diff --git a/roles/object_diff/README.md b/roles/object_diff/README.md
index 2280e80d9..2128c2890 100644
--- a/roles/object_diff/README.md
+++ b/roles/object_diff/README.md
@@ -17,6 +17,7 @@ The following Variables set the organization where should be applied the configu
| `controller_api_plugin` | `ansible.controller` | yes | Full path for the controller_api_plugin to be used.
Can have two possible values:
- awx.awx.controller_api # For the community Collection version
- ansible.controller.controller_api # For the Red Hat Certified Collection version|
| `drop_user_external_accounts` | `False` | no | When is true, all users will be taken to compare with SCM configuration as code |
| `drop_teams` | `False` | no | When is true, all teams will be taken to compare with SCM configuration as code |
+| `protect_not_empty_orgs` | `N/A` | no | When is true, orgs which are not empty, will not be removed |
## Role Tags
diff --git a/roles/object_diff/defaults/main.yml b/roles/object_diff/defaults/main.yml
index 72a6a0d86..cbf82e767 100644
--- a/roles/object_diff/defaults/main.yml
+++ b/roles/object_diff/defaults/main.yml
@@ -44,4 +44,6 @@ controller_configuration_object_diff_tasks:
controller_configuration_object_diff_secure_logging: "{{ controller_configuration_secure_logging | default('false') }}"
+controller_api_version: "v2"
+
...
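Review bot: `protect_not_empty_orgs` gets no default in this file, although the commit adds one for `controller_api_version`, so the tasks in organizations.yml have to test `protect_not_empty_orgs is defined` before reading it. Declaring `protect_not_empty_orgs: false` next to the new line would make the opt-in behaviour explicit and give the README row a concrete default instead of `N/A`. `controller_api_version` is not added to the README variables table in this commit; a comment above it such as `# API version segment used to build organization sub-resource URLs` would help readers of the defaults.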
diff --git a/roles/object_diff/tasks/organizations.yml b/roles/object_diff/tasks/organizations.yml
index aa70bec07..b388689e2 100644
--- a/roles/object_diff/tasks/organizations.yml
+++ b/roles/object_diff/tasks/organizations.yml
@@ -1,17 +1,57 @@
---
-- name: "Gets current Organizations configured"
+- name: "OBJECT DIFF: Get the current controller user to determine if it is super-admin"
ansible.builtin.set_fact:
- __controller_api_organizations: "{{ query(controller_api_plugin, 'organizations',
- host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) }}"
+ __controller_api_current_user_check_is_admin: "{{ lookup(controller_api_plugin, 'users',
+ query_params={'username': controller_username},
+ host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs)
+ }}"
-- name: "OBJECT DIFF: Find the difference of Organizations between what is on the Controller versus curated list."
- ansible.builtin.set_fact:
- __organizations_difference: "{{ lookup('redhat_cop.controller_configuration.controller_object_diff',
- api_list=__controller_api_organizations, compare_list=controller_organizations,
- with_present=false, set_absent=true)
- }}"
+- name: "Role differences (block)"
+ when:
+ - __controller_api_current_user_check_is_admin.is_superuser
+ block:
+ - name: "Gets current Organizations configured"
+ ansible.builtin.set_fact:
+ __controller_api_organizations: "{{ query(controller_api_plugin, 'organizations',
+ host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs)
+ }}"
-- name: "Sets Organization differences"
- ansible.builtin.set_fact:
- controller_organizations: "{{ __organizations_difference }}"
+ - name: "OBJECT DIFF: Find the difference of Organizations between what is on the Controller versus curated list."
+ ansible.builtin.set_fact:
+ __organizations_difference: "{{ lookup('redhat_cop.controller_configuration.controller_object_diff',
+ api_list=__controller_api_organizations, compare_list=controller_organizations,
+ with_present=false, set_absent=true)
+ }}"
+
+ - name: "Set list __list_orgs_empty when protect_not_empty_orgs"
+ ansible.builtin.set_fact:
+ __list_empty_orgs: "{{ __list_empty_orgs | default([]) + [__org.name] }}"
+ loop: "{{ __organizations_difference }}"
+ loop_control:
+ loop_var: __org
+ when:
+ - protect_not_empty_orgs is defined
+ - protect_not_empty_orgs
+ - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/users/',
+ host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+ - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/admins/',
+ host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+ - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/inventories/',
+ host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+ - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/teams/',
+ host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+ - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/projects/',
+ host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+ - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/job_templates/',
+ host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+ - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/workflow_job_templates/',
+ host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+
+ - name: "Sets Organization differences"
+ ansible.builtin.set_fact:
+ controller_organizations: "{{ controller_organizations | combine(__org) }}"
+ loop: "{{ __organizations_difference }}"
+ loop_control:
+ loop_var: __org
+ when: protect_not_empty_orgs is not defined or not protect_not_empty_orgs or __org.name in __list_empty_orgs
...
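Review bot: The final task, "Sets Organization differences", no longer produces the list of organizations to remove. `combine` merges dictionaries, so `controller_organizations | combine(__org)` cannot yield the list that the removed version assigned from `__organizations_difference`, and it starts from the curated input instead of the diff. Its `when` also reads `__list_empty_orgs` without a default, and that fact is only set once an organization passes every emptiness check, so a run where all unmatched organizations still hold objects likely fails on an undefined variable instead of skipping them. A single filtered assignment, as below, keeps the protection and the original result shape. Two further points are worth confirming: the emptiness test does not cover other organization-owned objects such as credentials, and the first task requires `controller_username` although authentication here uses `controller_oauthtoken`.

```yaml
    # … unchanged: superuser check, organization query, diff lookup and __list_empty_orgs task …
    - name: "Sets Organization differences"
      ansible.builtin.set_fact:
        controller_organizations: >-
          {{
            (__organizations_difference
             | selectattr('name', 'in', __list_empty_orgs | default([]))
             | list)
            if (protect_not_empty_orgs | default(false) | bool)
            else __organizations_difference
          }}
```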