On Wed, Dec 12, 2018 at 5:27 PM Brian Wilson <briwils2@cisco.com> wrote:
Is there a way to prevent Roles Assigned to Groups on Objects to only apply to where it is set?


Basically looking for a way to do what we had done in VMware, which involved using the "do not propagate" permission setting.


Seems to me that right now there is no way to set this, so if I give access to something at the top level of a DC, those accesses will override if I then explicitly set another role and permission on an object underneath.


Let's take as a concrete example the ovirtmgmt network. I do not want users in the engine to be able to place VMs on this (but I want the Superusers to still be able to). How can I accomplish this with the way roles and permissions work with oVirt?

There is an entity named Vnic Profile under the Network element.
When creating the Vnic Profile, you can define if you'd want it to be 'publicly' used or not.
In case you select the 'Public Use' option, a public permission (a permission to a special inner user called EVERYONE) is granted on that profile.
See attached screenshot of that profile:

Selection_978.png

However, if the VM was already created and has a NIC attached to 'ovirtmgmt', the admin will need to remove or replace the profile of the restricted network.
 


thanks!
Brian
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/PY6ZITVTLFNXFXN7PQ6TO46UMTVOGB23/


--
Regards,
Moti