Background
Runbook Automation (RBA) in IBM Cloud Pak for AIOps (CP4AIOps) has long supported fine-grained permissions for runbook creation, editing, and execution. However, Actions — the building blocks of Runbooks — were previously accessible to all users with runbook permissions.
To address this need, 4.11.1 introduces Action Group Role-Based Access Control (RBAC) — a new capability that brings group-based permission management to the RBA Action framework.
What is Action Group RBAC?
Action Group RBAC extends RBA’s existing permission model by allowing administrators to organize actions into groups, and then grant access to those groups based on user roles.
This new capability helps ensure that only authorized users can view, assign, or execute specific actions, aligning automation access with organizational security policies.
In essence:
- Actions are now can be grouped logically
- Roles ( like Runbook Admin, Operator, Viewer) can be assigned permissions to those groups.
- The system automatically enforces access restrictions whenever users interact with runbooks that reference those actions.
How it works
In 4.11.1, administrators and runbook authors can now use the new Action Group Management interface to assign groups.
Key features include:
- Granular access for restricted users — Users with limited privileges can only view and execute runbooks and actions that belong to the groups they are assigned to.
- Parameter lockdown — Restricted users can no longer modify default parameters when running runbooks or actions, ensuring consistency and safety in automation execution.
- Group-based access management — Privileged users can create groups, assign actions to groups, and control which roles have access to them.
- Action and history filtering — Actions, runbook activities, and action histories can now be filtered by group, making it easier to audit and review activity within specific organizational units.
|
Role
|
Group restricted access
|
Manage groups
|
Modify default parameters
|
Assign groups
|
Filter by group
|
|
Automation administrator
|
×
|
|
|
|
|
|
Automation analyst
|
×
|
|
|
×
|
|
|
Automation developer
|
×
|
|
|
×
|
|
|
Automation operator
|
|
×
|
×
|
×
|
×
|
Description of features
- Enable access control
On the actions page, select the checkbox next to the action name and then the Access control option on the toolbar
- Assign Actions to Group(s)
On the Access Control dialog, select the required groups and then save
- Filter actions by group(s)
On the actions page, select the Groups filter and toggle the required group(s)
- Generate Group SSH Key
Summary
- By extending RBAC to individual actions, clients can now:
- · Maintain tighter control over who can view and execute automations.
- Protect sensitive infrastructure actions from unauthorized access.
- Simplify compliance through clear group-based segregation.
- This feature empowers administrators, operators, and developers alike — enabling secure, collaborative automation within IBM AIOps.