Structure of user permissions
User permissions are structured as a triple of type, permission, and object.
- Types: Anything that can be acted on in Puppet Enterprise (PE), such as node groups, users, or user roles.
- Permissions: What you can do with each type, such as create, edit, or view.
- Objects: Specific instances of types.
For example, here are two sets of permission triples for the Administrators user role:
| Type | Permission | Object | Description |
|---|---|---|---|
| Node groups | View | PE Master | Gives permission to view the PE Master node group. |
| User roles | Edit | All | Gives permission to edit all user roles. |
When no object is specified, the permission applies to all objects of the specified type. In those cases, the object is All, which is denoted by "*" in the RBAC API.

In both the console and the API, "*" is also used to express a permission for which an object doesn’t make sense, such as when creating users.
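
The two meanings of "*" matter when reviewing a role for least privilege: one grants access to every object of a type, the other only marks that no object applies. The following Python sketch is an added example, not code from PE or its RBAC service; the snake_case type names, the node group ID, the third sample triple, and the `OBJECTLESS` set are constructed for illustration.

```python
from typing import NamedTuple

WILDCARD = "*"  # "All" objects, or "no object applies", as described above


class Triple(NamedTuple):
    type: str        # what is acted on, e.g. node groups
    permission: str  # what can be done, e.g. view
    object: str      # a specific instance, or "*"


# Assumption: (type, permission) pairs for which an object makes no sense,
# so "*" is the only possible value and is not a broad grant.
OBJECTLESS = {("users", "create")}

# Constructed sample role: the two triples from the table plus one
# object-less permission (creating users).
SAMPLE_ROLE = [
    Triple("node_groups", "view", "pe-master-group-id"),  # placeholder ID
    Triple("user_roles", "edit", WILDCARD),
    Triple("users", "create", WILDCARD),
]


def is_allowed(grants, type_, permission, obj):
    """True if any triple grants the permission on obj, honoring '*'."""
    return any(
        g.type == type_
        and g.permission == permission
        and g.object in (WILDCARD, obj)
        for g in grants
    )


def broad_grants(grants):
    """Triples where '*' means every object of the type, which a
    least-privilege review should justify or narrow to specific objects."""
    return [
        g for g in grants
        if g.object == WILDCARD and (g.type, g.permission) not in OBJECTLESS
    ]


if __name__ == "__main__":
    for g in broad_grants(SAMPLE_ROLE):
        print(f"broad grant: {g.permission} on all {g.type}")
```
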






