Ansible Automation Platform includes a powerful RBAC system that enables robust and highly customizable control over access. However, no matter how robust and customizable our RBAC system is, there will be unique needs required by customers.
For example, Ansible Automation Controller allows you to create a credential that does not belong to any organization, and this credential can be assigned to used by any user. For some organizations, these global credentials that can be used by any user present a security risk or compliance concern in environments with strict boundaries.
Currently, there is no method within our RBAC system to prevent the use of these global credentials within a specific organization, but with Policy Enforcement we can restrict access with ease.
Example Policy aap_policy_examples/global_credential_allowed_false.rego
The following policy identifies and blocks the use of credentials that do not belong to any Organization:
package aap_policy_examples
# Find credentials with no organization
violating_credentials := {cred.name | cred := input.credentials[_]; cred.organization == null}
default global_credential_allowed_false := {
"allowed": true,
"violations": [],
}
# If any credential is violating, deny access and return violations
global_credential_allowed_false := {
"allowed": false,
"violations": [sprintf("Credential used in job execution does not belong to any org. Violating credentials: [%s]", [concat(", ", violating_credentials)])],
} if {
count(violating_credentials) > 0
}{
"credential": [
{
"name": "Demo Credential",
"description": "",
"organization": null,
"credential_type": 1,
"managed": false,
"inputs": {
"username": "admin"
}
}
]
}{
"allowed": false,
"violations": [
"Credential used in job execution does not belong to any org"
]
}When this policy is applied to a Job Template, it prevents job execution for that organization if any unscoped (global) credentials with no ties to any organization are used.
- ✅ Credentials tied to the Organization: Allowed
- 🚫 Credentials with
organization: null: Blocked/ERROR
Jobs using a violating credential will immediately ERROR, and the playbook will not run.
An enterprise uses Ansible Automation Platform to manage automation across multiple internal teams, each represented by a separate Organization within the platform. For example:
Infrastructure TeamSecurity TeamDevOps Team
Each team operates independently, with its own credentials, inventories, and job templates. RBAC ensures users can only see resources tied to their Organization.
However, during a security review, the platform team discovers that several credentials were created without an assigned Organization (organization: null). These global credentials are not restricted by RBAC and could be used across any Organization if referenced by a job template or workflow.
To eliminate this risk, the platform engineering team enforces a Policy Enforcement rule that blocks job execution when unscoped (global) credentials are detected. This ensures that all credentials must be explicitly assigned to an Organization in order to be used in automation jobs.
When the policy is applied:
- 🚫 Jobs referencing global credentials will error – preventing unauthorized use.
- ✅ Jobs using credentials tied to an organization continue to run – preserving normal automation flow for compliant configurations.
- ✅ Clear violation messages are surfaced – allowing teams to quickly identify and fix unscoped credentials.
This policy gives platform administrators confidence that no credential can bypass organization-level isolation, even if mistakenly created without an organization
- Security – Prevents accidental or unintended use of global credentials across boundaries that may not be privy to all organizations.
- Enforced Governance – Ensures credentials are owned and managed by the appropriate teams.
- Audit Readiness – Demonstrates credential ownership and scope compliance during audits.
- RBAC Enhancement – Fills a critical gap not covered by Ansible Automation Platform's built-in access control.