This repository has been archived by the owner on Aug 22, 2023. It is now read-only.

Showcase RBAC #15

Closed
wants to merge 4 commits into from

Conversation

@termlen0 termlen0 (Collaborator) commented Jun 26, 2022

This PR adds a new organization and a user with execute-only access to run a patch report. There is a small README to help demo this feature.

I'm not sure if the patching report logic only displays the components that require patching (it appears that way to me). It might make sense to update the patching report to include the components being requested for, with a "Compliant" status, if they don't require patching. FYI, the template I'm using for running the patching report is as follows:

```yaml
  - name: "WINDOWS / Patching Report"
    use_fact_cache: true
    job_type: check            # report only: check mode applies no changes
    ask_job_type_on_launch: no
    inventory: "Workshop Inventory"
    project: "Ansible official demo project"
    playbook: "windows/patching.yml"
    execution_environment: Default execution environment
    credentials:
    - "Workshop Credential"
    survey_enabled: false      # every variable is fixed below; nothing is prompted
    extra_vars:
      HOSTS: student1-win1
      report_server: student1-win1
      win_update_categories:   # Windows Update category names as win_updates expects them
        - Application
        - Connectors
        - CriticalUpdates
        - DefinitionUpdates
        - DeveloperKits
        - FeaturePacks
        - Guidance
        - SecurityUpdates
        - ServicePacks
        - Tools
        - UpdateRollups
        - Updates
      allow_reboot: 'No'
```

@termlen0 termlen0 (Collaborator, Author) commented Jun 26, 2022

[screenshot of the generated patching report]

With the above job template, the report generated only shows the security update in the report.

@termlen0 termlen0 (Collaborator, Author) commented Jul 2, 2022

@MKletz @willtome Please review/merge before the main branch gets too far ahead of this PR. Thanks!

@willtome willtome (Collaborator) left a review:

If we're going to start doing orgs, a single org should be created for each demo category (e.g., Windows, Linux, Cloud, etc.) with teams in that org as necessary. I've added some other comments on specific lines, but overall I think we need more discussion before merging.

- roles

controller_organizations:
- name: "Helpdesk Org"
Collaborator:

Why do we need a new org? Wouldn't helpdesk just be a different team perhaps in the "windows" org?

Collaborator Author:

Was going by the idea that typically helpdesk is a tier 1 support team that lives in its own org. They do level 1 triage for all types of issues and typically route the incident to the appropriate SME team (Windows/Network/DB etc.).
I'm good with this being a team, as long as we can apply the execute-only permissions for the job template and ensure that they don't have visibility into the inventory.
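The team-scoped variant discussed in this thread (a helpdesk team inside a per-category org, execute-only on one job template, no access to the inventory), written out as an added example in the same `controller_*` variable style the repository already uses. This is not code from the PR or the project: the "Windows" org, the "Helpdesk" team, and the `helpdesk_user_password` variable are assumptions for illustration.

```yaml
# Added example, not from the PR. Variable names follow the
# infra/redhat_cop controller_configuration collection's role variables.
controller_teams:
  - name: "Helpdesk"
    organization: "Windows"        # assumed per-category org, per the review suggestion

controller_user_accounts:
  - user: level1
    is_superuser: false
    # Resolve the password at deploy time (vaulted var or env lookup) rather
    # than committing a literal; the variable name is an assumption.
    password: "{{ helpdesk_user_password }}"

controller_roles:
  # Org membership: read on the organization object itself, nothing on its
  # inventories, projects or credentials.
  - user: level1
    organization: "Windows"
    role: member
  # Put the user in the team; grants are then made to the team, not the user.
  - user: level1
    target_team: "Helpdesk"
    role: member
  # The only resource-level grant: execute on the one hardened template.
  # No role on "Workshop Inventory", the project or the credential, so the
  # team cannot list hosts, edit the template or launch anything else.
  - team: "Helpdesk"
    job_template: "WINDOWS / Patching Report"
    role: execute
```

Two caveats worth checking when demoing this: the job's stdout and the generated report still name the hosts that were scanned, so "no inventory visibility" means no access to the inventory object, not that hostnames stay hidden; and the template must keep `ask_inventory_on_launch`, `ask_credential_on_launch` and the other prompts disabled, otherwise the launch form lets the user pick other inventories or credentials (subject to their `use` rights on them), which widens the surface this setup is meant to close.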

controller_user_accounts:
- user: level1
is_superuser: false
password: Ansible!23
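Review bot: `password: Ansible!23` on the last line of this hunk commits a literal login credential to the repository, and `user: level1` is created with no organization, team or role assignment in the same hunk, so the only thing limiting the account is the absence of grants elsewhere. Replace the literal with a value resolved at deploy time, for example `password: "{{ lookup('env', 'HELPDESK_PASSWORD') }}"` or an Ansible Vault-encrypted variable, and pair the account with an explicit `controller_roles` entry so the execute-only scope is visible in the diff rather than implied.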
Collaborator:
I'd like to see if we can make this dynamic. Perhaps using the password from the controller credential to keep things consistent.

@@ -80,6 +93,34 @@ controller_templates:
- 'Yes'
- 'No'

- name: "WINDOWS / Patching Report"
Collaborator:

This is duplicating an existing job template. Is there a reason not to use the existing template?

Collaborator Author:

Here, the point is that all the vars are hardcoded and the template is run in check mode (no survey). The demo README shows the scenario. For instance, if a manager or a Level 1 helpdesk person needs to look at the patching report, the only access they have is to execute this job template within their account on AAP. The idea is to showcase how automation can help elevate lower tiers of support, or create self-help automation reports for managers, without needing an admin in the path.

@willtome willtome (Collaborator) commented

@nleiva and I experienced some issues with multiple orgs since this project operates from a single inventory and credential. I am going to close for now and we can revisit RBAC at another time.
