On Tue, Jan 29, 2019 at 5:01 PM Brian Wilson <briwils2@cisco.com> wrote:
This seems to work however still trying to solve the issue of if we dont give access to networks at a higher level (Cluster or DC) then it must be given at the Network level for every network that we would like them to have access to. Since we are using an AD group to assign access to the networks this would work for initially created network by we as admins but brings up an issue for networks they create themselves.
Just to make clear - if you allow users to create networks on the system, you assigned to them Admin role that supports vm creation, and probably given them that role on the DC.
This allows them to add vnic profile or have full control (update / delete) for that network.
We Also would like them to create networks and let that group have access to it but is seems we would have to allow them to assign permissions in the system to do that, which then opens up a whole other host of problems we wouldn't want like the ability to mitigate and access control we implement.
Am I understanding how these permissions work and finding we cannot do the below or missing something that would allow the follow use case:
Users of Platform are restricted from adding VMs to a few select networks
Users of Platform are able to create, and share with other team members associated with an AD Group, new networks
-- Strech here if it could be restricted to only certain labels to prevent them from using physical nics we haven't already assigned labels to as admins
Users of Platform are not able to modify permissions on objects in inventory
The MLA (multi-level administration) or the permission model is configured based on 3 entities per permission:
1. The entity - which entity we'd like to grant the user permission on (could be the direct entity or higher level in that hierarchy)
2. The user - could be either a user or group that will be granted with the permission
3. The role - role contains list of action groups to permit. Could be predefined role or a custom role.
In the mentioned use-case of user or group that creates a VM, where you'd like that user to be able to grant permission on that network to other users,
that user should be granted with a role that permits giving permissions to other users on that network (or higher level, i.e. DC).
You can define a custom role for that, containing the checked options as in the screenshot, and assign it on the network or on the dc for the user.
If you'd like to grant that role on a DC to the AD group, they should be able to grant other users to use network (and/or its vnic profiles).
If you'd like to restrict the permission only for the created network by the user, you should grant it manually (or by restapi script) on the new network.
There isn't option to provide such role on the create network, since at time of creation, there is no such entity in the system.
That might require its own RFE.
Please let me know if that makes sense to you and if it solves the mentioned use-case.
Thanks,
Moti
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/W2PFFSLZA4CZHYY67JXQROFY65EPOKJ2/