Creating and managing local users and user roles
Role-based access control (RBAC) in Puppet Enterprise (PE) lets you manage users—what they can and can't create, edit, or view—in an organized, high-level way that is more efficient than managing permissions on a per-user basis. User roles are sets of permissions you can apply to multiple users. You can't assign permissions directly to users in PE, only to user roles. You then assign roles to users.
In addition to user records that you create, PE includes two default user records:
- Administrator: A user that has the Administrator role applied by default. This means this user has every permission. You can revoke the Administrator user in situations where users are managed through a directory service, like LDAP.
- API User: Used for service-to-service authentication within PE. You can't use it with the standard login, and you can't revoke it. It is only available through certificate-based authentication. The RBAC allow list identifies the certificates (by certname) that you can use for API User authentication.
All user records you create must be assigned to one or more roles before they can log in and use PE.
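The model described above (permissions attach only to roles, roles attach to users, a user with no role cannot log in, the Administrator user can be revoked but the API User cannot and authenticates only by certname from an allow list) as an added, self-contained example. This is illustrative code, not Puppet Enterprise's implementation; the role names, permission strings, certnames and the `ALL_PERMISSIONS` set are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed permission vocabulary for the example; PE's real permission
# list is larger and is not reproduced here.
ALL_PERMISSIONS = frozenset({
    "nodes:view", "console:view", "users:edit", "roles:edit", "certs:sign",
})


@dataclass
class Role:
    """A named set of permissions. Permissions live here, never on a user."""
    name: str
    permissions: frozenset = frozenset()


@dataclass
class User:
    """A local user record: role names plus flags for the two default records."""
    login: str
    roles: set = field(default_factory=set)
    revoked: bool = False
    cert_only: bool = False   # API-User style: certificate auth only, no login


class Rbac:
    def __init__(self):
        self.roles = {}
        self.users = {}
        # Certnames allowed to authenticate as the API user (constructed allow list)
        self.cert_allowlist = set()

    def add_role(self, name, permissions):
        self.roles[name] = Role(name, frozenset(permissions))

    def add_user(self, login, cert_only=False):
        self.users[login] = User(login, cert_only=cert_only)

    def assign(self, login, role_name):
        """The only way a user gains permissions: membership in a role."""
        if role_name not in self.roles:
            raise KeyError(f"unknown role {role_name}")
        self.users[login].roles.add(role_name)

    def revoke(self, login):
        user = self.users[login]
        if user.cert_only:
            raise ValueError("the API user cannot be revoked")
        user.revoked = True

    def can_login(self, login):
        """Standard login requires an active, non-certificate user with a role."""
        user = self.users.get(login)
        return (user is not None and not user.revoked
                and not user.cert_only and len(user.roles) > 0)

    def has_permission(self, login, permission):
        user = self.users.get(login)
        if user is None or user.revoked:
            return False
        return any(permission in self.roles[r].permissions for r in user.roles)

    def api_user_auth(self, certname):
        """Service-to-service auth: the presented certname must be allow-listed."""
        return certname in self.cert_allowlist


def build_demo():
    """Constructed sample directory mirroring the two default user records."""
    rbac = Rbac()
    rbac.add_role("Administrator", ALL_PERMISSIONS)
    rbac.add_role("Viewers", {"nodes:view", "console:view"})
    rbac.add_user("admin")
    rbac.assign("admin", "Administrator")
    rbac.add_user("api_user", cert_only=True)
    rbac.cert_allowlist.add("pe-console.example.com")   # constructed certname
    rbac.add_user("alice")   # created but not yet assigned a role
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    print("alice can log in before any role:", rbac.can_login("alice"))
    rbac.assign("alice", "Viewers")
    print("alice can log in after Viewers:", rbac.can_login("alice"))
    print("alice may edit users:", rbac.has_permission("alice", "users:edit"))
```

The checks worth carrying over to a real review are the two negative paths: a freshly created user has no effective permissions until a role is assigned, and a revoked user fails both login and permission checks even though the role assignment still exists on the record.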
Puppet stores local accounts and directory service integration credentials securely. Local account passwords are hashed using SHA-256 multiple times, along with a 32-bit salt. To update the algorithm to argon2id (only for non-FIPS enabled systems) or to configure password algorithm parameters, refer to Configure the password algorithm. Directory service lookup credentials configured for directory lookup purposes are encrypted using AES-128. Puppet does not store the directory credentials used for authenticating to Puppet. These are different from the directory service lookup credentials.
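The storage scheme above (a per-account salt, SHA-256 applied repeatedly, and parameters that can later be tightened or swapped for argon2id) as an added illustration of how such a record is created, verified, and flagged for upgrade. This is not Puppet Enterprise's code: the page gives no iteration count, so `ITERATIONS` is an assumed placeholder, the iterated SHA-256 is done with the standard PBKDF2 construction rather than PE's exact scheme, and the `pbkdf2-sha256$iters$salt$hash` record format is invented here so the stored value carries its own parameters.

```python
import hashlib
import hmac
import os

# Assumed parameters for the illustration. The page states SHA-256 is applied
# multiple times with a 32-bit salt but gives no iteration count.
ITERATIONS = 100_000
SALT_BYTES = 4   # 32-bit salt, matching the size the page states


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm, iteration count, salt, digest.

    Storing the parameters with the hash is what makes a later change of
    algorithm or cost (see needs_rehash) possible without a flag day.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the record's own salt and cost; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2-sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # hmac.compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def needs_rehash(stored, iterations=ITERATIONS, algo="pbkdf2-sha256"):
    """True when the record uses an old algorithm or a lower cost than policy."""
    parts = stored.split("$")
    if len(parts) != 4:
        return True
    return parts[0] != algo or int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    legacy = hash_password("correct horse battery staple", iterations=1_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

The usual operational pattern is to call `needs_rehash` on every successful login and re-store the password with current parameters at that moment, since that is the only time the plaintext is available to the server. Whichever algorithm is configured, the directory service lookup credentials the page mentions are a different class of secret: they must be recoverable (hence encryption rather than hashing) and should be kept under separate access controls from the user table.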