Hi Michal,

On 4/15/20 10:55 AM, Michal Gutowski wrote:
> Hi oVirt community,
>
> I'm playing with a multitenant use-case in oVirt 3.4.6... My setup is as follows:
> - I have two working Data Centers (DC1 and DC2)
> - I created two additional users DC1-admin and DC2-admin
> - In DC1 permission settings I've added DC1-admin as a user with a built-in DataCenterAdmin Role.
> - In DC2 permission settings I've added DC2-admin as a user with a built-in DataCenterAdmin Role.
>
> Now in terms of permissions all is good: DC1-admin is not able to modify anything in DC2 and DC2-admin is not able to modify anything in DC1.
>
> However, in both the Admin Portal and the VM Portal DC1-admin and DC2-admin can still see all other datacenter resources.
> My expectation was that if I log in to the Admin Portal as e.g. DC2-admin I will only see the DC2 datacenter in the GUI and nothing else. Same with VM Portal. I played with different user settings but I couldn't make it work...

DataCenterAdmin is an Administrator role and, from what I understand, these roles can see everything. There is no specific user role similar to this for the whole DC. If you use UserVmManager on the DC, it should be propagated to all VMs in that DC.
Also, you can specify your own role in Administration - Configure - Roles.

> I think the problem is that whatever user you create, it will always belong to the built-in "everyone" group and inherit permission to see everything in the portal.
> Is it possible to achieve a scenario where e.g. DC2-admin will log in to the Admin Portal and only see resources that belong to DC2 and nothing else?
>
> Thanks,
> Michal



Best regards,
-- 
Lucie Leistnerova
Senior Quality Engineer, QE Cloud, RHVM
Red Hat EMEA

IRC: lleistne @ #rhev-qe