RBAC - possible to limit a user to creating hosts/vms only in specific subnets/domains?

How granular can you go with the RBAC rules?

In the filters, what is the organization? Is that more of a Katello thing?
I can see default org for Puppet, but not sure how that helps/relates to
the RBAC filter.

A bit more info about organizations and locations:

Wiki page <LocationsAndOrganizations - Foreman> (a bit outdated, but the concept is still valid)
Deep dive <https://www.youtube.com/watch?v=D4cON77hmnI> (It's a bit technical, but the first part explains the feature)

Every user can have permissions to one or more organizations, and every
resource (subnet, domain) can belong to one or more organizations. The same
goes for locations.

So a user can use resources like domains and subnets only if the resource
is available to the same organization as the user.

Can you please tell us more about your use case, so we can see what is the
best solution for you?

Thanks,
Shim.

On Monday, February 15, 2016 at 7:36:59 PM UTC+2, Byron Miller wrote:

> How granular can you go with the RBAC rules?
>
> In the filters, what is the organization? Is that more of a Katello thing?
> I can see default org for Puppet, but not sure how that helps/relates to
> the RBAC filter.

Shim,

Thanks for the reply. I'm looking at killing off vRealize and trying to give
one or two of my vRA customers similar ability to spin up infrastructure
through Foreman… I'll check out the deep dive video and wiki page and try
and see what is currently available.

Mostly just trying to fence a specific group to see if we can let them
spin up/destroy VMs and not have them have full access to everything else.
I trust the dudes, but need to cover my butt :)

On Wednesday, February 17, 2016 at 6:46:14 AM UTC-6, ssh...@redhat.com wrote:

> A bit more info about organizations and locations:
> Wiki page (a bit outdated, but the concept is still valid)
> Deep dive (It's a bit technical, but the first part explains the feature)
>
> Every user can have permissions to one or more organizations, and every
> resource (subnet, domain) can belong to one or more organizations. The same
> goes for locations.
>
> So a user can use resources like domains and subnets only if the resource
> is available to the same organization as the user.
>
> Can you please tell us more about your use case, so we can see what is the
> best solution for you?
>
> Thanks,
> Shim.
>
> On Monday, February 15, 2016 at 7:36:59 PM UTC+2, Byron Miller wrote:
>
>> How granular can you go with the RBAC rules?
>>
>> In the filters, what is the organization? Is that more of a Katello
>> thing? I can see default org for Puppet, but not sure how that
>> helps/relates to the RBAC filter.

That's pretty much exactly the use case for Organizations - multitenant
setups with isolation. Some things are shared across Orgs, so test it
first, but in general what you want should be possible.

On 22 February 2016 at 04:33, Byron Miller wrote:

> Shim,
>
> Thanks for the reply. I'm looking at killing off vRealize and trying to
> give one or two of my vRA customers similar ability to spin up infrastructure
> through Foreman… I'll check out the deep dive video and wiki page and try
> and see what is currently available.
>
> Mostly just trying to fence a specific group to see if we can let them
> spin up/destroy VMs and not have them have full access to everything else.
> I trust the dudes, but need to cover my butt :)
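
A simplified model of the organization scoping discussed in this thread, added here as an illustration; it is not Foreman's code and not part of any post. It shows the "resource must share an organization with the user" rule and a pre-rollout audit for resources a tenant organization shares with others. All class names, function names and the inventory are constructed assumptions, and locations are left out.

```python
# Simplified model of organization scoping; NOT Foreman's implementation.
# Every name and the inventory below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    kind: str                 # "subnet" or "domain"
    name: str
    organizations: frozenset  # organizations the resource is assigned to


@dataclass(frozen=True)
class User:
    login: str
    organizations: frozenset  # organizations the user has access to


def usable(user, resource):
    """A resource is usable only if it shares an organization with the user."""
    return bool(user.organizations & resource.organizations)


def check_host_request(user, subnet, domain):
    """Return reasons a host request is out of scope; empty list means allowed."""
    return [f"{r.kind} {r.name} is outside the organizations of {user.login}"
            for r in (subnet, domain) if not usable(user, r)]


def shared_outside(tenant_org, inventory):
    """Resources the tenant org can reach that other organizations also use.

    These are the places where tenant isolation depends on something shared,
    so they are the ones to review before handing out access.
    """
    return sorted(r.name for r in inventory
                  if tenant_org in r.organizations and len(r.organizations) > 1)


# Constructed sample inventory: one tenant org, one internal ops org.
INVENTORY = [
    Resource("subnet", "tenant-a-net", frozenset({"TenantA"})),
    Resource("subnet", "mgmt-net", frozenset({"Ops"})),
    Resource("subnet", "shared-dmz", frozenset({"TenantA", "Ops"})),
    Resource("domain", "a.example.com", frozenset({"TenantA"})),
    Resource("domain", "corp.example.com", frozenset({"Ops"})),
]
BY_NAME = {r.name: r for r in INVENTORY}
ALICE = User("alice", frozenset({"TenantA"}))  # constructed tenant user

if __name__ == "__main__":
    print(check_host_request(ALICE, BY_NAME["mgmt-net"], BY_NAME["a.example.com"]))
    print(shared_outside("TenantA", INVENTORY))
```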