AnsiblePilot — Master Ansible Automation

Centralized RBAC with the Gateway API in AAP 2.6

By Luca Berton · Published 2024-01-01 · Category: installation

How AAP 2.6 centralizes role-based access control (RBAC) through the platform gateway API for unified identity and access management.

Introduction

AAP 2.6 centralizes role-based access control (RBAC) through the platform gateway API, providing a single point for managing users, teams, roles, and permissions across all platform components.

See also: Security Best Practices for Ansible Automation Platform 2.6

Why Centralized RBAC Matters

In previous versions, RBAC was managed separately for each component:

• Automation Controller had its own roles and permissions
• Automation Hub had separate access controls
• Event-Driven Ansible managed its own users

This led to:

• Inconsistent access policies across components
• Administrative overhead managing multiple RBAC systems
• Risk of permission drift between components

How Gateway RBAC Works

Unified Identity Management

The platform gateway serves as the central identity provider:

# All components now use a single authentication source
gateway:
  authentication:
    type: ldap  # or saml, oidc
    server: ldap://ldap.example.com
    base_dn: "dc=example,dc=com"

Centralized Role Definitions

Define roles once, apply everywhere:

# Example: Define a role with access across components
roles:
  - name: "Automation Operator"
    permissions:
      controller:
        - view_job_template
        - execute_job_template
      hub:
        - view_collection
        - download_collection
      eda:
        - view_rulebook
        - enable_rulebook

Standardized API

The ansible.platform collection uses the Gateway API for configuration-as-code:

- name: Create team with RBAC
  ansible.platform.team:
    name: "Network Automation"
    organization: "IT Operations"
    roles:
      - "Automation Operator"
    state: present

See also: Integrating HashiCorp Vault with Event-Driven Ansible in AAP 2.6

Migration from Component-Level RBAC

When upgrading to AAP 2.6, the installer automatically:

• Migrates users from controller to gateway
• Preserves team memberships and role assignments
• Maps component-level permissions to gateway roles
• Maintains administrator privileges

Best Practices

• Audit before upgrading: Review existing RBAC across all components
• Standardize roles: Define consistent roles that apply across the platform
• Use configuration-as-code: Manage RBAC through the ansible.platform collection
• Regular reviews: Schedule periodic access reviews
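One way to carry out the "audit before upgrading" step, as an added example (not code from the original article or from AAP): it diffs what each component grants today against the single "Automation Operator" role defined above and reports permission drift. The export format, the user names and the delete_job_template permission are constructed for illustration; only the role's permission names come from the article.

```python
"""Pre-upgrade RBAC audit: diff per-component grants against one central role."""

# Central role, using the permission names from the role definition above.
CENTRAL_ROLES = {
    "Automation Operator": {
        "controller": {"view_job_template", "execute_job_template"},
        "hub": {"view_collection", "download_collection"},
        "eda": {"view_rulebook", "enable_rulebook"},
    }
}

# Constructed sample data (hypothetical export format): the role each user is
# meant to hold, and what every component actually grants that user today.
INTENDED = {"alice": "Automation Operator", "bob": "Automation Operator"}
COMPONENT_GRANTS = {
    "controller": {
        "alice": {"view_job_template", "execute_job_template"},
        # Excess grant; delete_job_template is a constructed permission name.
        "bob": {"view_job_template", "execute_job_template", "delete_job_template"},
    },
    "hub": {
        "alice": {"view_collection", "download_collection"},
        "bob": {"view_collection"},  # missing download_collection
    },
    # bob has no EDA account at all; carol exists only in EDA.
    "eda": {"alice": {"view_rulebook", "enable_rulebook"}, "carol": {"view_rulebook"}},
}

def audit_drift(intended, grants, roles):
    """Return {user: {component: {"excess": [...], "missing": [...]}}}, drift only."""
    findings = {}
    for user, role_name in intended.items():
        for component, expected in roles[role_name].items():
            actual = grants.get(component, {}).get(user, set())
            excess, missing = sorted(actual - expected), sorted(expected - actual)
            if excess or missing:
                findings.setdefault(user, {})[component] = {
                    "excess": excess, "missing": missing}
    return findings

def orphaned_accounts(intended, grants):
    """Users that appear in some component export but have no intended role."""
    seen = {user for users in grants.values() for user in users}
    return sorted(seen - set(intended))

if __name__ == "__main__":
    for user, comps in audit_drift(INTENDED, COMPONENT_GRANTS, CENTRAL_ROLES).items():
        for comp, diff in comps.items():
            print(f"{user} @ {comp}: excess={diff['excess']} missing={diff['missing']}")
    print("orphaned accounts:", orphaned_accounts(INTENDED, COMPONENT_GRANTS))
```

Excess grants and orphaned accounts are the findings to resolve before the migration, since the installer preserves existing role assignments.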

See also: AAP 2.6 Multi-Tenancy: Organizations, Teams, and RBAC at Scale

Conclusion

Centralized RBAC through the gateway API simplifies administration and improves security posture. It's one of the most impactful architectural improvements in the AAP 2.x series.
