On Tue, Jan 29, 2019 at 5:01 PM Brian Wilson <briwils2(a)cisco.com> wrote:
> This seems to work, however I'm still trying to solve the issue that if we
> don't give access to networks at a higher level (Cluster or DC) then it must be
> given at the Network level for every network that we would like them to
> have access to. Since we are using an AD group to assign access to the
> networks, this would work for networks initially created by us as admins, but
> brings up an issue for networks they create themselves.
Just to make clear - if you allow users to create networks on the system,
you assigned them an Admin role that supports VM creation, and probably
gave them that role on the DC.
This allows them to add a vNIC profile or have full control (update / delete)
of that network.
> We also would like them to create networks and let that group have access
> to them, but it seems we would have to allow them to assign permissions in the
> system to do that, which then opens up a whole other host of problems we
> wouldn't want, like the ability to mitigate any access control we implement.
> Am I understanding how these permissions work and finding we cannot do the
> below, or missing something that would allow the following use case:
> - Users of Platform are restricted from adding VMs to a few select networks
> - Users of Platform are able to create, and share with other team members
>   associated with an AD Group, new networks
>   -- Stretch here: if it could be restricted to only certain labels, to
>   prevent them from using physical NICs we haven't already assigned labels to
>   as admins
> - Users of Platform are not able to modify permissions on objects in
>   inventory
The MLA (multi-level administration), or permission model, is configured
based on three entities per permission:
1. The entity - which entity we'd like to grant the user permission on
(could be the direct entity or a higher level in that hierarchy)
2. The user - could be either a user or a group that will be granted the
permission
3. The role - the role contains a list of action groups to permit. Could be a
predefined role or a custom role.
In the mentioned use-case of a user or group that creates a VM, where you'd
like that user to be able to grant permission on that network to other
users,
that user should be granted a role that permits giving permissions to
other users on that network (or a higher level, i.e. the DC).
You can define a custom role for that, containing the checked options as in
the screenshot, and assign it on the network or on the DC for the user.
If you'd like to grant that role on a DC to the AD group, they should be
able to grant other users the ability to use the network (and/or its vNIC profiles).
If you'd like to restrict the permission only to the network created by
the user, you should grant it manually (or by a REST API script) on the new
network.
There isn't an option to provide such a role on network creation, since at the
time of creation there is no such entity in the system.
That might require its own RFE.
Please let me know if that makes sense to you and if it solves the
mentioned use-case.
Thanks,
Moti
[image: Selection_999(006).png]
--
Regards,
Moti
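An added example of the "grant it by REST API script on the new network" route Moti describes: an admin-run script that creates the logical network and then grants an AD group a role on that one network only, so the team can use it without anyone in the team holding the right to edit permissions. This is not oVirt's own code and not from the thread; it uses only the Python standard library against the engine's XML REST API (/ovirt-engine/api). The engine URL, credentials, CA file, data center, group and role names are assumptions read from environment variables, and the role is assumed to be one the admin already created (for example a custom role built from the network action groups in Moti's screenshot).

```python
"""Create an oVirt logical network and grant an AD group a role on it.

Added example for this thread, not oVirt's code.  Uses the engine REST API
(/ovirt-engine/api) with Basic auth and XML bodies via the standard library.
All names, URLs and credentials are assumptions supplied by the operator.
"""
import base64
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional
from xml.sax.saxutils import escape


def network_payload(name: str, dc_id: str) -> bytes:
    """Body for POST /networks: a logical network bound to a data center."""
    return (f"<network><name>{escape(name)}</name>"
            f"<data_center id='{escape(dc_id)}'/></network>").encode()


def permission_payload(group_id: str, role_id: str) -> bytes:
    """Body for POST /networks/{id}/permissions.  Entity (the URL), user/group
    and role are the three parts of one MLA permission, as in the thread."""
    return (f"<permission><group id='{escape(group_id)}'/>"
            f"<role id='{escape(role_id)}'/></permission>").encode()


def entity_id(body: bytes) -> str:
    """Engine-assigned id attribute of a single entity returned by the API."""
    root = ET.fromstring(body)
    if "id" not in root.attrib:
        raise ValueError(f"no id attribute on <{root.tag}>")
    return root.attrib["id"]


def find_id(collection: bytes, tag: str, name: str) -> str:
    """Id of the <tag> child whose <name> equals `name` in a collection listing
    such as /roles, /groups or /datacenters.  Exact match only, so asking for
    'NetworkAdmin' never silently picks a role whose name merely starts with it."""
    for elem in ET.fromstring(collection).findall(tag):
        if elem.findtext("name") == name:
            return elem.attrib["id"]
    raise LookupError(f"no {tag} named {name!r}")


class Engine:
    """Minimal XML-over-HTTPS client; user is in user@domain form."""

    def __init__(self, url: str, user: str, password: str,
                 ca_file: Optional[str] = None):
        self.base = url.rstrip("/") + "/api"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Accept": "application/xml",
                        "Content-Type": "application/xml"}
        # Verify the engine certificate against the exported CA; a script that
        # hands out permissions must not run with verification disabled.
        ctx = ssl.create_default_context(cafile=ca_file)
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=ctx))

    def call(self, method: str, path: str, body: Optional[bytes] = None) -> bytes:
        req = urllib.request.Request(self.base + path, data=body,
                                     method=method, headers=self.headers)
        with self.opener.open(req, timeout=30) as resp:
            return resp.read()


def share_new_network(engine: Engine, net_name: str, dc_name: str,
                      group_name: str, role_name: str) -> str:
    """Create the network, then grant role_name to group_name on that network
    only (not on the DC).  Returns the new network's id."""
    dc_id = find_id(engine.call("GET", "/datacenters"), "data_center", dc_name)
    group_id = find_id(engine.call("GET", "/groups"), "group", group_name)
    role_id = find_id(engine.call("GET", "/roles"), "role", role_name)
    net_id = entity_id(engine.call("POST", "/networks",
                                   network_payload(net_name, dc_id)))
    engine.call("POST", f"/networks/{net_id}/permissions",
                permission_payload(group_id, role_id))
    return net_id


if __name__ == "__main__":
    # Every value here is an operator-supplied assumption, not an oVirt default.
    eng = Engine(os.environ["OVIRT_URL"],        # e.g. https://engine.example/ovirt-engine
                 os.environ["OVIRT_USER"],       # e.g. admin@internal
                 os.environ["OVIRT_PASSWORD"],
                 os.environ.get("OVIRT_CA_FILE"))
    print(share_new_network(eng, os.environ["NET_NAME"], os.environ["DC_NAME"],
                            os.environ["AD_GROUP"], os.environ["ROLE_NAME"]))
```

Because the script runs under an admin account, the team members themselves never need a role that includes permission management, which is the concern Brian raises; the group only receives the chosen role on the single network the script just created. Group lookup assumes the AD group has already been added to the engine so that it appears under /groups.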