diff --git a/workbooks/access.yaml b/workbooks/access.yaml
new file mode 100644
index 000000000..1a141009c
--- /dev/null
+++ b/workbooks/access.yaml
@@ -0,0 +1,130 @@ +--- +version: '2.0' +name: tripleo.access.v1 +description: TripleO administration access workflows + +workflows: + + enable_ssh_admin: + description: >- + This workflow creates an admin user on the overcloud nodes, + which can then be used for connecting for automated + administrative or deployment tasks, e.g. via Ansible. The + workflow can be used both for Nova-managed and split-stack + deployments, assuming the correct input values are passed + in. The workflow defaults to Nova-managed approach, for which no + additional parameters need to be supplied. In case of + split-stack, temporary ssh connection details (user, key, list + of servers) need to be provided -- these are only used + temporarily to create the actual ssh admin user for use by + Mistral. + input: + - ssh_private_key: null + - ssh_user: null + - ssh_servers: [] + - overcloud_admin: tripleo-admin + - queue_name: tripleo + tasks: + get_pubkey: + action: tripleo.validations.get_pubkey + on-success: generate_playbook + publish: + pubkey: <% task(get_pubkey).result %> + + generate_playbook: + on-success: + - create_admin_via_nova: <% $.ssh_private_key = null %> + - create_admin_via_ssh: <% $.ssh_private_key != null %> + publish: + create_admin_tasks: + - name: create user <% $.overcloud_admin %> + user: + name: '<% $.overcloud_admin %>' + - name: grant admin rights to user <% $.overcloud_admin %> + copy: + dest: /etc/sudoers.d/<% $.overcloud_admin %> + content: | + <% $.overcloud_admin %> ALL=(ALL) NOPASSWD:ALL + mode: 0440 + - name: ensure .ssh dir exists for user <% $.overcloud_admin %> + file: + path: /home/<% $.overcloud_admin %>/.ssh + state: directory + owner: <% $.overcloud_admin %> + group: <% $.overcloud_admin %> + mode: 0700 + - name: ensure authorized_keys file exists for user <% $.overcloud_admin %> + file: + path: /home/<% $.overcloud_admin %>/.ssh/authorized_keys + state: touch + owner: <% $.overcloud_admin %> + group: <% $.overcloud_admin %> + mode: 0700 + - name: 
authorize TripleO Mistral key for user <% $.overcloud_admin %> + lineinfile: + path: /home/<% $.overcloud_admin %>/.ssh/authorized_keys + line: <% $.pubkey %> + regexp: "Generated by TripleO" + + # Nova variant + create_admin_via_nova: + workflow: tripleo.access.v1.create_admin_via_nova + input: + queue_name: <% $.queue_name %> + tasks: <% $.create_admin_tasks %> + + # SSH variant + create_admin_via_ssh: + workflow: tripleo.access.v1.create_admin_via_ssh + input: + ssh_private_key: <% $.ssh_private_key %> + ssh_user: <% $.ssh_user %> + ssh_servers: <% $.ssh_servers %> + tasks: <% $.create_admin_tasks %> + + create_admin_via_nova: + input: + - tasks + - queue_name: tripleo + tasks: + get_servers: + action: nova.servers_list + on-success: create_admin + publish: + servers: <% task(get_servers).result._info %> + + create_admin: + workflow: tripleo.deployment.v1.deploy_on_server + with-items: server in <% $.servers %> + input: + server_name: <% $.server.name %> + server_uuid: <% $.server.id %> + queue_name: <% $.queue_name %> + config_name: create_admin + group: ansible + config: | + - hosts: localhost + connection: local + tasks: <% json_pp($.tasks) %> + + create_admin_via_ssh: + input: + - tasks + - ssh_private_key + - ssh_user + - ssh_servers + tasks: + write_tmp_playbook: + action: tripleo.ansible-playbook + input: + inventory: + overcloud: + hosts: <% $.ssh_servers.toDict($, {}) %> + remote_user: <% $.ssh_user %> + ssh_private_key: <% $.ssh_private_key %> + ssh_common_args: '-o StrictHostKeyChecking=no' + become: true + become_user: root + playbook: + - hosts: overcloud + tasks: <% $.tasks %> diff --git a/workbooks/ceph-ansible.yaml b/workbooks/ceph-ansible.yaml index 4d9e6b749..1c91997d3 100644 --- a/workbooks/ceph-ansible.yaml +++ b/workbooks/ceph-ansible.yaml 
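Review bot: The sudoers drop-in written by the `grant admin rights to user` copy task is installed with no syntax check, so an unexpected `overcloud_admin` value (anything visudo rejects, or a name containing `.` or `~`, which sudoers.d silently skips) leaves the node either with broken sudo or with a user that has no admin rights; add `validate: '/usr/sbin/visudo -cf %s'` to that task so a malformed file is refused before it lands in /etc/sudoers.d/. The same unvalidated value is spliced into `/home/<% $.overcloud_admin %>/.ssh`, which assumes the `user` task placed the home under /home instead of using the path the user module returns. The SSH variant passes `-o StrictHostKeyChecking=no`, which accepts any host key while a NOPASSWD:ALL sudoers entry and an authorized key are being pushed over the network; if that is deliberate for first contact, a comment saying so (and `accept-new` where the OpenSSH in use supports it) would help reviewers. `ssh_private_key` is also a plain workflow input, and as far as I know Mistral persists execution inputs, so the key the description calls "temporary" may stay readable in the executions table after the run — worth stating in the description so operators rotate it. Minor: the `authorized_keys` task sets `mode: 0700` on a regular file where `0600` is the conventional value.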
@@ -11,8 +11,8 @@ workflows: - ceph_ansible_extra_vars: {} - ceph_ansible_playbook: /usr/share/ceph-ansible/site-docker.yml.sample tasks: - deploy_ssh_key: - workflow: tripleo.validations.v1.copy_ssh_key + enable_ssh_admin: + workflow: tripleo.access.v1.enable_ssh_admin on-success: get_private_key get_private_key: action: tripleo.validations.get_privkey @@ -64,7 +64,7 @@ workflows: clients: hosts: <% $.client_ips.toDict($, {}) %> playbook: <% $.ceph_ansible_playbook %> - remote_user: heat-admin + remote_user: tripleo-admin become: true become_user: root verbosity: <% $.ansible_playbook_verbosity %> diff --git a/workbooks/validations.yaml b/workbooks/validations.yaml index cba30a0f3..2c383157a 100644 --- a/workbooks/validations.yaml +++ b/workbooks/validations.yaml @@ -220,6 +220,9 @@ workflows: copy_ssh_key: input: + # FIXME: we should stop using heat-admin as e.g. split-stack + # environments (where Nova didn't create overcloud nodes) don't + # have it present - overcloud_admin: heat-admin - queue_name: tripleo tasks:
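Review bot: The `enable_ssh_admin` sub-workflow is invoked here with no inputs, so by the new workbook's own description it always takes the Nova-managed path; on a split-stack deployment (the case the FIXME added to validations.yaml describes) no `tripleo-admin` user would be created even though the second hunk switches `remote_user` to it, and the playbook would then fail at SSH rather than with a clear error. If that is a known limitation, a comment above the task such as `# Nova-managed overclouds only; split-stack would need ssh_private_key/ssh_user/ssh_servers forwarded` makes it explicit, otherwise the ceph workflow should accept and pass those three inputs through. The enclosing workflow's input list begins before this hunk, so I cannot tell from here whether they are already available.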