User permissions and user roles

The role in role-based access control (RBAC) refers to a system of user roles, which are assigned to user groups and the users in those groups. Those roles contain permissions, which define what a user with that role can or can't do within Puppet Enterprise (PE).

When users are added to PE, they don't have permission to do anything until they are associated with a user role, either by direct role assignment or by inheriting roles from group membership. When a user is assigned to a role (or inherits a role from a group), they receive all the permissions from that role. If a user is associated with multiple roles, the user is able to perform all actions described by all permissions received from all of their assigned roles.

There are five default user roles:

Administrators

Can manage users and permissions, create and modify node groups and other objects.

Administrators have all permissions assigned to them by default.

Operators

Can create and modify node groups and other objects.

Viewers

Can view, but can't modify, objects in the console.

Code Deployers

Can synchronize code from version control systems to Puppet Server.

Project Deployers

Can deploy projects and run project tasks and plans.

You can also create custom roles. For example, you might want to create a user role that grants users permission to view but not edit a specific subset of node groups. Or you might want to divide up administrative privileges so that one user role is able to reset passwords while another can edit roles and create users.
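The following is an added example, not code from PE or its documentation. It models the rules described above (no roles means no permissions; direct and group-inherited roles combine as a union) and shows a consequence for split administrative roles: a user who reaches both roles through different paths recombines the privileges. All role, group, user and permission names are constructed for illustration and are not PE identifiers.

```python
# Constructed sample data: every name below is illustrative, not a PE identifier.
# A permission is modelled as (object_type, action, instance); "*" means all instances.
ROLES = {
    "Password Resetters": {("users", "reset_password", "*")},
    "Role Editors": {("user_roles", "edit", "*"), ("users", "create", "*")},
    "Web Team Viewers": {("node_groups", "view", "web-servers")},
}
GROUP_ROLES = {"helpdesk": {"Password Resetters"}, "iam-admins": {"Role Editors"}}
USERS = {
    "alice": {"roles": {"Web Team Viewers"}, "groups": {"helpdesk"}},
    "bob": {"roles": {"Role Editors"}, "groups": {"helpdesk"}},
    "carol": {"roles": set(), "groups": set()},  # added, but not yet given any role
}
# Permission pairs that policy says a single user must not hold together.
CONFLICTS = [(("users", "reset_password", "*"), ("user_roles", "edit", "*"))]

def effective_roles(user):
    """Roles assigned directly plus roles inherited from each group membership."""
    roles = set(USERS[user]["roles"])
    for group in USERS[user]["groups"]:
        roles |= GROUP_ROLES.get(group, set())
    return roles

def effective_permissions(user):
    """Union of the permissions of all effective roles; no roles, no permissions."""
    perms = set()
    for role in effective_roles(user):
        perms |= ROLES[role]
    return perms

def is_allowed(user, object_type, action, instance):
    perms = effective_permissions(user)
    return (object_type, action, instance) in perms or (object_type, action, "*") in perms

def sod_violations():
    """Users whose combined roles hold both halves of a conflicting pair."""
    found = {}
    for user in USERS:
        perms = effective_permissions(user)
        hits = [pair for pair in CONFLICTS if pair[0] in perms and pair[1] in perms]
        if hits:
            found[user] = hits
    return found

if __name__ == "__main__":
    for name in sorted(USERS):
        print(name, sorted(effective_roles(name)), sorted(effective_permissions(name)))
    print("separation-of-duties violations:", sod_violations())
```

Here bob is flagged because his direct role and his group-inherited role together hold both halves of the conflicting pair, even though each role on its own is narrowly scoped.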
