Comment 2 for bug 1719141

Since ansible does not have a listening architecture, the flow would have to start with spinning up worker process to listen to notifications. That process could be on a separate machine from the Keystone server.

Alternatively, since AWX is now open source, we could spin up a full AWX instance and have it listen for Keystone events. That is a fairly Heavy weight solution, but it probably makes sense for production workflows. The AWX and Keystone servers need to share a common view of RBAC. Since AWX has its own RBAC structure, we should compare that to the Keystone one to see how it aligns.