pushing updated directions for network workshop

exercises/ansible_network/8-controller-rbac/README.md

@@ -4,20 +4,21 @@
 
 ## Table of Contents
 
-  * [Objective](#objective)
-  * [Guide](#guide)
-    * [Step 1: Opening up Organizations](#step-1-opening-up-organizations)
-    * [Step 2: Open the network organization](#step-2-open-the-network-organization)
-    * [Step 3: Examine Teams](#step-3-examine-teams)
-    * [Step 4: Examine the Netops Team](#step-4-examine-the-netops-team)
-    * [Step 5: Login as network-admin](#step-5-login-as-network-admin)
-    * [Step 6: Understand Team Roles](#step-6-understand-team-roles)
-    * [Step 7: Job Template Permissions](#step-7-job-template-permissions)
-    * [Step 8: Login as network-operator](#step-8-login-as-network-operator)
-    * [Step 9: Launching a Job Template](#step-9-launching-a-job-template)
-    * [Bonus Step](#bonus-step)
-  * [Takeaways](#takeaways)
-  * [Complete](#complete)
+- [Exercise 8: Understanding RBAC in Automation controller](#exercise-8-understanding-rbac-in-automation-controller)
+  - [Table of Contents](#table-of-contents)
+  - [Objective](#objective)
+  - [Guide](#guide)
+    - [Step 1: Opening up Organizations](#step-1-opening-up-organizations)
+    - [Step 2: Open the network organization](#step-2-open-the-network-organization)
+    - [Step 3: Add network-admin as an administrator](#step-3-add-network-admin-as-an-administrator)
+    - [Step 4: Login as network-admin](#step-4-login-as-network-admin)
+    - [Step 5: Give job template access to the network-operator user](#step-5-give-job-template-access-to-the-network-operator-user)
+    - [Step 6: Verify the Network-Commands job template](#step-6-verify-the-network-commands-job-template)
+    - [Step 7: Login as network-operator](#step-7-login-as-network-operator)
+    - [Step 8: Launching a Job Template](#step-8-launching-a-job-template)
+    - [Bonus Step](#bonus-step)
+  - [Takeaways](#takeaways)
+  - [Complete](#complete)
 
 ## Objective
 
@@ -45,9 +46,9 @@ Lets review some Automation controller terminology:
 
   ![admin user](images/step_1.png)
 
-* Under the **Access** section, click on **Organizations**
+* Under the **Access Management** section, click on **Organizations**
 
-  As the *admin* user, you will be able to view all organizations configured for Automation controller:
+  As the `admin` user, you will be able to view all organizations configured for Automation controller:
 
   <table>
   <thead>
@@ -60,19 +61,16 @@ Lets review some Automation controller terminology:
 * Examine the organizations
 
   There are 2 organizations (other than Default):
+   1.  **Red Hat compute organization**
+   2.  **Red Hat network organization**
 
-  * **Red Hat compute organization**
-  * **Red Hat network organization**
 
    ![organizations image](images/step1-organizations.png)
 
-   <table>
-   <thead>
-     <tr>
-       <th>Observe that this page gives you a summary of all the teams, users, inventories, projects and job templates associated with it. If a Organization level admin is configure you will see that as well.</th>
-     </tr>
-   </thead>
-   </table>
+> Note:
+>
+> This page gives you a summary of all the teams, users, inventories, projects and job templates associated with it.
+> If a Organization level admin is configure you will see that as well.
 
 
 ### Step 2: Open the network organization
@@ -83,120 +81,107 @@ Lets review some Automation controller terminology:
 
    ![network organization image](images/step2-network_org.png)
 
-2. Click on the **Access** tab to see users associated with this organization.
+### Step 3: Add network-admin as an administrator
 
-   <table>
-   <thead>
-    <tr>
-      <th>Observe that both the <b>network-admin</b> and <b>network-operator</b> users are associated with this organization.</th>
-    </tr>
-   </thead>
-   </table>
+1. Click on the **Administrators** tab
 
-### Step 3: Examine Teams
+   ![administrator tab](images/admin_tab.png)
 
-1. Click on **Teams** in the sidebar
+2. Click on the blue **Add administrators** button:
 
-   ![image identifying teams](images/step3_teams.png)
+   ![add admin button](images/admin_button.png)
 
-2. Examine the teams.  The Automation controller admin  will be able to see all available teams.  There are four teams:
+3. Select the **network-admin** user and then click the blue **Add administrators** button
 
-   * Compute T1
-   * Compute T2
-   * Netadmin
-   * Netops
+   ![add admin window](images/select_admin_button.png)
 
-   ![teams window image](images/step3_teams_view.png)
+### Step 4: Login as network-admin
 
-### Step 4: Examine the Netops Team
+1. Log out from the admin user by clicking the admin button in the top right corner of the Automation controller UI:
 
-* Click on the **Netops** Team and then click on the **Access** tab. Take note  to two particular users:
+   ![logout image](images/step5_logout.png)
 
-  * network-admin
-  * network-operator
+2. Login to the system with the **network-admin** user.
 
-  ![image showing users](images/step_4.png)
+   | Parameter | Value |
+   |---|---|
+   | username  | network-admin  |
+   |  password|  provided by instructor |
 
-* Observe the following two points:
+3. Confirm that you are logged in as the **network-admin** user.
 
-  * The **network-admin** user has administrative privileges for the **Red Hat network organization**
-  * The **network-operator** is simply a member of the Netops team. We will dive into each of these users to understand the roles
+   ![picture of network admin](images/step5_network-admin.png)
 
-### Step 5: Login as network-admin
+4. Click on the **Organizations** link on the sidebar under the `Access Management` section.
 
-* Log out from the admin user by clicking the admin button in the top right corner of the Automation controller UI:
+  You will notice that you only have visibility to the organization you are an admin of, the **Red Hat network organization**.
 
-   ![logout image](images/step5_logout.png)
+  The following two Organizations are not seen anymore:
 
-* Login to the system with the **network-admin** user.
+  * `Red Hat compute organization`
+  * `Default`
 
-  | Parameter | Value |
-  |---|---|
-  | username  | network-admin  |
-  |  password|  provided by instructor |
+> Bonus step:
+>
+> Try this as the network-operator user (same password as network-admin).
+> What is the difference between `network-operator` and `network-admin`?
+> As the `network-operator` are you able to view other users?
+> Are you able to add a new user or edit user credentials?
 
-* Confirm that you are logged in as the **network-admin** user.
 
-  ![picture of network admin](images/step5_network-admin.png)
+### Step 5: Give job template access to the network-operator user
 
-* Click on the **Organizations** link on the sidebar.
+As the `network-admin` we can now setup access for the `network-operator` user.
 
-  You will notice that you only have visibility to the organization you are an admin of, the **Red Hat network organization**.
+1. Click on Templates on the left menu
 
-  The following two Organizations are not seen anymore:
+   ![job templates](images/job_templates.png)
 
-  * Red Hat compute organization
-  * Default
+2. Click on the `Network-Commands` job template.
 
-* Bonus step: Try this as the network-operator user (same password as network-admin).
+   ![network banner](images/network_commands.png)
 
-   * What is the difference between network-operator and network-admin?
-   * As the network operator are you able to view other users?
-   * Are you able to add a new user or edit user credentials?
+3. Click on the `User Access` tab
 
-### Step 6: Understand Team Roles
+   ![user access](images/user_access.png)
 
-1. To understand how different roles and therefore RBACs may be applied, log out and log back in as the **admin** user.
+4. Click on the blue `Add roles` button
 
-2. Navigate to **Inventories** and click on the  **Workshop Inventory**
+   ![add roles button](images/add_roles.png)
 
-3. Click on the **Access** button
+5. Click `network-operator` then click the blue `Next` button at the bottom
 
-   ![workshop inventory window](images/step6_inventory.png)
+   ![add user window](images/add_user_window.png)
 
-4. Examine the permissions assigned to each user
+6. Click on  `JobTemplate Execute` then click on the blue `Next button at the bottom
 
-   ![permissions window](images/step6_inventory_access.png)
+   ![add role user](images/add_role_user.png)
 
-   <table>
-   <thead>
-     <tr>
-       <th>Note: <b>ROLES</b> assigned for the <b>network-admin</b> and <b>network-operator</b> users. By assigning the <b>Use</b> Role, the <b>network-operator</b> user has been granted permission to use this particular inventory.</th>
-     </tr>
-   </thead>
-   </table>
+7. Review to make sure you set it up correctly, and click the blue `Finish` button at the bottom.
 
+   ![finish window](images/finish.png)
 
+8. Click the `Close` button after the role is applied
 
-### Step 7: Job Template Permissions
+   ![close window](images/close_window.png)
 
-1. Click on the **Templates** button in the left menu
+### Step 6: Verify the Network-Commands job template
 
-2. Click on the **Network-Commands** Job Template
+1. Navigate back to the `Network-Commands` Job Template
 
-3. Click on the **Access** button at the top
+   ![network commands job template](images/network-commands-job-template.png)
 
-   ![permissions window](images/step7_job_template_access.png)
+2. Verify the Survey is enabled
 
-   <table>
-   <thead>
-     <tr>
-       <th>Note: the same users have different roles for the job template. This highlights the granularity operators can introduce with Automation controller in controlling "Who gets access to what". In this example, the network-admin can update (<b>Admin</b>) the <b>Network-Commands</b> job template, whereas the network-operator can only <b>Execute</b> it.</th>
-     </tr>
-   </thead>
-   </table>
+  ![verify survey](images/survey-enabled.png)
 
-### Step 8: Login as network-operator
+3. Verify the Survey questions
+
+   ![verify survey questions](images/verify-survey.png)
+
+4. Click on the blue `Save survey question`
+
+### Step 7: Login as network-operator
 
 Finally, to see the RBAC in action!
 
@@ -207,19 +192,15 @@ Finally, to see the RBAC in action!
    | username  | `network-operator`  |
    |  password|  provided by instructor |
 
-2. Navigate to **Templates** and click on the **Network-Commands** Job Template.
+2. Navigate to **Templates** under the Automation Execution section, and click on the **Network-Commands** Job Template.
 
    ![network commands job template](images/step8_operator.png)
 
-   <table>
-   <thead>
-     <tr>
-       <th>Note that, as the <b>network-operator</b> user, you will have no ability to change any of the fields.  The <b>Edit</b> button is no longer available.</th>
-     </tr>
-   </thead>
-   </table>
+> Note:
+>
+> The `network-operator` user, you will have no ability to change any of the fields.  The **Edit** button is no longer available
 
-### Step 9: Launching a Job Template
+### Step 8: Launching a Job Template
 
 1. Launch the **Network-Commands** template by clicking on the **Launch** button:
 
@@ -235,9 +216,18 @@ If time permits, log back in as the network-admin and add another show command y
 
 ## Takeaways
 
-* Using Automation controller's powerful RBAC feature, you can see it is easy to restrict access to operators to run prescribed commands on production systems without requiring them to have access to the systems themselves.
-* Automation controller can support multiple Organizations, multiple Teams and users.  Users can even belong to multiple Teams and Organizations if needed.  Something not covered in this exercise is that we do not need to manage users in Automation controller, we can use [enterprise authentication](https://docs.ansible.com/automation-controller/latest/html/administration/ent_auth.html) including Active Directory, LDAP, RADIUS, SAML and TACACS+.
-* If there needs to be an exception (a user needs access but not his entire team) this is also possible.  The granularity of RBAC can be down to the credential, inventory or Job Template for an individual user.
+<ul>
+  <li>
+    Using Ansible Automation Platform's powerful <strong>RBAC</strong> feature, you can see it is easy to restrict access to operators to run prescribed commands on production systems without requiring them to have access to the systems themselves.
+  </li>
+  <li>
+    Ansible Automation Platform can support multiple <code>Organizations</code>, multiple <code>Teams</code>, and <code>Users</code>. Something not covered in this exercise is that we do not need to manage users in Ansible Automation Platform; we can use <a target="_blank" href="https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/latest/html-single/access_management_and_authentication/index#gw-config-authentication-type" target="_blank">enterprise authentication</a> including Active Directory, LDAP, RADIUS, SAML, and TACACS+.
+  </li>
+  <li>
+    If there needs to be an exception (a user needs access but not their entire team), this is also possible. The granularity of RBAC can be down to the credential, inventory, or Job Template for an individual user.
+  </li>
+</ul>
+
 
 ## Complete