Are there any API users who could suggest some least privilege role
definitions for access to Foreman's API from remote systems?
I'm not entirely clear on how UI permissions relate to API permissions, if
at all. I would like to build two API user roles, one which can read
almost any information that the API provides and another which could modify
parameters at host/hostgroup levels, and perhaps more.
One use case is use the API to manage Nagios Contacts, ContactGroups, and
HostGroups in a way that mirrors Foreman's information on host owner, the
owner's User Group, and host's Hostgroup(s). The groups are not well
suited to be developed out of stored_configs in Puppet, since exporting a
contact group resource on each host based on it's owner's group or host
group will lead to duplicate resource issues.