Puppet Enterprise 2016.4

In Puppet Enterprise (PE), role-based access control (RBAC) is used to manage user permissions. Permissions define what actions users can perform on designated objects. For example:

  • Can the user grant password reset tokens to other users who have forgotten their passwords?

  • Can the user edit a local user’s metadata?

  • Can the user edit class parameters in a node group?

Permissions are assigned to user roles rather than directly to users. To grant a permission to a user, you first need to assign the user to one or more user roles. Users inherit all of the permissions from each user role they are in. PE ships with four default user roles: Administrators, Code Deployers, Operators, and Viewers. In addition, you can create custom roles.

By using permissions, you give the appropriate level of access and agency to each user who works with PE. For example, you might want to create a user role that grants users permission to view but not edit a specific subset of node groups. Or you might want to divide up administrative privileges so that one user role is able to reset passwords while another can edit roles and create users. A full list of permissions is provided in the RBAC permissions overview.

External directories

PE can connect to external LDAP directories. This means that you can create and manage users locally in PE, import users and groups from an existing directory, or do a combination of both. PE supports OpenLDAP and Active Directory. If you have predefined groups in your Active Directory or OpenLDAP directory, you can import these groups into the PE console and assign user roles to them. Users in an imported group inherit the permissions specified in assigned user roles. If new users are added to the group in the external directory, they also inherit the permissions of the role to which that group belongs.

RBAC and activity services

Access control is handled by the RBAC service, and activity within the RBAC system is recorded by the activity service. You can interact with these two services through the PE console. Alternatively, you can use the RBAC service API and the activity service API. The RBAC service manages users, user groups, user roles, permissions, authentication tokens, external directory connections, and passwords. The activity service logs events for user roles, users, and user groups.

For more information about using RBAC, see:
