Creating and managing local users and user roles

Role-based access control (RBAC) in Puppet Enterprise (PE) lets you to manage users—what they can and can't create, edit, or view—in an organized, high-level way that is more efficient than managing user permissions on a per-user basis. User roles are sets of permissions you can apply to multiple users. You can't assign permissions directly to users in PE, only to user roles. You then assign roles to users.

In addition to user records that you create, PE includes two default user records:
  • Administrator: A user that has the Administrator role applied by default. This means this user has every permission. You can revoke the Administrator user in situations where users are managed through a directory service, like LDAP.
  • API User: Used for service-to-service authentication within PE. You can't use it with the standard login, and you can't revoke it. It is only available through certificate-based authentication. The RBAC allow list identifies the certificates (by certname) that you can use for API User authentication.
Remember: All user records you create must be assigned to one or more roles before they can log in and use PE.
Note: Puppet stores local accounts and directory service integration credentials securely. Local account passwords are hashed using SHA-256 multiple times, along with a 32-bit salt. To update the algorithm to argon2id (only for non-FIPS enabled systems) or to configure password algorithm parameters, refer to Configure the password algorithm. Directory service lookup credentials configured for directory lookup purposes are encrypted using AES-128. Puppet does not store the directory credentials used for authenticating to Puppet. These are different from the directory service lookup credentials.

Create a user

These steps add a local user.

To add users from an external directory, see Working with user groups from an external directory.
  1. In the console, on the Access control page, click the Users tab.
  2. In the Full name field, enter the user's full name.
  3. In the Login field, enter a user name for the user.
  4. Click Add local user.

Give a user access to the PE console

When you create local users, you need to send them a password reset token that allows them to log in to PE for the first time.

  1. On the Access control page, on the Users tab, select the user's full name.
  2. Click Generate password reset.
  3. Copy the link provided in the message and send it to the new user.

Create a user role

Puppet Enterprise (PE) includes five default roles. You can also create your own roles.

For information about the five default roles, refer to User permissions and user roles.

Users with the appropriate permissions, such as Administrators, can create custom roles. To avoid unintentional privilege escalation, make sure the only users who can edit user roles are those who have all permissions (meaning Administrators). For more information, refer to Best practices for assigning permissions.

  1. In the console, on the Access control page, click the User roles tab.
  2. In the Name field, enter a name for the new user role.
  3. Optional: In the Description field, enter a description of the new user role.
  4. Click Add role.

Assign permissions to a user role

You can mix and match permissions to create custom user roles that provide users with precise access to Puppet Enterprise (PE) actions.

Before you begin
Review User permissions and user roles for important information about how permissions work in PE.
  1. On the Access control page, on the User roles tab, select a user role.
  2. Click Permissions.
  3. In the Type field, select the type of object you want to assign permissions for, such as Node groups.
  4. In the Permission field, select the permission you want to assign, such as View.
  5. In the Object field, select the specific object you want to assign the permission to. For example, if you are setting a permission to view node groups, select a specific node group this user role has permissions to view.
  6. Click Add permission, and commit changes.

Add a user to a user role

When you add a user to a role, the user gains the permissions you assign to that role. A user can't do anything in PE until they have been assigned to at least one role. If users are assigned to multiple roles, they get all permissions from all roles they are assigned to.

  1. On the Access control page, on the User roles tab, select a user role.
  2. Click Member users.
  3. In the User name field, select the user you want to add to the user role.
  4. Click Add user, and commit changes.

Remove a user from a user role

When you remove a user from a role, the user loses the permissions associated with that role. If you remove all roles from a user, the user can't do anything in PE until they are assigned to at least one role.

  1. On the Access control page, on the User roles tab, select a user role.
  2. Click Member users.
  3. Locate the user you want to remove from the user role. Click Remove, and commit changes.

Revoke or reinstate user access

If you want to stop a user from accessing PE without deleting their account, you can revoke the user. Users are automatically revoked if they have too many incorrect password attempts. This is also referred to as locking a user's account. You can use these steps to revoke users or reinstate revoked users.

  1. In the console, on the Access control page, click the Users tab.
  2. In the Full name column, select the user you want to revoke.
  3. Click Revoke user access.
    Tip: To reinstate a revoked a user, click Reinstate user access.

Change account expiration settings

You can specify the number of days before an inactive user's account is automatically revoked. You can also specify how often Puppet Enterprise (PE) checks for idle user accounts.

rbac_account_expiry_days

The rbac_account_expiry_days parameter is a positive integer specifying the duration, in days, before an inactive user account expires. If a user (who isn't a superuser) doesn't log in to the PE console at least once during the specified period, their user's access is automatically revoked.

The default value is undefined, meaning no expiration limit. To activate this setting in the console, specify a value of 1 or greater for the rbac_account_expiry_days parameter in the puppet_enterprise::profile::console class of the PE Infrastructure node group. The value corresponds to the number of days an account can be idle before being revoked. For example, 30 would be 30 days.

Important: If the account_expiry_days parameter is not specified, or has a value of less than 1, the account_expiry_check_minutes parameter is ignored.

rbac_account_expiry_check_minutes

The rbac_account_expiry_check_minutes parameter is a positive integer that specifies how often, in minutes, PE checks for idle user accounts. The default value is 60 minutes.

To change this setting in the console, set a value (representing a number of minutes) of the rbac_account_expiry_check_minutes parameter in the puppet_enterprise::profile::console class of the PE Infrastructure group.

Delete a user

You can delete a user through the Puppet Enterprise (PE) console. This deletes only the user's PE account. It does not delete the user's listing in any external directory service.

Deletion removes all data about the user except for their activity data, which continues to be stored in the database and remains viewable through the Activity service API.
Tip: If you delete a user and then create a user with the same full name and login, PE issues a new user ID for the new user record. When this happens, requests to the Activity service API about this ID return information from both the deleted user record and the new user record. However, in the PE console, the new user record's Activity tab does not display information about the deleted user's account.
  1. In the console, on the Access control page, click the Users tab.
  2. In the Full name column, locate the user you want to delete.
  3. Click Remove.
    You can't delete users with superuser privileges. The Remove button is not available when viewing these users.

Delete a user role

You can delete a user role through the Puppet Enterprise (PE) console.

When you delete a user role, any users assigned to that role and no longer assigned to it. Therefore, those users lose the permissions that the role gave them. This can impact their access to PE if they are not assigned other roles.
  1. In the console, on the Access control page, click the User roles tab.
  2. In the Name column, locate the role you want to delete.
  3. Click Remove.