So far, we have only looked at using AWX from the perspective of the built-in admin user. Of course, one of AWX's features is RBAC, and this is achieved by the use of users and teams. A team is basically a group of users, and users can be a member of one or more teams. 

Both users and teams can be created manually in the AWX user interface, or through integration with an external directory service, such as LDAP or Active Directory. In the case of directory integration, teams would most likely be mapped to groups within the directory.

The RBAC's within AWX are rich; for example, a given user can be given the ADMIN role within one team, and either MEMBER or READ roles in another. 

User accounts themselves can be set up as System Administrators, Normal Users, or System Auditors.

In addition to this, as we stepped through the basic setup part of this chapter, you will have noticed the tab buttons on just about every page of the AWX user interface. Among these, there is almost always a tab called PERMISSIONS, which allows true fine-grained access control to be achieved.

For example, a given user of the Normal User type could be given the ADMIN role within their assigned Team. However, they can then be assigned the READ role on a given Project, which superseded the more general ADMIN Team role. So, when they log in, they can see the Project in question, but can't change it or execute any tasks; for example, an update from SCM. 

There is a great deal to explore when it comes to RBAC, and, once you get the hang of it, it is easy to create secure and tightly-locked-down deployments of AWX where everyone has just the right amount of access.