
Hi All,

This is in regard to BZ 1511697 - Unable to set permission on all but Hosted-Engine VM and Storage Domain

The Issue:
---------------
As described in the BZ, inherited permissions for HE VM/SD let non SUPER_USER admins perform operations on the VM. Currently as far as permissions go there is no way to distinguish between a HE VM/SD and normal VMs/SDs and there is no way to set permissions only for the HE VM/SD. So all admins can perform operations on the HE VM/SD.

Proposed Solution:
--------------------------
The proposed solution is to prevent operations on a HE VM/SD for all users who do not have SUPER_USER system privileges as per [2]. Moving host to maintenance is allowed for all admins and the HE VM/SD is listed in search queries. Only when performing operations on the VM/SD we check user permissions.

This requires documentation change as not all admin users can perform actions on a HE VM/SD.

Please let me know if you have any objections to the proposed change before it is merged.

Thanks
Ravi

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1511697
[2] https://gerrit.ovirt.org/#/c/97689/
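
The check proposed in the message above, modelled as an added example (it is not oVirt engine code and not part of the original message): inherited grants alone cannot separate the HE VM from other VMs, so an explicit guard requires SUPER_USER on the system object before any operation on it. The entity tree, the `hosted_engine` flag, the user names, the `ClusterAdmin` grant and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

SUPER_USER = "SUPER_USER"

@dataclass
class Entity:
    name: str
    parent: Optional["Entity"] = None
    hosted_engine: bool = False                  # constructed marker for the HE VM/SD
    grants: dict = field(default_factory=dict)   # user -> set of role names

def inherited_roles(user, entity):
    """Roles granted on the entity itself or on any ancestor."""
    roles = set()
    while entity is not None:
        roles |= entity.grants.get(user, set())
        entity = entity.parent
    return roles

def can_operate_inherited_only(user, entity, role):
    """Current behaviour: inheritance cannot tell the HE VM/SD from the rest."""
    roles = inherited_roles(user, entity)
    return SUPER_USER in roles or role in roles

def can_operate(user, entity, role, system):
    """Proposed behaviour: HE VM/SD operations need SUPER_USER on the system."""
    if entity.hosted_engine and SUPER_USER not in system.grants.get(user, set()):
        return False
    return can_operate_inherited_only(user, entity, role)

def is_listed(user, entity):
    """Search results are not filtered by the new check."""
    return bool(inherited_roles(user, entity))

# Constructed sample hierarchy and grants.
system = Entity("System", grants={"alice": {SUPER_USER}})
cluster = Entity("Cluster1", parent=system, grants={"bob": {"ClusterAdmin"}})
he_vm = Entity("HostedEngine", parent=cluster, hosted_engine=True)
app_vm = Entity("app-vm", parent=cluster)

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for vm in (he_vm, app_vm):
            print(user, vm.name,
                  "before:", can_operate_inherited_only(user, vm, "ClusterAdmin"),
                  "after:", can_operate(user, vm, "ClusterAdmin", system),
                  "listed:", is_listed(user, vm))
```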