Roles

Overview

Chef Automate Identity and Access Management (IAM) roles are named groups of actions used to define policies. Actions describe what users are allowed to do in Automate. The IAM Actions page lists the action or actions required to access each page in the browser.

Users need permission for the iam:roles action to interact with roles. Any user who is a member of the admins team or of the Administrator policy already has this permission; otherwise, create an IAM custom policy to grant it.

Chef-Managed Roles

Chef-managed roles are roles provided by Chef that cannot be changed.

Role             Description
Viewer           View everything in the system except IAM
Editor           Do everything in the system except IAM and license application
Owner            Do everything in the system including IAM
Project Owner    Editor + view and assign projects
Ingest           Ingest data into the system

Actions for Chef-Managed Roles

Name (ID): Actions

Owner (owner): *

Project Owner (project-owner): infra:nodes:*, infra:nodeManagers:*, compliance:*, event:*, ingest:*, secrets:*, iam:projects:list, iam:projects:get, iam:projects:assign, iam:policies:list, iam:policies:get, iam:policyMembers:*, iam:teams:list, iam:teams:get, iam:teamUsers:*, iam:users:get, iam:users:list, applications:*

Editor (editor): infra:infraServers:list, infra:infraServers:get, infra:nodes:*, infra:nodeManagers:*, compliance:*, event:*, ingest:*, secrets:*, iam:projects:list, iam:projects:get, iam:projects:assign, applications:*

Viewer (viewer): infra:infraServers:list, infra:infraServers:get, secrets:*:get, secrets:*:list, infra:nodes:get, infra:nodes:list, infra:nodeManagers:get, infra:nodeManagers:list, compliance:*:get, compliance:*:list, event:*:get, event:*:list, ingest:*:get, ingest:*:list, iam:projects:list, iam:projects:get, applications:*:get, applications:*:list

Ingest (ingest): infra:ingest:*, compliance:profiles:get, compliance:profiles:list
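The table above is easiest to reason about when you can ask "which Chef-managed role is the narrowest one that grants this action?". The following script is an added example and not Chef Automate's own authorization code: it copies the role definitions from the table and assumes the segment-wise wildcard semantics those patterns imply (a pattern such as compliance:*:get covers any colon-separated action whose first segment is compliance and whose last is get, a trailing * covers all remaining segments, and * alone covers everything).

```python
"""Which Chef-managed role grants a given IAM action?

Added example; not Chef Automate's own authorization code. Role definitions
are copied from the table above; the wildcard matching rule is an assumption
drawn from the shape of those patterns.
"""

# Chef-managed roles and their actions, as listed on the page.
CHEF_MANAGED_ROLES = {
    "owner": ["*"],
    "project-owner": [
        "infra:nodes:*", "infra:nodeManagers:*", "compliance:*", "event:*",
        "ingest:*", "secrets:*", "iam:projects:list", "iam:projects:get",
        "iam:projects:assign", "iam:policies:list", "iam:policies:get",
        "iam:policyMembers:*", "iam:teams:list", "iam:teams:get",
        "iam:teamUsers:*", "iam:users:get", "iam:users:list", "applications:*",
    ],
    "editor": [
        "infra:infraServers:list", "infra:infraServers:get", "infra:nodes:*",
        "infra:nodeManagers:*", "compliance:*", "event:*", "ingest:*",
        "secrets:*", "iam:projects:list", "iam:projects:get",
        "iam:projects:assign", "applications:*",
    ],
    "viewer": [
        "infra:infraServers:list", "infra:infraServers:get", "secrets:*:get",
        "secrets:*:list", "infra:nodes:get", "infra:nodes:list",
        "infra:nodeManagers:get", "infra:nodeManagers:list", "compliance:*:get",
        "compliance:*:list", "event:*:get", "event:*:list", "ingest:*:get",
        "ingest:*:list", "iam:projects:list", "iam:projects:get",
        "applications:*:get", "applications:*:list",
    ],
    "ingest": ["infra:ingest:*", "compliance:profiles:get", "compliance:profiles:list"],
}


def action_matches(pattern, action):
    """True if `pattern` covers `action` under the assumed segment-wise rule."""
    p_parts = pattern.split(":")
    a_parts = action.split(":")
    for i, p in enumerate(p_parts):
        if i >= len(a_parts):
            return False          # pattern is more specific than the action
        if p == "*" and i == len(p_parts) - 1:
            return True           # trailing wildcard covers the remaining segments
        if p != "*" and p != a_parts[i]:
            return False
    return len(p_parts) == len(a_parts)


def role_permits(role_id, action):
    """True if the named Chef-managed role grants `action`."""
    return any(action_matches(p, action) for p in CHEF_MANAGED_ROLES[role_id])


def roles_permitting(action):
    """Least-privilege lookup: every Chef-managed role that grants `action`."""
    return [r for r in CHEF_MANAGED_ROLES if role_permits(r, action)]


if __name__ == "__main__":
    for action in ("compliance:profiles:get", "compliance:profiles:create",
                   "iam:projects:assign", "iam:roles:update"):
        print(f"{action:32} -> {', '.join(roles_permitting(action))}")
```

Running it shows, for instance, that compliance:profiles:get is covered by every role down to Ingest, that compliance:profiles:create stops at Editor, and that iam:roles:update is granted by Owner only, which is why a dedicated custom policy is needed for non-admins who must manage roles.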

Custom Roles

Custom roles are roles that any user with permission for the iam:roles:update action can change. In addition to the Chef-managed roles above, Chef Automate includes two custom roles by default.

Role                 Description
Compliance Viewer    Viewer for compliance resources
Compliance Editor    Editor for compliance resources

You can edit these custom roles like other user-created custom roles.

Managing Roles

Creating Roles

Custom roles can only be created using the Roles API.

Example Custom Role

{
  "name": "Advocate",
  "id": "advocate-role",
  "actions": [
    "infra:*",
    "compliance:*",
    "teams:*",
    "users:*"
  ],
  "projects": [
    "east-region",
    "west-region"
  ]
}

Changing Role Details

For custom roles, use the Roles API to change the role name, actions list, and projects.
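Since both creating a custom role and changing its name, actions list or projects go through the Roles API, the following added example (not Chef Automate's own code or tooling) prepares those two requests with Python's standard library and lints the role body first. The Advocate body is the page's example; the endpoint paths (/apis/iam/v2/roles for create, /apis/iam/v2/roles/{id} for update), the api-token request header, the lowercase-alphanumeric-and-hyphen ID rule and the host name are assumptions to adapt to your deployment.

```python
"""Create and update a custom role through the Chef Automate Roles API.

Added example, not Chef Automate's own code or tooling. The "Advocate" body is
the example from the page. The endpoint paths, the "api-token" header, the ID
format rule and the host name are assumptions to adapt to your deployment.
"""
import json
import re
import urllib.request

# Custom role body copied from the page's example.
ADVOCATE_ROLE = {
    "name": "Advocate",
    "id": "advocate-role",
    "actions": ["infra:*", "compliance:*", "teams:*", "users:*"],
    "projects": ["east-region", "west-region"],
}

ROLE_ID_RE = re.compile(r"^[a-z0-9-]+$")   # assumed ID format


def validate_role(role):
    """Return a list of problems with a role body; an empty list means it is usable.

    The "*" check is a least-privilege lint: a custom role granting "*" is
    equivalent to the Chef-managed Owner role, which already exists.
    """
    problems = []
    for key in ("name", "id", "actions"):
        if key not in role:
            problems.append(f"missing required field {key!r}")
    if "id" in role and not ROLE_ID_RE.match(role["id"]):
        problems.append("id must be lowercase letters, digits and hyphens (assumed rule)")
    if not role.get("actions"):
        problems.append("actions must list at least one action")
    elif "*" in role["actions"]:
        problems.append('"*" grants every action; use the Chef-managed Owner role instead')
    return problems


def build_request(base_url, token, method, path, body=None):
    """Prepare an authenticated JSON request without sending it."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("api-token", token)          # assumed Automate auth header
    req.add_header("Content-Type", "application/json")
    return req


def create_role_request(base_url, token, role):
    """POST a new custom role; the page says custom roles are created only via the API."""
    problems = validate_role(role)
    if problems:
        raise ValueError("; ".join(problems))
    return build_request(base_url, token, "POST", "/apis/iam/v2/roles", role)


def update_role_request(base_url, token, role):
    """PUT the full role body to change its name, actions list or projects."""
    problems = validate_role(role)
    if problems:
        raise ValueError("; ".join(problems))
    return build_request(base_url, token, "PUT", f"/apis/iam/v2/roles/{role['id']}", role)


def describe_request(req):
    """The parts of a prepared request worth reviewing before it is sent."""
    return {
        "method": req.get_method(),
        "url": req.full_url,
        "has_token": req.has_header("Api-token"),   # urllib stores header names capitalised
        "body": json.loads(req.data) if req.data else None,
    }


def send(req):
    """Send a prepared request and decode the JSON reply (needs a reachable Automate)."""
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    base, token = "https://automate.example", "REPLACE-WITH-API-TOKEN"  # placeholders
    print(describe_request(create_role_request(base, token, ADVOCATE_ROLE)))
    # Narrow the role later: same id, smaller actions list (constructed values).
    narrowed = dict(ADVOCATE_ROLE, actions=["infra:nodes:*", "compliance:*"])
    print(describe_request(update_role_request(base, token, narrowed)))
```

Keeping request preparation separate from send() lets you review the exact method, URL and body (or feed them into a change-review pipeline) before a role that grants permissions is created or widened; the update path sends the whole role body, so a narrowed actions list replaces the previous one rather than being merged into it.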

Deleting Roles

Navigate to Roles in the Settings tab. Then open the menu at the end of the table row and select Delete Role.