Hello everyone,
I am working on bug
https://bugzilla.redhat.com/show_bug.cgi?id=878812,
so I played a bit with the code to understand how the permission system
works and noticed a few things (please correct me if I am wrong):
- In order to log in to the admin portal, a user needs to have one of the
admin roles (role_type = 1)
- The system tree is built using a number of queries
- Before running each query, permission validation happens, so the code
checks whether the user is able to run the query
- I noticed that none of the queries required to build the system tree is
an admin query, and validation depends on the result of getUser().isAdmin()
(please check
http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=blob;f=backend/manage...
line 123). This statement is always true for a user who was able to
log in to the admin portal.
I was able to come up with the following ways to solve this issue (please
help to find one that is good enough):
- fix verification
- filter the results of the query
- change the permission model a bit. The structure is quite flat (there
are only 2 role_types), or we could go with containers as was
proposed in the bug description.
Thanks,
Piotr
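
Added example, not part of the original message and not ovirt-engine code: a small Java (16+) model contrasting a validation that only asks `isAdmin()` with the "filter results of query" option from the list above. All class, method and entity names are hypothetical, and the tree and grants are constructed sample data.

```java
import java.util.*;
import java.util.stream.Collectors;

// Hypothetical model; none of these names come from ovirt-engine.
public class SystemTreeFilterDemo {
    // admin == true stands for "holds a role with role_type = 1"
    record User(String name, boolean admin) {}
    // One node of the system tree; parentId is null for a root
    record Entity(String id, String parentId) {}

    // The flat check from the mail: true for everyone who could log in to the admin portal
    static boolean validateFlat(User user) {
        return user.admin();
    }

    // Per-entity check: a grant on the entity or on any ancestor makes it visible
    static boolean canSee(User user, Entity e, Map<String, Entity> byId,
                          Map<String, Set<String>> grants) {
        Set<String> granted = grants.getOrDefault(user.name(), Set.of());
        for (Entity cur = e; cur != null;
             cur = cur.parentId() == null ? null : byId.get(cur.parentId())) {
            if (granted.contains(cur.id())) return true;
        }
        return false;
    }

    // Tree query: validation alone (filter = false) or validation plus result filtering
    static List<String> treeQuery(User user, List<Entity> all,
                                  Map<String, Set<String>> grants, boolean filter) {
        if (!validateFlat(user)) throw new SecurityException("user has no admin role");
        Map<String, Entity> byId = all.stream().collect(Collectors.toMap(Entity::id, x -> x));
        return all.stream()
                .filter(e -> !filter || canSee(user, e, byId, grants))
                .map(Entity::id)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data: two data centers, one cluster each
        List<Entity> all = List.of(new Entity("dc1", null), new Entity("cluster1", "dc1"),
                                   new Entity("dc2", null), new Entity("cluster2", "dc2"));
        Map<String, Set<String>> grants = Map.of("dc1admin", Set.of("dc1"));
        User user = new User("dc1admin", true);
        System.out.println("validation only: " + treeQuery(user, all, grants, false));
        System.out.println("with filtering:  " + treeQuery(user, all, grants, true));
    }
}
```

With validation alone the user scoped to `dc1` receives every node; with filtering only `dc1` and its child `cluster1` are returned.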