SaltStack Config ships with a number of built-in roles that cannot be deleted. It also gives you tools to create custom-defined roles for your own unique needs.

Built-in roles

SaltStack Config includes the following built-in roles:

  • User - The default role assigned to all new local, SSO, and LDAP users. The User role covers fundamental permissions, such as Read access, needed to perform many basic functions. Users assigned this role can view and run jobs, as well as view job history, job returns, and reports for certain minions and job types, limited to the role’s resource access settings.
  • Administrator - This role needs access to more advanced tools than the User role and thus can access System Administration. Administrators can view (and in some cases, edit) sensitive data found in user settings and pillar. The role can create, update, and delete resources such as files, jobs, and targets. Administrators can also manage keys as needed when configuring new nodes.
  • Superuser - Superusers can perform any operation in SaltStack Config, which includes accessing System Administration. root is assigned to the Superuser role. The role cannot be deleted or cloned. You can add any group or user to the role, but you cannot modify any of the role’s other settings. Only advanced users should be added to the Superuser role, as it effectively bypasses permissions restrictions.

Custom-defined roles

To supplement SaltStack Config’s built-in roles, you can create custom roles. Custom roles help you define more targeted resource access for different user profiles based on your organization’s needs. For example, you might create a CentOS Administrator role for users responsible for administering CentOS nodes, and a RedHat Administrator role for users responsible for RedHat nodes.
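
As an added example (not part of the SaltStack Config documentation or product code), the following Python sketch reviews a proposed custom role against the User and Administrator permission tables on this page. The sample CentOS Administrator permissions, the r/x/w/d flag encoding, and the SENSITIVE set are assumptions made for illustration.

```python
# Least-privilege review of a proposed custom role (added example).
# Flags: r=Read, x=Run, w=Write, d=Delete, transcribed from the page's tables.
USER = {
    "Background jobs": "r", "Commands": "r", "File Server": "r", "Jobs": "rx",
    "License": "r", "Salt Controller configuration": "r",
    "Salt Controller file server": "r", "Salt Controller": "r",
    "Metadata Auth": "r", "Minion": "r", "Returner": "r", "Schedule": "rwd",
    "SecOps Compliance Policies": "r", "SecOps Vulnerability Policies": "r",
    "Targets": "r", "All Minions commands": "x",
}
ADMINISTRATOR = {
    "Background jobs": "r", "Commands": "rxw", "Runner commands": "x",
    "SSH commands": "rxwd", "Wheel commands": "x", "File Server": "rwd",
    "Jobs": "rxwd", "License": "r", "Metadata Auth": "rw", "Minion": "rd",
    "Pillar": "rwd", "Returner": "rd", "Role": "rwd", "Schedule": "rwd",
    "SecOps Compliance Policies": "r", "SecOps Vulnerability Policies": "r",
    "Targets": "rwd", "All Minions commands": "x", "Users": "rwd",
}
# Assumption: resources this review treats as sensitive (the page names user
# settings and pillar; Role is added because it controls permissions).
SENSITIVE = {"Pillar", "Users", "Role"}

def excess(role, baseline):
    """Return {resource: flags} that `role` grants and `baseline` does not."""
    out = {}
    for resource, flags in role.items():
        extra = "".join(f for f in flags if f not in baseline.get(resource, ""))
        if extra:
            out[resource] = extra
    return out

def review(role):
    """Compare a proposed role with the User floor and Administrator matrix."""
    above_user = excess(role, USER)
    return {
        "above_user": above_user,
        "outside_administrator": excess(role, ADMINISTRATOR),
        "sensitive": sorted(r for r in above_user if r in SENSITIVE),
    }

# Constructed sample: a hypothetical "CentOS Administrator" custom role.
CENTOS_ADMIN = {
    "Jobs": "rxw", "Targets": "rw", "Minion": "rd", "Pillar": "r",
    "Salt Controller configuration": "rw", "Schedule": "rwd",
}

if __name__ == "__main__":
    for section, findings in review(CENTOS_ADMIN).items():
        print(f"{section}: {findings}")
```

Grants reported under outside_administrator are ones the Administrator table on this page does not list, so they deserve a second look before the role is created.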

User

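| Resource type / Functional area | Read | Run | Write | Delete |
|---|---|---|---|---|
| Background jobs | X | | | |
| Commands | X | | | |
| File Server | X | | | |
| Jobs | X | X | | |
| License | X | | | |
| Salt Controller configuration | X | | | |
| Salt Controller file server | X | | | |
| Salt Controller | X | | | |
| Metadata Auth | X | | | |
| Minion | X | | | |
| Returner | X | | | |
| Schedule | X | | X | X |
| SaltStack SecOps Compliance Policies (Note: a license is required) | X | | | |
| SaltStack SecOps Vulnerability Policies (Note: a SaltStack SecOps Vulnerability license is required) | X | | | |
| Targets | X | | | |
| All Minions commands | | X | | |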

Administrator

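| Resource type / Functional area | Read | Run | Write | Delete |
|---|---|---|---|---|
| Background jobs | X | | | |
| Commands | X | X | X | |
| Runner commands | | X | | |
| SSH commands | X | X | X | X |
| Wheel commands | | X | | |
| File Server | X | | X | X |
| Jobs | X | X | X | X |
| License | X | | | |
| Metadata Auth | X | | X | |
| Minion | X | | | X |
| Pillar | X | | X | X |
| Returner | X | | | X |
| Role | X | | X | X |
| Schedule | X | | X | X |
| SaltStack SecOps Compliance Policies (Note: a SaltStack SecOps license is required) | X | | | |
| SaltStack SecOps Vulnerability Policies (Note: a SaltStack SecOps license is required) | X | | | |
| Targets | X | | X | X |
| All Minions commands | | X | | |
| Users | X | | X | X |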

Superuser

The Superuser role can perform any operation in SaltStack Config.