[ovirt-users] Re: Preventing users to see other VMs

Hi All, Thank you Roy, this is working now as expected, however, I think the Edit button, should be removed for this user, there is no need to display the edit button if the user cannot use it to perform any operation, am I missing something ? Best regards On Wed, May 16, 2018 at 9:12 AM, Peter Hudec <phudec(a)cnc.sk <mailto:phudec@cnc.sk>> wrote: I have found 2 related bug, a little bit older https://bugzilla.redhat.com/show_bug.cgi?id=1209505 <https://bugzilla.redhat.com/show_bug.cgi?id=1209505> https://bugzilla.redhat.com/show_bug.cgi?id=1225274 <https://bugzilla.redhat.com/show_bug.cgi?id=1225274> But these are related only to DiskProfile. I haven't found any work about 'Everyone' group in documentation, so I'm little bit confused why there is such a group. Peter On 15/05/2018 23:02, Peter Hudec wrote: > Hi, > I'm fancing the same problem. > The steps are - create user /tester/ using the > ovirt-aaa-jdbc-tool - login as admin into admin portal - add > tester user in Administation -> Users - choose one VM and add > UserRole role > - login as testr into User Potal - user could see all VM.. > The problem could be, that the user is part of the group > Everyone and this group could be found in Administration -> > Configure > System Permissions. When you check the group > permisson, it seems to be automatically populated by engine. > In my case I[m using default DC, default cluster and 'internal' > profile . > Seems that all engine object is included in Everyone group. > regards Peter > On 15/05/2018 22:03, Roy Golan wrote: >> On Tue, 15 May 2018 at 21:47 Aziz <azizgstest(a)gmail.com <mailto:azizgstest@gmail.com> >> <mailto:azizgstest@gmail.com <mailto:azizgstest@gmail.com>>> >> wrote: >> Hi Roy, >> Thanks for your feedback, I'm unable to remove the user from >> the cluster, I used the command "|ovirt-aaa-jdbc-tool user >> add|" to add the new user, and it seems that by default it took >> all permissions over the cluster. Is there any document >> describing this feature in details ? >> In the webadmin go to Administration -> Configure > System >> Permissions. If the user is there, remove him. Then search for >> the VM and add permissions to the user on the VM Check your >> end result in the 'permisions' section of the VM to see who >> has permissions on it. >> This should be helpful, quite long though >> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/ <https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/ >> >> > This is for the tool itself >> https://www.ovirt.org/develop/release-management/features/infra/aaa-j <https://www.ovirt.org/develop/release-management/features/infra/aaa-j

>> >> bc/ >> Thanks >> On Tue, May 15, 2018 at 6:31 PM, Roy Golan <rgolan(a)redhat.com <mailto:rgolan@redhat.com> >> <mailto:rgolan@redhat.com <mailto:rgolan@redhat.com>>> wrote: >> 1. Make sure your users use the VM portal 2. Assign permission >> on VM to a certain user to make sure it apears in the portal. >> The Role should be VmOperator afaik. >> Permission set on objects higher in the hierarchy are >> cascading, i.e a user with permission on a cluster would have >> the permission on the all the vm in cluster. >> On Tue, 15 May 2018 at 20:59 Aziz <azizgstest(a)gmail.com <mailto:azizgstest@gmail.com> >> <mailto:azizgstest@gmail.com <mailto:azizgstest@gmail.com>>> >> wrote: >> Hi list, >> I'm trying to remove the default "everyone" user from Ovirt, >> so that each user can have access to its own interface to >> manage a unique VM. I wonder if this is possible, because so >> far I'm unable to remove everyone user. >> Thank you >> _______________________________________________ Users mailing >> list -- users(a)ovirt.org <mailto:users@ovirt.org> <mailto:users@ovirt.org <mailto:users@ovirt.org>> To unsubscribe >> send an email to users-leave(a)ovirt.org <mailto:users-leave@ovirt.org> >> <mailto:users-leave@ovirt.org <mailto:users-leave@ovirt.org>> >> _______________________________________________ Users mailing >> list -- users(a)ovirt.org <mailto:users@ovirt.org> To >> unsubscribe send an email to >> users-leave(a)ovirt.org <mailto:users-leave@ovirt.org> _______________________________________________ Users mailing list -- users(a)ovirt.org <mailto:users@ovirt.org> To unsubscribe send an email to users-leave(a)ovirt.org <mailto:users-leave@ovirt.org>