Added docs for new RBAC changes

[tvo318]

SUMMARY

Added docs about the new DAC RBAC changes but kept the existing content for backward compatibility since the concepts and functionality still applies. We can keep adding to this when new stuff comes in, like UI changes.
Addresses issue #15048.
See rendered content here: https://ansible--15150.org.readthedocs.build/projects/awx/en/15150/userguide/rbac.html

ISSUE TYPE

• New or Enhanced Feature

COMPONENT NAME

• Docs

AWX VERSION

latest

[AlanCoding]

The newly “add” permissions capability

Grammar of this is hard!

I would try to avoid using the "capability" word. Formally, there are new "add" permissions in the backend. This corresponds to the Django notion of permissions... meaning there is a literal Permission model in Django that this corresponds to. Users don't really need to know this, but that's a nuance of what I mean when I say "permission". These are model-specific, which affects my use of pluralization. You already got that, talking about the project add permission, for example. Here, I would try to phrase it like "New "add" permissions are a major highlight of this change"

[AlanCoding]

RBAC in general usually isn't object-specific. Some other apps do things backwards, where a role includes a list of object permissions. Whereas this new system (and the old system) has abstract roles (role definitions) which can give a user to an object. Some RBAC is kind of per-domain, which we accomplish by organization-level roles, which are object-roles with inheritance added.

I would start out saying that a role contains a list of permissions. There is a domain-ness to this, where organization-level roles can give you a permission (like update_project) to everything in that domain, which means all projects in that organizations.

[tvo318]

I tried my best to reword this in order to tie it back to the legacy RBAC model.

[AlanCoding]

Again I'd like to push back against "capabilities". A role list a list of permissions. The DAB RBAC system adds a constraint that it is type-specific, which is how we talk about job template admin_role in the old system. The names are renamed in the new system like for "Job Template Admin"

[tvo318]

Ok, just note, this section remained untouched as it is the old RBAC but I'll add your changes if that helps clarify the future RBAC.

[AlanCoding]

The DAB RBAC system actually explicitly ditches the "role hierarchy" system. It's actually really specific about this. The old system used the role hierarchy for everything, but the new system is different.

In DAB RABC, to spell it out, the "Project Admin" role doesn't need to exist for other organization-level roles to give permissions to a project. This is accomplished by the role permission list instead. So the organization admin role has project CRUD permissions (like change_project, delete_project) in its permission list. There is still somewhat of a hierarchy, but at the resource level, in that organizations are the parent object (RBAC-wise) of projects.

[tvo318]

The information about the new RBAC only exists in section 9.1 only. Section 9.2 pertains to only legacy RBAC stuff. I left them both in for those who still need reference to the old RBAC.

[vidyanambiar]

Looks great 🎉 Thanks, @tvo318!

I added a few comments.

[vidyanambiar]

This is not a message from the API, it is an example of what we should be sending as the payload for the POST request made above.
Also, since this is AWX it's probably better to have numbers as IDs in the example:
{"team": 25, "role_definition": 4, "object_id": "10"}

[tvo318]

Ah, thanks for the clarification!

[vidyanambiar]

Same comment as above. This is the POST request body. Example:
{"user": 25, "role_definition": 4, "object_id": "10"}

[vidyanambiar]

Can we replace all the references to <awxAPI>/ with https://<awx-host>/api/v2/ or /api/v2/?

[tvo318]

Yes, for sure! Good catch!

[AlanCoding]

Seems good for the new content here.