In Ansible Tower 3.5.x and later versions, when users are added to a team, there is no UI component/option to set users as team admin. However, calling the API could still assign users team admin roles (POST /api/v2/users/id/roles/).
Is there any option to assign a user the team admin role via the UI? Is the team admin role deprecated?
When adding the user, there should be an option to add a user with the team admin role.
No option to add a user with the team admin role
In the official user guide of Ansible Tower 3.5.x and later versions (https://docs.ansible.com/ansible-tower/latest/html/userguide/teams.html#add-a-user), the example picture doesn't show an option to add a user with team admin roles.
However, in earlier docs (https://docs.ansible.com/ansible-tower/3.4.1/html/userguide/teams.html#add-a-user), the example picture still had that option.
It's an option, but team admin only lets you add/remove users from the team. Is this a permission you need to use in practice outside of the org admin doing it?
@wenottingham We had the option to add a user to a team as team admin via the UI. Now it has been removed without being mentioned in the release notes (or perhaps I missed it). Some of our Tower users asked about the change (they cannot add a team admin), which is why I submitted this request.
If this change is desired, could we know the consideration behind this change?
Mostly just that it's not a useful permission in practice. We had more confusion by users who thought it provided org-admin like privileges at a team level.
I'd like to reopen such discussions.
Having USER/ADMIN permissions at a team level allows using Teams for self-service user management, i.e. this permits us to hand over user management to just a small group of admins.
Perhaps this role can be named "TEAM ADMIN" to avoid confusion.
We needed self-service user management for some automation we built on top of Tower. Lacking this feature in Tower, we had to hook up a rather ugly system that in our case pulled users dynamically from an LDAP group (internally: Rover) and added/removed these users individually from Tower assets (like a template). This was because our LDAP-backed system has this USER/ADMIN model while Tower teams do not. Admins still need to access an external UI to perform this user management.
@fpob