Need to have switch to restrict ability to create local users on Ansible Tower #11416
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
ISSUE TYPE
SUMMARY
One of the Tower Security Best Practices (https://docs.ansible.com/ansible-tower/latest/html/administration/security_best_practices.html#id6) is to 'minimize local system access'. However there is no way to actually control this. Org admins have control to create new local users with no password complexity requirements.
This feature request is to enable system admins to restrict the ability of Org Admins to create local users. This could be a global switch to turn on or off the ability to create local user accounts, or to restrict this feature to System Admins.
The use case is that we may have many Tower Orgs for different teams and areas in our Organisation. Our Organisation maintains strict User Access Control definitions and local user accounts are prohibited. Due to the effort involved in maintaining RBAC across different teams we hand the Tower Organisation RBAC to each Tower Org themselves, but currently are not able to restrict the creation of local user accounts.
The text was updated successfully, but these errors were encountered: