On 11/14/2012 07:01 PM, Charlie wrote:
> On 11/13/2012 09:57 PM, Charlie wrote:
>>
>> Will any of these groups and/or permissions be drawn from LDAP?
>>
>> Frankly, system admins are not looking for yet another console to
>> manage permissions.
On Tue, Nov 13, 2012 at 11:28 PM, Itamar Heim <iheim(a)redhat.com> wrote:
> all users/groups come from LDAP.
> you just need to give permissions to these groups/users in ovirt.
> is that what you meant?
Yes, mostly. :)
As long as you can give permissions to a set of LDAP groups (call them
oVirtSysAdmin, oVirtUser, oVirtNetAdmin, or whatever) and after that
never touch permissions again, that's perfect.
That way an HR employee or junior sysadmin can assign users to these
groups during user account creation, and you won't have to give
somebody in HR the ability to define permissions in oVirt, or tie up a
highly skilled admin with routine user account maintenance.
ok, that's exactly how oVirt works.