conditionalPoliciesFile: /opt/app-root/src/rbac-conditional-policies.yaml
policyFileReload: true
pluginsWithPermission:
- catalog
- scaffolderFor the full conditional policy syntax including the $currentUser alias and all available operators, see the Red Hat Developer Hub authorization documentation.
Permissions reference
| Permission | Resource type | Policy | Description |
|---|---|---|---|
catalog.entity.read |
catalog-entity | read | View synchronized AAP job templates in the Ansible automation portal catalog. |
scaffolder.template.parameter.read |
scaffolder-template | read | Read template parameters in the launch wizard. |
scaffolder.template.step.read |
scaffolder-template | read | Read template steps in the launch wizard. |
scaffolder.action.execute |
scaffolder-action | use | Execute actions through templates. |
scaffolder.task.create |
scaffolder-task | create | Trigger the execution of job templates. |
scaffolder.task.read |
scaffolder-task | read | View task execution history and logs on the History page. |
scaffolder.task.cancel |
scaffolder-task | use | Cancel running templates. |
ansible.templates.view |
— | — | Show the Templates sidebar item and pages. Required for all portal users. |
ansible.history.view |
— | — | Show the History sidebar item and pages. Required for all portal users. |
ansible.execution-environments.view |
— | — | Show the Execution Environments sidebar item and pages. |
ansible.collections.view |
— | — | Show the Collections sidebar item and pages. |
ansible.git-repositories.view |
— | — | Show the Git Repositories sidebar item and pages. |
Adjust synchronization frequency
Ansible automation portal synchronizes users, teams, organization, and job template information from Ansible Automation Platform at regular intervals. By default, synchronization occurs hourly.
To change the synchronization frequency:
- RHEL appliance: Edit /etc/portal/configs/app-config/app-config.production.yaml and update the
schedule.frequencyvalue under thecatalog.providers.rhaapsection. Restart the portal service after saving. - OpenShift Container Platform: Update the
schedule.frequencyvalue in the Helm chart values file and upgrade the Helm release.