On Wed, 12 Dec 2018 15:25:56 -0000
"Brian Wilson" <briwils2(a)cisco.com> wrote:
Is there a way to prevent Roles Assigned to Groups on Objects to only
apply to where it is set?
Basically looking for a way to do what we had done in VMware which involved using the do
not propagate permission setting.
Seems to me that right now there is no way to set this so if I give access to something
at the top level of a DC those accesses will override if I then explicitly set another role
and permission on an object underneath
Let's take as a concrete example the ovirtmgmt network. I do not want users in the
engine to be able to place VMs on this (but I want the Superusers to be able to still). How
can I accomplish this with the way roles and permissions work with oVirt?

The attachment of logical networks to VMs is managed in oVirt by "vNIC
Profiles". The Boolean property "Public" of vNIC Profiles enables simple
permission management to allow or deny the attachment of the logical
network to a VM by Users.
If "Public" is set, all Users are allowed to attach the related logical
network to the VMs they are allowed to manage.
If "Public" is not set, only Users/Administrators with the required permissions
(e.g. "Assign vNIC Profile to VM") are allowed to attach the logical
network to a VM.
If you want to prevent users in the Engine from being able to place VMs on
ovirtmgmt, you have to remove this "Public" permission from the ovirtmgmt
object.
In the web UI, this can be done like this:
In Administration > Configure > Roles,
select the role "VnicProfileUser".
This will show a table of the allowed User-Object pairs.
Select the pair of the user "Everyone" and the "Object" ovirtmgmt
and remove this pair.
This will prevent users attaching their VMs to ovirtmgmt.
Please make sure that there are no additional permissions on ovirtmgmt
and/or its vNIC Profile that violate the desired permission level.
However, if the VM was already created and has an interface attached to
'ovirtmgmt',
these attachments have to be removed or replaced manually.
thanks!
Brian
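
An added example, not part of the original thread and not oVirt's own code: a small audit over exported permission data that applies the two checks from the reply above (no attach-capable permission for "Everyone" on ovirtmgmt or its vNIC profile, and no VM interfaces still attached to it). The record layout, the profile ids and the "infra-admins" group are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Added example. Record layout, ids and group names are assumptions; fill the
# records from whatever export of the engine's permissions you already have.
PROTECTED_NETWORK = "ovirtmgmt"
ATTACH_ROLES = {"VnicProfileUser"}      # role named in the thread
ALLOWED_PRINCIPALS = {"infra-admins"}   # hypothetical group that keeps access

@dataclass(frozen=True)
class Permission:
    principal: str    # user or group, e.g. "Everyone"
    role: str
    object_type: str  # "vnic_profile" or "network"
    object_ref: str   # profile id, or network name for network objects

@dataclass(frozen=True)
class VmNic:
    vm: str
    nic: str
    profile_id: str

def audit(profiles, permissions, vm_nics, network=PROTECTED_NETWORK):
    """profiles maps vNIC profile id -> logical network name."""
    guarded = {pid for pid, net in profiles.items() if net == network}
    findings = []
    for p in permissions:
        in_scope = (
            (p.object_type == "vnic_profile" and p.object_ref in guarded)
            or (p.object_type == "network" and p.object_ref == network)
        )
        if in_scope and p.role in ATTACH_ROLES and p.principal not in ALLOWED_PRINCIPALS:
            findings.append(("permission", p.principal, p.role, p.object_ref))
    # Removing the permission does not detach NICs that already use the profile.
    for n in vm_nics:
        if n.profile_id in guarded:
            findings.append(("attached_nic", n.vm, n.nic, n.profile_id))
    return findings

# Constructed sample data.
PROFILES = {"prof-mgmt": "ovirtmgmt", "prof-vm": "vm-net"}
PERMISSIONS = [
    Permission("Everyone", "VnicProfileUser", "vnic_profile", "prof-mgmt"),
    Permission("infra-admins", "VnicProfileUser", "vnic_profile", "prof-mgmt"),
    Permission("Everyone", "VnicProfileUser", "vnic_profile", "prof-vm"),
]
VM_NICS = [VmNic("web01", "nic1", "prof-mgmt"), VmNic("db01", "nic1", "prof-vm")]

if __name__ == "__main__":
    for finding in audit(PROFILES, PERMISSIONS, VM_NICS):
        print(finding)
```

An empty result means neither check found anything in the data supplied; it says nothing about permissions that were not exported.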