Managing access
Role-based access control (RBAC) is used to grant individual users the permission to perform specific actions. Permissions are grouped into user roles, and each user is assigned at least one user role.
By using permissions, you give users appropriate levels of access and capability. For example, you can use permissions to allow users to:
- Grant password reset tokens to other users who have forgotten their passwords.
- Edit a local user’s metadata.
- Deploy Puppet code to specific environments.
- Edit class parameters in a node group.
You can do access control tasks in the console or with the RBAC API.
User permissions and user roles
The role in role-based access control refers to a system of user roles, which are assigned to user groups and their users. Those roles contain permissions, which define what a user with that role can or can't do within Puppet Enterprise (PE).
Creating and managing local users and user roles
Role-based access control (RBAC) in Puppet Enterprise (PE) lets you manage users—what they can and can't create, edit, or view—in an organized, high-level way that is more efficient than managing permissions on a per-user basis. User roles are sets of permissions you can apply to multiple users. You can't assign permissions directly to users in PE, only to user roles. You then assign roles to users.
LDAP authentication
Connect PE to an external Lightweight Directory Access Protocol (LDAP) directory service and manage permissions with role-based access control (RBAC).
SAML authentication
Connect to a Security Assertion Markup Language (SAML) identity provider, like Microsoft ADFS or Okta, to log in to PE with single sign-on (SSO) or multifactor authentication (MFA).
Token-based authentication
Authentication tokens allow a user to enter their credentials once, then receive an alphanumeric token to use when accessing different services or parts of the system infrastructure. Authentication tokens are tied to the permissions granted to the user through role-based access control (RBAC), so an HTTP request made with a token is authorized with exactly that user's permissions.
RBAC API
Use the RBAC API to manage users, user groups, roles, permissions, tokens, passwords, and LDAP or SAML connections.
Activity service API
The activity service records changes to role-based access control (RBAC) entities, such as users, directory groups, and user roles. Use the activity service API to query event data.