Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1434590
Description of problem:

Some customers have scripts or web forms that make calls into the Satellite API. They would like the ability to lock down the API user so that the user can make calls, but cannot log in via the web UI.

One possible way to do this may be to create a 'web access' role of some sort that users get by default. I am not sure if it's best to implement this via the regular role selector, or via a checkbox for "Allow web interface access?" similar to the "is administrator?" box. A checkbox might be better since it can be enabled by default, so its harder to forget to add it.

There may be a more intuitive way to present this to the user, the paragraph above is just one suggestion and not a hard requirement for the RFE.