User Class Management
Overview
User Class Management allows Runbook Automation customers to assign users to User Classes, which act as a superset of ACL enforcement and licensing seat management. Each class enforces a pre-set collection of restrictions across all customer-defined projects. The Class Management module, included as part of the User Management features, allows customers to assign users to classes to fit their use cases.
User Classes
User Classes act as a superset of ACLs. Rundeck uses a lowest privilege model. These ACLs will allow a certain level of access “at the most”, and customers can apply customized ACLs to further refine access.
Full User
This User Class allows full access to the Runbook Automation environment.
Job Runner
This User Class, when assigned, will allow a user to run jobs and view output on all projects. They cannot modify jobs or other resources.
Note: Not all licenses include the Job Runner. Please contact your customer support manager for information.
Default Class Assignment
By default, users are assigned to the Full User class. For OnPrem installations this is configurable: to assign a different class by default, add the following entry in the Configuration Management UI.
rundeck.license.entitlements.userClass.autoAssignUserClass
Possible values are: [FullUser | JobRunner | None]
If the setting is not present, FullUser is used for OnPrem installations and AppAdmin is used for Cloud.
Note: “None” would represent no access to anything in Runbook Automation. The user could login but would have access to nothing. This is not an assignable class today and will not show up in the management UI. It is only available for default assignment.
Warning: This is not available in the Cloud offering.
Assigning Classes
To assign a class to a user:
- Log in to Runbook Automation as an admin equivalent account.
- Open the System Menu (gear icon) and select User Manager.
- Select the User Classes Tab.
- Click Assign a New User.
- Type in the username and select the Class from the Choose User Class button.
Note: It is possible to assign users to classes before they have been created as a user or logged in. The initial release is a free form text field. There is no validation on the user name field in the initial release.
The “Bulk Assign” button can be used on any existing users by selecting them with the check box next to the accounts and choosing the role to assign.
Reporting
There is also a new section in the System Report (OnPrem Only) Diagnostics page called “User Class Usage Audit”.
Metrics included are as follows:
- FullUser.login.count: Count of User Logins for class FullUser in the time period.
- JobRunner.login.count: Count of User Logins for class JobRunner in the time period.
- JobRunner.login.unique.count: Count of Unique User Logins for class JobRunner in the time period.
- FullUser.login.unique.count: Count of Unique User Logins for class FullUser in the time period.
- FullUser.assigned.current: Current Count of User Class assignments for FullUser.
- JobRunner.assigned.current: Current Count of User Class assignments for JobRunner.
- JobRunner.assigned.max: Max Count of User Class assignments for JobRunner.
- FullUser.assigned.max: Max Count of User Class assignments for FullUser.
- FullUser.mapping.current: Current Mappings for FullUser. (shown as array of usernames)
This section is also included in the Export Report and may be asked for as part of licensing validation.
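The metrics above can drive a periodic least-privilege review. The following is an added example, not Runbook Automation code: it assumes the audit metrics have been loaded into a flat dictionary keyed by the metric names listed above (the layout of the real export may differ), and the function name, sample values and known-user list are constructed for illustration. Seat limits are taken from the (10) Full Users, (10) Job Runners entitlements described under Licensing.

```python
# Added example: least-privilege review of "User Class Usage Audit" metrics.
# Assumption: metrics are a flat dict keyed by the documented metric names;
# the layout of the real export may differ.

SEATS = {"FullUser": 10, "JobRunner": 10}  # entitlements from the Licensing example


def audit_user_classes(metrics, known_users, seats=SEATS):
    """Return a list of (finding, subject) tuples for review."""
    findings = []
    for cls, limit in seats.items():
        current = metrics.get(f"{cls}.assigned.current", 0)
        peak = metrics.get(f"{cls}.assigned.max", 0)
        unique = metrics.get(f"{cls}.login.unique.count", 0)
        if current > limit:
            findings.append(("seats_exceeded", cls))
        elif peak > limit:
            findings.append(("seats_exceeded_in_past", cls))
        # More assignments than distinct logins: some grants went unused.
        if current > unique:
            findings.append(("idle_assignments", cls))

    # The assignment form does not validate usernames, so a mapping can name
    # an account that does not exist (yet) or one that was mistyped.
    known = set(known_users)
    normalized = {u.strip().casefold() for u in known_users}
    for name in metrics.get("FullUser.mapping.current", []):
        if name in known:
            continue
        if name.strip().casefold() in normalized:
            findings.append(("near_match", name))  # heuristic: case or whitespace
        else:
            findings.append(("unknown_user", name))
    return findings


# Constructed sample data, not output from a real system.
SAMPLE_METRICS = {
    "FullUser.assigned.current": 4, "FullUser.assigned.max": 4,
    "FullUser.login.unique.count": 2,
    "FullUser.mapping.current": ["alice", "bob", "Carol ", "svc-deploy"],
    "JobRunner.assigned.current": 11, "JobRunner.assigned.max": 12,
    "JobRunner.login.unique.count": 11,
}
SAMPLE_KNOWN_USERS = ["alice", "bob", "carol"]  # e.g. from the identity provider

if __name__ == "__main__":
    for finding, subject in audit_user_classes(SAMPLE_METRICS, SAMPLE_KNOWN_USERS):
        print(f"{finding}: {subject!r}")
```

Unknown or near-match entries in the Full User mapping deserve the first look, since that class grants full access and assignments can be made before the account exists.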
Licensing
The User Classes are enabled on and entitled through an updated license model that includes “entitlements”. In the graphic shown above the license has been generated with entitlements for (10) Full Users, (10) Job Runners.