Configure Ansible Automation Platform for Self-Service Portal

Learning objectives

By the end of this module, you’ll be able to:

  • Configure role-based access control (RBAC) in Ansible Automation Platform 2.6 for team-based permissions

  • Create teams and assign roles to job templates, inventories, and credentials

  • Set up RBAC in Self-Service Automation Portal using the permissions framework

  • Create permission policies for catalog and scaffolder plugins

  • Build conditional RBAC rules for advanced access control scenarios

  • Validate content synchronization between AAP and Self-Service Portal

Environment background

In your environment you will have access to the following:

  • Ansible Automation Platform. It is set up with users, inventories, credentials, a project, and a number of job templates, all of which will be used in this lab.

  • Self-service automation portal. You will perform the setup in AAP, and in Self-Service Portal to enable different user personas to leverage automation.

  • OpenShift Container Platform. You will have access but you will not need to use it.

FOR BEST RESULTS…​ When logging in and out of Ansible Automation Platform AND Self-Service portal as different users, PLEASE CLOSE AND RE-OPEN YOUR BROWSER IN PRIVATE MODE (New Incognito Window) to ensure you are logged in / logged out as the correct user.

Configuring RBAC in AAP 2.6 that will be used for Self-Service Portal

What is role-based access control (RBAC) in AAP

Ansible Automation Platform (AAP) uses Role-Based Access Control (RBAC) to manage user access to automation resources, ensuring governance, security, and compliance across an enterprise. RBAC is primarily configured within the Automation Controller, the platform’s control plane and web UI.

Key concepts of AAP RBAC

RBAC in AAP operates on the principle of least privilege, meaning users are granted only the permissions necessary to perform their specific job functions. This is managed through a hierarchy of users, teams, and organizations, which are assigned specific roles and permissions to various automation objects.

  • Users: Individuals who log into the platform. They can be normal users, auditors (read-only access to all objects), or administrators (full system privileges).

  • Teams: Logical groupings of users within an organization. Users inherit permissions from the teams they belong to.

  • Organizations: Collections of users, teams, projects, and credentials, serving as a primary container for managing and delegating automation resources.

  • Roles and Permissions: Define what a user or team can do with specific objects (e.g., read, write, or execute job templates, view inventories, manage credentials).

Create 3 teams in AAP:

Log in to the Ansible Automation Platform with the {aap_admin_username} user and password {aap_admin_password}.

Expand the Access Management menu on the left.

Access ManagementTeams+Create Team.

  • cloud-team

  • network-team

  • rhel-team

Create each team as follows and click Create team to save the team(s).

  • Be sure to select the Default organization.

Create Team dialog showing: Name field (text input for team name like 'cloud-team')

Now that you have created the teams, you will assign roles and users to the teams.

Starting with the cloud-team: Access ManagementTeamscloud-teamRoles+Assign roles

Roles tab for cloud-team showing list of currently assigned roles (initially empty) and blue 'Assign roles' button in top right to add new permissions. Click this button to start the multi-step role assignment workflow for job templates
  1. In the Assign roles step one, select Job Template as the resource type, and click Next.

  2. In step 2, select all the job templates that begin with Cloud/AWS, and click Next.

  3. In step 3, select the role to apply, please select Job Template Execute, and click Next.

  4. In step 4, review your work, and click Finish.

Resource Selection step showing checkboxes next to multiple Cloud/AWS job templates including 'Cloud/AWS Create Instance'
Review screen displaying summary of role assignment: Resource type shows 'Job Template'

Repeat the same process for assiging roles by adding the following roles:

Access ManagementTeamscloud-teamRoles+Assign roles → Resource Type: Inventory

For Inventory, select the following 3 inventories and click Next.

  • AWS Inventory

  • Azure Inventory

  • GCP Inventory

  • Next → select Inventory Use as the role to apply → Review your work and click Finish

Inventory selection screen showing checkboxes for 'AWS Inventory'

Access ManagementTeamscloud-teamRoles+Assign roles → Resource Type: Credential

For Credential, select the following 3 credentials and click Next.

  • AWS Credential

  • Azure Credential

  • RHEL - SSH Credentials

  • Next → select Credential Use as the role to apply → Review your work and click Finish

Credential selection screen showing checkboxes for 'AWS Credential'

While still on the cloud-team page, assign the following Users to the cloud-team:

  • Click on the Users tab, and select +Assign users → select the clouduser1, and click Assign users.

Users tab for cloud-team showing current team members list (initially empty) and blue 'Assign users' button in top right. Click button to open user selection dialog where you can select 'clouduser1' from available users and click 'Assign users' to add them to cloud-team

Repeat the same process for role and user assignmens to the network-team and rhel-team teams.

For network-team, assign the following:

  • For Resource Type: Job Template, select all the job templates that begin with Network/, and click Next. Please select Job Template Execute as the role to apply → Review your work and click Finish

  • For Resource Type: Inventory, select the Network Inventory and click Next. Please select Inventory Use as the role to apply → Review your work and click Finish

  • For Resource Type: Credential, select the Network Credentials and click Next. Please select Credential Use as the role to apply → Review your work and click Finish

While still on the network-team page, assign the following Users to the network-team:

  • Click on the Users tab, and select +Assign users → select the networkuser1, and click Assign users.

For rhel-team, assign the following:

  • For Resource Type: Job Template, select all the job templates that begin with Linux/RHEL, AND add 2 other job templates named Cloud/AWS Create RHEL10 instance AND Cloud/AWS Create RHEL9 instance AND RHEL / Update RHEL Time Servers and click Next. Please select Job Template Execute as the role to apply → Review your work and click Finish

  • For Resource Type: Inventory, select the RHEL Inventory AND the AWS Inventory and click Next. Please select Inventory Use as the role to apply → Review your work and click Finish

  • For Resource Type: Credential, select the AWS Credential AND RHEL - SSH Credentials and click Next. Please select Credential Use as the role to apply → Review your work and click Finish

While still on the rhel-team page, assign the following Users to the rhel-team:

  • Click on the Users tab, and select +Assign users → select the rheluser1, and click Assign users.

Verify your RBAC configuration

Before proceeding to the Portal configuration, confirm your AAP RBAC is correctly set up:

Verification 1: Check team creation

Navigate to: Access ManagementTeams

Expected result: You should see 3 teams:

  • cloud-team

  • network-team

  • rhel-team

Verification 2: Confirm cloud-team roles

Click on cloud-teamRoles tab

Expected result: You should see roles assigned for:

  • Job Templates: All Cloud/AWS* templates with "Execute" permission

  • Inventories: AWS, Azure, GCP with "Use" permission

  • Credentials: AWS, Azure, RHEL SSH with "Use" permission

Verification 3: Confirm user assignments

For each team, click the Users tab:

Expected results:

  • cloud-team: clouduser1 assigned

  • network-team: networkuser1 assigned

  • rhel-team: rheluser1 assigned

Troubleshooting: If any verification fails:

  1. Review the role assignment steps for that team

  2. Check that you selected the correct resource type

  3. Verify you clicked "Finish" to save the role assignment

  4. Contact your instructor if issues persist

Awesome! You have now configured RBAC in Ansible Automation Platform.

Validate content synchronization to Self-Service Portal

Now that you have configured RBAC in Ansible Automation Platform, you will configure RBAC in Self-Service Portal. At this point if you log in to the Self-Service Portal as any of the users you created, you will NOT be able to see any job templates - yet. But as an administrator you will be able to see all the job templates.

What you need to do is configure RBAC in Self-Service portal to allow the Portal users to see the automation templates they are authorized to execute. Let’s get to this next

Configuring RBAC in the Self-Service Automation Portal

What is role-based access control (RBAC) in Self-Service Automation Portal

Self-Service Automation Portal uses Role-Based Access Control (RBAC) to manage user authorizations and permissions within the portal. It is built on top of the Red Hat Developer Hub Permissions framework and uses an administrator role to control who can perform actions and access specific resources.

Supported permissions

  • The RBAC system defines permissions across different functional areas:

  • Catalog Permissions: Control actions related to the software catalog, such as catalog.entity.read, catalog.entity.create, catalog.entity.delete, and more…​

  • Scaffolder Permissions: Manage access to software templates and actions, such as scaffolder.action.execute and scaffolder.template.parameter.read and more…​

  • RBAC Permissions: Delegate administrative tasks with policies like policy.entity.create, policy.entity.update, and policy.entity.delete. (The cloud / network / rhel team users will NOT need this permission.)

Log in to the Self-Service portal as {aap_admin_username}

Log in to the Self-Service Portal with the {aap_admin_username} user and password {aap_admin_password}. When asked to Authorize Self-Service Portal? click Authorize. Again, notice that the administrator user can see ALL the job templates. This automatically synchronizes to the Self-Service Portal on a regular interval (configurable in the Self-Service Portal Helm chart).

Self-service portal has a default synchronization schedule of 60 minutes.

At any time as an administrator you can use the Sync now button to trigger an immediate synchronization of Organizations, Users, Teams, and Job Templates from Ansible Automation Platform to the Self-Service Portal.

Self-Service Portal home page as admin user: Top header shows 'Self-Service Portal' title and logged-in username. Left navigation includes Administration and Catalog menu items. Main content area displays job template tiles grouped by category - Cloud/AWS templates shown with blue styling

Configure RBAC in the Self Service Automation Portal

Now let’s configure RBAC in the Self Service Automation Portal to allow the Portal users to see the automation templates they are authorized to execute.

Log in to the Self-Service Portal with the {aap_admin_username} user and password {aap_admin_password}. You need to create a new RBAC role to allow the Portal users to see the automation templates they are authorized to execute. We will create 2 RBAC roles, ssa-portal-users and ssa-portal-rhel-team

Self-Service Portal Administration menu: Click 'Administration' in bottom left corner to expand menu showing options including 'RBAC'

Create the ssa-portal-users role.

  1. In the bottom left corner expand the Administration menu and Click on RBAC, then click on Create.

  2. For the Name field, enter ssa-portal-users.

  3. For the Description field, enter Role for Cloud and Network teams, and click on Next.

  4. For the Add users and groups field, from the dropdown select cloud-team and network-team, scroll down and click on Next.

  5. For the Add permission policies field, from the Select plugins dropdown select Catalog and Scaffolder.

  6. Just below expand the Catalog plugin and select the catalog.entity.read permission.

  7. Just below expand the Scaffolder plugin and select ALL the permissions but NOT scaffolder.template.management permission.

  8. Scroll down and click on Next.

  9. Review your work, and click on Create to save the role.

RBAC role creation wizard for ssa-portal-users: Name field shows 'ssa-portal-users'

Create the ssa-portal-rhel-team role.

  1. In the bottom left corner expand the Administration menu and Click on RBAC, then click on Create.

  2. For the Name field, enter ssa-portal-rhel-team.

  3. For the Description field, enter Role for RHEL team, and click on Next.

  4. For the Add users and groups field, from the dropdown select rhel-team, scroll down and click on Next.

  5. For the Add permission policies field, from the Select plugins dropdown select Catalog and Scaffolder.

    1. Just below expand the Catalog plugin and select the catalog.entity.read permission. At the very end of that row, click the 2 checkmarks in the Actions column to add a condition at the very end of the row.

    2. In the Condition field, select Not, The Add rule option will be selected automatically.

    3. In the Rule dropdown, select HAS_METADATA.

    4. In the key field, enter tags.

    5. In the Value field, enter custom, and click on Save.

    6. You should see the condition added to the row with a green checkmark at the end.

  6. Just below expand the Scaffolder plugin and select ALL the permissions but NOT scaffolder.template.management permission.

  7. Scroll down and click on Next.

  8. Review your work, and click on Create to save the role.

    1. You added a condition to the RBAC role to allow the RHEL team to see the RHEL job templates but NOT the custom job template that will later be backed by a custom template imported directly from a Git repository. (more on this later)

Conditional RBAC configuration interface for catalog.entity.read permission: Click checkmark icon in Actions column to open condition builder. Builder shows: (1) Condition type dropdown with 'Not' selected
RBAC role creation for ssa-portal-rhel-team showing: Name field with 'ssa-portal-rhel-team'

The final view of this section should look like this:

RBAC policies list showing two completed policies: 'ssa-portal-users' with description 'Role for Cloud and Network teams' assigned to 2 groups (cloud-team
Form more details on how to create RBAC roles and permissions, please refer to the Self-Service Portal - RBAC Setup Documentation.

Verify your Portal RBAC configuration

Before testing with user personas, confirm your Portal RBAC policies are correctly configured:

Verification 1: Check policy creation

In Portal, navigate to: AdministrationRBAC

Expected result: You should see 2 policies:

  • ssa-portal-users (for cloud-team and network-team)

  • ssa-portal-rhel-team (for rhel-team with conditional rule)

Verification 2: Validate ssa-portal-users configuration

Click on ssa-portal-users → Review configuration:

Expected results:

  • Users and groups: cloud-team, network-team

  • Catalog permissions: catalog.entity.read

  • Scaffolder permissions: All except scaffolder.template.management

Verification 3: Validate ssa-portal-rhel-team conditional rule

Click on ssa-portal-rhel-team → Review configuration:

Expected results:

  • Users and groups: rhel-team

  • Catalog permissions: catalog.entity.read with condition:

  • Condition type: Not

  • Rule: HAS_METADATA

  • Key: tags

  • Value: custom

  • Scaffolder permissions: All except scaffolder.template.management

Understanding the conditional rule: The Not HAS_METADATA tags=custom condition means the rhel-team will see all job templates EXCEPT those tagged with custom. This prevents them from accessing the custom dynamic template you’ll import in Module 3.

Troubleshooting: If any verification fails:

  1. Review the policy creation steps

  2. Ensure you selected correct teams in "Add users and groups"

  3. For conditional rule: verify exact spelling of key (tags) and value (custom)

  4. Try editing the policy and reapplying the configuration

You’re now ready to test the Portal with different user personas in Module 2!

Learning outcomes

By completing this module, you should now understand:

  • How RBAC works in Ansible Automation Platform 2.6 - The relationship between users, teams, organizations, and permissions, and how to implement least-privilege access control

  • How to configure team-based access control - Creating teams and assigning specific roles to job templates, inventories, and credentials for different IT domains

  • How RBAC works in Self-Service Automation Portal - The permissions framework built on Red Hat Developer Hub and how it controls catalog and scaffolder access

  • How to create permission policies in the portal - Building roles for different user groups and applying conditional rules for advanced access scenarios

  • The synchronization relationship between AAP and the portal - How organizations, users, teams, and job templates automatically sync from AAP to the Self-Service Portal

You’ve successfully configured role-based access control across both Ansible Automation Platform and Self-Service Automation Portal. Your teams now have the proper permissions to access their domain-specific automation. Let’s move on to the next module where you will test the Self-Service Automation Portal from different user perspectives.