Introduction

AAP 2.6 centralizes role-based access control (RBAC) through the platform gateway API, providing a single point for managing users, teams, roles, and permissions across all platform components.

Why Centralized RBAC Matters

In previous versions, RBAC was managed separately for each component:

  • Automation Controller had its own roles and permissions
  • Automation Hub had separate access controls
  • Event-Driven Ansible managed its own users

This led to:

  • Inconsistent access policies across components
  • Administrative overhead managing multiple RBAC systems
  • Risk of permission drift between components

How Gateway RBAC Works

Unified Identity Management

The platform gateway serves as the central identity provider:

```yaml
# All components now use a single authentication source
gateway:
  authentication:
    type: ldap  # or saml, oidc
    server: ldap://ldap.example.com
    base_dn: "dc=example,dc=com"
```

Centralized Role Definitions

Define roles once, apply everywhere:

```yaml
# Example: Define a role with access across components
roles:
  - name: "Automation Operator"
    permissions:
      controller:
        - view_job_template
        - execute_job_template
      hub:
        - view_collection
        - download_collection
      eda:
        - view_rulebook
        - enable_rulebook
```

Standardized API

The `ansible.platform` collection uses the Gateway API for configuration-as-code:

```yaml
- name: Create team with RBAC
  ansible.platform.team:
    name: "Network Automation"
    organization: "IT Operations"
    roles:
      - "Automation Operator"
    state: present
```

Migration from Component-Level RBAC

When upgrading to AAP 2.6, the installer automatically:

1. Migrates users from controller to gateway

2. Preserves team memberships and role assignments

3. Maps component-level permissions to gateway roles

4. Maintains administrator privileges

Best Practices

1. Audit before upgrading — Review existing RBAC across all components

2. Standardize roles — Define consistent roles that apply across the platform

3. Use configuration-as-code — Manage RBAC through the `ansible.platform` collection

4. Regular reviews — Schedule periodic access reviews
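
The audit in step 1 can be scripted as a comparison of what each component grants a user against the standardized role they should hold. The sketch below is an added example, not code from AAP or the `ansible.platform` collection. The role layout mirrors the "Automation Operator" example above; the users, the per-component grants and the `delete_job_template` permission name are constructed sample data, not output of any AAP API.

```python
# Added example: pre-upgrade RBAC drift audit over constructed data.
# ROLES mirrors the "Automation Operator" role shown on this page.
ROLES = {
    "Automation Operator": {
        "controller": {"view_job_template", "execute_job_template"},
        "hub": {"view_collection", "download_collection"},
        "eda": {"view_rulebook", "enable_rulebook"},
    },
}

# Constructed sample: what each component grants each user today.
# "delete_job_template" is a hypothetical permission name for illustration.
GRANTS = {
    "controller": {
        "alice": {"view_job_template", "execute_job_template"},
        "bob": {"view_job_template", "execute_job_template",
                "delete_job_template"},
    },
    "hub": {
        "alice": {"view_collection", "download_collection"},
        "bob": {"view_collection"},
    },
    "eda": {"alice": {"view_rulebook", "enable_rulebook"}},
}


def audit_user(user, role_name, roles=ROLES, grants=GRANTS):
    """Return {component: {"missing": set, "excess": set}} for each
    component where the user's grants differ from the target role."""
    findings = {}
    for component, wanted in roles[role_name].items():
        held = grants.get(component, {}).get(user, set())
        missing, excess = wanted - held, held - wanted
        if missing or excess:
            findings[component] = {"missing": missing, "excess": excess}
    return findings


def audit_all(role_name, roles=ROLES, grants=GRANTS):
    """Audit every user seen in any component; keep only users with drift."""
    users = {u for per_user in grants.values() for u in per_user}
    report = {u: audit_user(u, role_name, roles, grants) for u in sorted(users)}
    return {u: f for u, f in report.items() if f}


if __name__ == "__main__":
    for user, findings in audit_all("Automation Operator").items():
        for component, diff in findings.items():
            print(user, component, "missing:", sorted(diff["missing"]),
                  "excess:", sorted(diff["excess"]))
```

Entries under `excess` are the ones to resolve before the upgrade, since they are privileges that no standardized role accounts for.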

Conclusion

Centralized RBAC through the gateway API simplifies administration and improves security posture. It's one of the most impactful architectural improvements in the AAP 2.x series.
