User permissions and user roles
The role in role-based access control refers to a system of user roles, which are assigned to user groups and their users. Those roles contain permissions, which define what a user with that role can or can't do within Puppet Enterprise (PE).
When you add users to PE, they don't have permission to do anything until you associate them with a user role, either explicitly through role assignment or implicitly through group membership and role inheritance. When a user is assigned to a role (or inherits a role from a group), they receive all the permissions from that role.
- Administrators
- Can manage users and permissions, create and modify node groups and other objects.
- Operators
- Can create and modify node groups and other objects.
- Viewers
- Can view, but can't modify, objects in the console.
- Code Deployers
- Can synchronize code from version control systems to Puppet Server.
- Project Deployers
- Can deploy projects and run project tasks and plans.
You can also create custom roles. For example, you might want to create a user role that grants users permission to view but not edit a specific subset of node groups. Or you might want to divide up administrative privileges so that one user role is able to reset passwords while another can edit roles and create users.
Permissions are additive. If a user is associated with multiple roles, that user is able to perform all of the actions described by all of the permissions on all of the applied roles.
Structure of user permissions
User permissions are structured as a triple of type, permission, and object.
- Types: Any thing that can be acted on in Puppet Enterprise (PE), such as node groups, users, or user roles.
- Permissions: What you can do with each type, such as create, edit, or view.
- Objects: Specific instances of types.
Type | Permission | Object | Description |
---|---|---|---|
Node groups | View | PE Master | Gives permission to view the PE Master node group. |
User roles | Edit | All | Gives permission to edit all user roles. |
When no object is specified, then the permission applies to all objects of the specified
type. In those cases, the object is All
. This is denoted
by "*"
in the RBAC API.
In both the console and the API, "*"
is used to express a permission for which an object doesn’t make
sense, such as when creating users.
Reference: User permissions and names
This reference describes the permissions granted to the five default Puppet Enterprise (PE) user roles, as well as the display name and system name for each type and permission.
Permissions vary by type. Permission scope can, sometimes, be refined by an object specification. For an explanation of these terms, refer to Structure of user permissions.
Each type and permission has a display name, which is the name you see in the PE console, and a system name, which is the name used in the RBAC API. The Permissions for default roles table uses display names. Refer to the Display names and system names table to find the corresponding system name for each display name.
Permissions for default roles
This table lists permissions granted to the default PE user roles, a description of what is allowed by each permission, any object specification or node group inheritance conditions, and which roles (if any) the permissions are assigned to by default.
Type | Permission | Definition | Roles |
---|---|---|---|
Certificate request | Accept and reject | Accept and reject certificate signing requests. Object
must always be |
|
Configuration | View and edit | View and edit configuration, such as the disclaimer message on the PE console login page. | Administrators |
Console | View | View the PE
console. Object must always be |
|
Directory service | View, edit, and test | View, edit, and test directory service settings. Object
must always be |
Administrators |
Job orchestrator | Start, stop and view jobs | Start and stop jobs and tasks, view jobs and job progress, view an inventory of nodes that are connected to the PCP broker. |
|
Node groups | Create, edit, and delete child groups | Create new child groups, delete existing child groups,
and modify every attribute of child groups except environment. This permission is inherited by all descendents of the node group. |
|
Node groups | Edit child group rules | Edit the rules of descendents of a node group. This
does not grant the ability to edit the rules of the group in the
This permission is inherited by all descendents of the node group. |
|
Node groups | Edit classes, parameters, and variables | Edit every attribute of a node group except its
environment and rule. This permission is inherited by all descendents of the node group. |
|
Node groups | Edit configuration data | Edit parameterized configuration data on a node
group. This permission is inherited by all descendents of the node group. |
|
Node groups | Edit parameters and variables | Edit the class parameters and variables of a node group's
classes. This permission is inherited by all descendents of the node group. |
|
Node groups | Set environment | Set the environment of a node group. This permission is inherited by all descendents of the node group. |
|
Node groups | View | See all attributes of a node group, including the values
of class parameters and variables. This permission is inherited by all descendents of the node group. |
|
Nodes | Edit node data from PuppetDB | Edit node data imported from PuppetDB. Object must always be
|
Administrators |
Nodes | View node data from PuppetDB | View node data imported from PuppetDB. Object must always be
|
Administrators |
Nodes | View sensitive connection information in inventory service | View sensitive parameters stored in the inventory service
for a connection, such as user credentials. Object must always be
|
Administrators |
Nodes | Add and delete connection information from inventory service | Add new connections to the inventory service and delete existing connections. | Administrators |
Plans | Run plans | Run specific plans on all nodes. | Administrators |
Projects | Deploy projects | Not used. |
|
Projects | Run tasks and plans from projects | Not used. |
|
Puppet agent | Run Puppet on agent nodes | Trigger a Puppet run from
the console or orchestrator. Object must always be
|
|
Puppet environment | Deploy code | Deploy code to a specific PE environment. |
|
Puppet Server | Compile catalogs for remote nodes | Compile a catalog for any node managed by this PE instance. This permission is required to run impact analysis tasks in Continuous Delivery. |
Administrators |
Scheduled jobs | Delete another user's scheduled jobs | Delete scheduled jobs created by the user instance specified in the
permission. This can be granted per user. |
Administrators |
Tasks | Run tasks | Run specific tasks on all nodes, nodes in a selected node
group, or nodes matching a PQL query.
Important: A task must be permitted to run on all nodes in order to
run on nodes that are outside of the PuppetDB (over SSH or WinRM for example).
As a result, users with such permissions can run tasks on any nodes they
have the credentials to access.
|
Administrators |
User groups | Delete | Delete a user group. This can be granted per group. |
Administrators |
User groups | Import | Import groups from the directory service for use in
RBAC. Object must always be |
Administrators |
User roles | Create | Create new roles. Object must always be
|
Administrators |
User roles | Edit | Edit and delete a role. Object must always be
|
Administrators |
User roles | Edit members | Change which users and groups a role is assigned
to. This can be granted per role. |
Administrators |
Users | Create | Create new local users. Object must always be
Tip: This permission is for local
users. Remote users are "created" when that user authenticates for the
first time with RBAC.
|
Administrators |
Users | Edit | Edit local user data (such as names or email addresses)
and delete local or remote users from PE. This can be granted per user. |
Administrators |
Users | Reset password | Grant password reset tokens to users who have forgotten
their passwords. Granting a password reset token also reinstates a user who has been revoked. This can be granted per user. |
Administrators |
Users | Revoke | Revoke or disable a user, so the user can no longer
authenticate and use the console, node classifier, or RBAC API. This permission also includes the ability to revoke a user's authentication tokens. This can be granted per user. |
Administrators |
Display names and system names
Each type and permission has a display name and a system name. The display name is the name you see in the PE console. The system name is the name used with the RBAC API. This table provides the display name and system name for each type and corresponding permissions. Types are listed multiple times if there are multiple permissions associated with that type.
Type display name | Type system name | Permission display name | Permission system name |
---|---|---|---|
Certificate requests | cert_requests | Accept and reject | accept_reject |
Configuration | configuration | View | view |
Configuration | configuration | Edit | edit |
Console | console_page | View | view |
Directory service | directory_service | View, edit, and test | edit |
Job orchestrator | orchestrator | Start, stop and view jobs | view |
Node groups | node_groups | Create, edit, and delete child groups | modify_children |
Node groups | node_groups | Edit child group rules | edit_child_rules |
Node groups | node_groups | Edit classes, parameters, and variables | edit_classification |
Node groups | node_groups | Edit configuration data | edit_config_data |
Node groups | node_groups | Edit parameters and variables | edit_params_and_vars |
Node groups | node_groups | Set environment | set_environment |
Node groups | node_groups | View | view |
Nodes | nodes | Edit node data from PuppetDB | edit_data |
Nodes | nodes | View node data from PuppetDB | view_data |
Nodes | nodes | View sensitive connection information in inventory service | view_inventory_sensitive |
Plans | plans | Run Plans | run |
Puppet agent | puppet_agent | Run Puppet on agent nodes | run |
Puppet environment | environment | Deploy code | deploy_code |
Puppet Server | puppetserver | Compile catalogs for remote nodes | compile_catalogs |
Tasks | tasks | Run Tasks | run |
User groups | user_groups | Import | import |
User roles | user_roles | Create | create |
User roles | user_roles | Edit | edit |
User roles | user_roles | Edit members | edit_members |
Users | users | Create | create |
Users | users | Edit | edit |
Users | users | Reset password | reset_password |
Users | users | Revoke | disable |
Working with node group permissions
Node groups in the node classifier are structured hierarchically; therefore, node group permissions are inherited. Users with specific permissions on a node group implicitly receive those permissions on any child groups below that node group in the hierarchy.
Two types of permissions affect a node group: those that affect a group itself, and those
that affect the group's child groups. For example, giving a user the Set environment
permission on a node group allows the user
to set the environment for that node group and all of the node group's children.
However, assigning Edit child group rules
to a node
group allows a user to edit the rules for any child group of a specified node group, but
not for the node group itself. This allows some users to edit aspects of a parent node
group, while other users can be given permissions to modify the group's children without
being able to affect the parent group.
Due to the hierarchical nature of node groups, if a user is given a permission on the
default node group (All nodes), this is functionally equivalent
to giving them that permission on all objects of the node group type
("*"
).
Best practices for assigning permissions
Working with user permissions requires delicacy. You don't want to unintentionally escalate users' roles by granting them excessive permissions, but you also don't want to hamper them in their day-to-day duties. The following sections describe some strategies and requirements for setting permissions in Puppet Enterprise (PE).
Grant edit
permissions to users with create
permissions
Creating objects doesn't automatically grant the creator permission to view those objects. Therefore, users who have permission to create an object (such as roles) must also be given permission to edit the same object. Otherwise, they can't see the object they create. When you grant permission to create an object, we recommend that you also grant permission to edit all objects of the type that they have permission to create.
Type | Permission | Object |
---|---|---|
User roles | Create | A specific object or all objects of this type
("*" ) |
User roles | Edit | All (or "*" ) |
Edit members
permission for all objects ("*"
).Type | Permission | Object |
---|---|---|
Users | Create | A specific object or all objects of this type
("*" ) |
Users | Edit | All (or "*" ) |
Least-privilege model: Avoid overly-permissive permissions
Operators, one of the default PE roles, have many of the same permissions as Administrators. However, we've intentionally limited this role's ability to edit user roles. This way, users with the Operators role can do many of the same things as Administrators, but they can't edit (or enhance) their own permissions.
Similarly, when you're editing permission or creating your own roles, avoid granting users more
permissions than necessary. For example, if users have the
roles:edit:*
permission, this allows them to add the
node_groups:view:*
permission to the roles they belong to, and,
subsequently, see all node groups. Take care that permissions you've granted don't
have the potential to allow a user to view or change something you don't want them
to view or change.
Grant edit directory service
permissions sparingly
The directory service password is not redacted when a user requests directory service settings
through the RBAC API. Make sure the directory_service:edit:*
permission is only granted to users who are allowed see the directory service
password and other settings.
Grant reset password
permissions along with other password
permissions
The users:reset_password:<INSTANCE>
permission allows a user to issue a
password reset token to a user who forgot their password. However, this permission
also reinstates revoked users when the password reset token is used. Therefore, make
sure the users you allow to reset passwords are also allowed to revoke and reinstate
users. Otherwise, you might have unauthorized users reinstating revoked users.