77 changes: 72 additions & 5 deletions plugins/modules/role_team_assignment.py
@@ -20,10 +20,15 @@
notes:
- This module is subject to limitations of the RBAC system in AAP 2.6.
- Global roles (e.g. Platform Auditor) cannot be assigned to teams.
- Team roles cannot be assigned to another team (Team Admin → Team is not supported).
- Organization Member role cannot be assigned to teams.
- Only resource-scoped organization roles (e.g. "Organization Inventory Admin", "Organization Credential Admin") can be meaningfully assigned to teams.
- Attempting unsupported role assignments will result in errors.
- The ansible.platform RBAC modules currently perform role assignments via the AAP Gateway unified RBAC APIs.
- As a result, team-scoped role assignments are limited to what is supported by Gateway API today.
- Component-specific APIs (Controller, Hub, EDA) expose different RBAC semantics and are not yet supported for these operations
within ansible.platform role_team_assignment module.
- This reflects current public API capabilities, not a limitation of the module design.
- Support for additional APIs may be introduced as RBAC capabilities converge across services.
options:
assignment_objects:
description:
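Review bot: the note "Team roles cannot be assigned to another team (Team Admin → Team is not supported)" is contradicted by the EXAMPLES section of this same change, where "Assign Team Admin role to a team" is listed under the successful scenarios; either narrow the note (for instance to team-typed assignment objects) or move that example to the failed scenarios, so the rendered ansible-doc does not state both. The wrapped sentence ending "within ansible.platform role_team_assignment module" is also missing its full stop, and the two sentences after it ("This reflects current public API capabilities..." and "Support for additional APIs may be introduced...") read as rationale rather than user guidance; consider folding them into the preceding note or moving them to the module description.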
@@ -80,7 +85,39 @@


EXAMPLES = '''
- name: Assign roles for multiple objects using names
# SUCCESSFUL SCENARIOS - These work correctly with supported roles

- name: Assign Organization Inventory Admin role to a team
ansible.platform.role_team_assignment:
assignment_objects:
- name: "{{ organization.name }}"
type: "organizations"
role_definition: Organization Inventory Admin
team: "{{ team.name }}"
state: present
register: result

- name: Assign Organization Credential Admin role to a team
ansible.platform.role_team_assignment:
assignment_objects:
- name: "{{ organization.name }}"
type: "organizations"
role_definition: Organization Credential Admin
team: "{{ team.name }}"
state: present
register: result

- name: Assign Team Admin role to a team
ansible.platform.role_team_assignment:
assignment_objects:
- name: "{{ organization.name }}"
type: "organizations"
role_definition: Team Admin
team: "{{ team.name }}"
state: present
register: result

- name: Assign roles for multiple organizations using names
ansible.platform.role_team_assignment:
assignment_objects:
- name: "{{ org1.name }}"
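Review bot: the "Assign Team Admin role to a team" example applies a team-scoped role to an assignment object of `type: "organizations"`; Team Admin is not an organization-level role, and the module notes added in this same change say team roles cannot be assigned to a team, so either the object type is wrong or this example belongs under the failed scenarios rather than "SUCCESSFUL SCENARIOS - These work correctly with supported roles". Minor: the three new examples all `register: result` although nothing reads it; dropping `register` (or using distinct names) keeps the copy-paste examples from silently overwriting each other.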
@@ -111,7 +148,7 @@
- object_ansible_id: "c891b9f7-cc08-4b62-9843-c9ebfda362a8"
role_definition: Organization Inventory Admin
state: present
register: result
register: result

- name: Check Role Team assignment exists
ansible.platform.role_team_assignment:
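Review bot: the only visible change in this hunk is `register: result` being removed and re-added, which in a rendered diff with collapsed whitespace looks like an indentation fix; confirm that `register` now sits at task level (a sibling of `ansible.platform.role_team_assignment:`, aligned with `- name:`), because nested one level deeper it is passed to the module as an argument and rejected as an unsupported parameter instead of demonstrating the assignment. The same one-line change recurs in the next two hunks, so the same check applies there.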
@@ -120,7 +157,7 @@
- object_ansible_id: "c891b9f7-cc08-4b62-9843-c9ebfda362a8"
role_definition: Organization Inventory Admin
state: exists
register: result
register: result

- name: Role Team assignment
ansible.platform.role_team_assignment:
@@ -129,10 +166,40 @@
- object_ansible_id: "c891b9f7-cc08-4b62-9843-c9ebfda362a8"
role_definition: Organization Inventory Admin
state: absent
register: result
register: result

# FAILED SCENARIOS - These demonstrate unsupported role assignments that will fail

- name: Attempt to assign Platform Auditor role to a team (WILL FAIL)
ansible.platform.role_team_assignment:
assignment_objects:
- name: "{{ organization.name }}"
type: "organizations"
role_definition: Platform Auditor
team: "{{ team.name }}"
state: present
register: result
ignore_errors: true
# Error: Teams can only be assigned roles where all permissions are for the 'galaxy' service.
# Role 'Platform Auditor' has non-galaxy permissions from EDA and Controller services.
# This is expected and will fail.

- name: Attempt to assign Organization Member role to a team (WILL FAIL)
ansible.platform.role_team_assignment:
assignment_objects:
- name: "org1"
type: "organizations"
role_definition: Organization Member
team: "akash"
state: present
register: result
ignore_errors: true
# Error: "Assigning organization member permission to teams is not allowed"
# This is expected and will fail.
...
'''


from ..module_utils.aap_module import AAPModule


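Review bot: the error quoted in the Platform Auditor example ("Teams can only be assigned roles where all permissions are for the 'galaxy' service") does not square with the successful scenarios earlier in this file, where Organization Inventory Admin and Organization Credential Admin are assigned to a team, nor with the module notes, which attribute the restriction to the Gateway RBAC API rather than to the galaxy service; if that message is what the API actually returns, the notes should explain why the organization-scoped roles pass, otherwise the comment should be corrected. The Organization Member example also hardcodes `name: "org1"` and `team: "akash"` where every other example uses `{{ organization.name }}` and `{{ team.name }}`; use the same variables. Finally, tasks that are expected to fail and carry `ignore_errors: true` render in ansible-doc as copy-paste examples; they would serve better as integration tests with `failed_when` and an assert on `result.msg`, leaving EXAMPLES to the supported cases.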