<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">2014-04-14 15:18 GMT+08:00 Tomas Jelinek <span dir="ltr"><<a href="mailto:tjelinek@redhat.com" target="_blank">tjelinek@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><br>
<br>
----- Original Message -----<br>
> From: "plysan" <<a href="mailto:plysab@gmail.com">plysab@gmail.com</a>><br>
> To: <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>
> Sent: Sunday, April 13, 2014 3:52:55 AM<br>
> Subject: [ovirt-users] Question about power user and public template<br>
><br>
> Hi,<br>
><br>
> Currently I have run into a problem with permissions when creating a VM from<br>
> a template.<br>
><br>
> Say non-admin user A in the power user portal wants to create a VM from template<br>
> C created by non-admin user B. I found out that A needs to have both the power<br>
> user role and the userbasedtemplatevm role to make it work. If I only assign<br>
> userbasedtemplatevm to C, A can only view the template in the power user portal<br>
> but is not able to create a VM from it.<br>
<br>
</div>I'd say the problem is that the template has some disks and as a "UserTemplateBasedVm" only you are<br>
not allowed to "Access Image Storage Domains"?<br></blockquote><div>Thanks for pointing that out, I really didn't think the disk has permissions too :)</div><div><br></div><div>Because PowerUserRole has more permissions than UserTemplateBasedVm, I think assigning PowerUserRole is enough to see the template in the power user portal. Based on this thought, I did the following two experiments:</div>
<div><br></div><div>1. I assigned PowerUserRole to user A in Configure -> System Permissions, but after that I still cannot see template C in the power user portal.</div><div>The above role assignment results in user A having PowerUserRole inherited from System Permission, and based on [1], user A should have PowerUserRole on template C, right?</div>
<div><br></div><div>2. Now, based on 1, if I explicitly add PowerUserRole to user A on template C, I can see template C and create VMs from it.</div><div><br></div><div>To my understanding, the above two role assignments should have the same result.</div>
<div><br></div><div>Any ideas?</div><div><br></div><div>[1]: <a href="http://lists.ovirt.org/pipermail/engine-devel/2012-December/003229.html">http://lists.ovirt.org/pipermail/engine-devel/2012-December/003229.html</a></div>
<div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
For details about specific roles and what can be done by which role you can have a look at:<br>
webadmin -> "Configure" in top right corner -> "Roles" side tab -> pick a specific role -> "Edit" button<br>
<div class=""><br>
><br>
> So is this the expected behavior? I don't quite understand what<br>
> userbasedtemplatevm is used for. I noticed that making template C public<br>
> has the effect of assigning userbasedtemplatevm to everyone, but that seems<br>
> not enough to let everyone use it.<br>
><br>
> My engine version is 3.3.4.<br>
><br>
> Any ideas? Thanks for any help!<br>
</div>
</blockquote></div><br></div></div>