Teams

This guide will show you how to manage Chef Automate teams. Import existing teams into Chef Automate with Microsoft AD (LDAP), generic LDAP or SAML.

You can create local Chef Automate teams that are independent of LDAP or SAML. Teams can be used for policy-based authorization.

Prerequisites

Before you follow these instructions, we recommend you install the JSON processor jq to ensure readable output. Without it, some commands may need to be modified.

You will need administrative access to interact with the teams API. An existing administrative user can provide that access.

To interact with the teams API using cURL, fetch an admin API token available from the chef-automate CLI, and set it to a usable variable:

export TOK=`chef-automate admin-token`

Teams

Creating Teams

Create a Team from Chef Automate

As an administrative user, you can create a team in the UI from the Settings tab. Select Teams in the sidebar then use the Add Team button:

Add Local Team

First, enter a unique name and description for the team. Save your new team:

Create Team

Upon creating the team, you’ll be taken to the new team’s details page:

Team Details

Add users to the new team:

Add Users

Now, you can create a new policy for your team. All members will now have additional access based on that new policy.

Create a Team using the Command Line with cURL

To create a Chef Automate team, you’ll need to provide a name and description. Team names must be unique.

curl -H "api-token: $TOK" -H "Content-Type: application/json" -d '{"name":"Team Name", "description":"My Chef Team"}' https://automate.example.com/api/v0/auth/teams | jq

Fetching Teams

You can fetch a team by its ID:

curl -H "api-token: $TOK" https://automate.example.com/api/v0/auth/teams/{id} | jq

You can also fetch all teams, collectively:

curl -H "api-token: $TOK" https://automate.example.com/api/v0/auth/teams | jq

Updating Teams

To update a team, you must supply its name and description:

curl -X PUT -H "api-token: $TOK" -H "Content-Type: application/json" -d '{"name":"An Updated Team Name", "description": "An updated description"}' https://automate.example.com/api/v0/auth/teams/{ID} | jq

Deleting Teams

To delete a team, you must supply its ID:

curl -X DELETE -H "api-token: $TOK" -H "Content-Type: application/json" https://automate.example.com/api/v0/auth/teams/{ID}

Managing Chef Automate User and Team Associations

Viewing a User’s Teams

To view a user’s teams, you will need the user’s ID:

curl -H "api-token: $TOK" https://automate.example.com/api/v0/auth/users/{user_ID}/teams | jq

Viewing a Team’s Users

To view a team’s users, you will need the team’s ID. This returns JSON that contains an array of user IDs associated with the team:

curl -H "api-token: $TOK" https://automate.example.com/api/v0/auth/teams/{team_ID}/users | jq

Adding Users to a Team

To add users to a team, you will need both the team ID and the IDs of the users you will add:

curl -H "api-token: $TOK" -H "Content-Type: application/json" -d '{"user_ids":["userID", "secondUserID"]}' https://automate.example.com/api/v0/auth/teams/{team_ID}/users | jq

Removing Users from a Team

To remove users from a team, you will need both the team ID and the IDs of the users you will remove:

curl -X PUT -H "api-token: $TOK" -H "Content-Type: application/json" -d '{"id":"teamID", "user_ids":["userID", "secondUserID"]}' https://automate.example.com/api/v0/auth/teams/{team_ID}/users

Common Use Cases

Adding Users to the Admin Team

Adding users to the default admins team will give them full access to all endpoints in Chef Automate; they will be able to manage policies, users, teams, and integrations.

You may add users on the admins Team details page:

Add Users to Admins

You may also complete this operation from the command line.

  1. Fetch an admin API token available from the chef-automate CLI and set it to a usable variable:

    export TOK=`chef-automate admin-token`
  2. Get the admins team ID and set it to a usable variable:

    export ID=`curl -H "api-token: $TOK" https://automate.example.com/api/v0/auth/teams | jq -r '.teams[] | select(.name =="admins").id'`
  3. Confirm the user IDs for the user(s) you want to add to the admins team.

    ID of a single user:

    curl -H "api-token: $TOK" https://automate.example.com/api/v0/auth/users/{username} | jq .id

    Fetch all users (with IDs):

    curl -H "api-token: $TOK" -H "Content-Type: application/json" https://automate.example.com/api/v0/auth/users | jq
  4. Add the user(s) to the admins team:

    curl -H "api-token: $TOK" -H "Content-Type: application/json" -d '{"user_ids":["userID", "secondUserID"]}' https://automate.example.com/api/v0/auth/teams/$ID/users | jq
  5. Verify that the user is a member of the team by listing all members of the admins team:

    curl -H "api-token: $TOK" -H "Content-Type: application/json" https://automate.example.com/api/v0/auth/teams/$ID/users | jq
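
Because membership in the admins team grants full access to all endpoints, the verification step above can be extended into a recurring audit that compares the team's members with an approved list. The Python below is an added example, not part of the Chef Automate documentation or tooling. It assumes the team-users response carries its array under a "user_ids" key; the approved list and all sample IDs are constructed.

```python
import json
import urllib.request

def fetch_json(base_url, path, token):
    """GET an Automate API path with the api-token header used on this page."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"api-token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def admins_team_id(teams_doc):
    """Return the ID of the team named 'admins' (same selection as the jq filter)."""
    ids = [t["id"] for t in teams_doc.get("teams", []) if t.get("name") == "admins"]
    if len(ids) != 1:
        # Zero or several matches means the audit cannot trust its target.
        raise ValueError(f"expected exactly one admins team, found {len(ids)}")
    return ids[0]

def audit_admins(users_doc, approved):
    """Compare current admins membership with an approved allow-list."""
    # Assumption: the team-users response carries its array under "user_ids".
    current = set(users_doc.get("user_ids", []))
    approved = set(approved)
    return {"unexpected": sorted(current - approved),
            "missing": sorted(approved - current)}

# Constructed sample responses and allow-list (not real Automate output).
SAMPLE_TEAMS = json.loads(
    '{"teams": [{"id": "t-111", "name": "admins"}, {"id": "t-222", "name": "ops"}]}')
SAMPLE_USERS = json.loads('{"user_ids": ["u-alice", "u-bob", "u-mallory"]}')
APPROVED_ADMINS = ["u-alice", "u-bob", "u-carol"]

def run_audit(base_url=None, token=None):
    """Audit live data when base_url and token are given, else the samples."""
    if base_url and token:
        teams = fetch_json(base_url, "/api/v0/auth/teams", token)
        team_id = admins_team_id(teams)
        users = fetch_json(base_url, f"/api/v0/auth/teams/{team_id}/users", token)
    else:
        team_id = admins_team_id(SAMPLE_TEAMS)
        users = SAMPLE_USERS
    return team_id, audit_admins(users, APPROVED_ADMINS)

if __name__ == "__main__":
    team_id, report = run_audit()
    print(f"admins team {team_id}: {report}")
```

Any ID reported under "unexpected" is an account with full administrative access that is not on the approved list and should be reviewed.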