Hi All,

@Roy, yes, that's excatly what I'm referring to. It's "ugly" to show the unauthorized message each time a user will try to edit the VM, better to hide it or put it as Grayed.

Thank you Greg.

Best regards
 

On Wed, May 16, 2018 at 1:14 PM, Greg Sheremeta <gshereme@redhat.com> wrote:


On Wed, May 16, 2018 at 9:09 AM, Roy Golan <rgolan@redhat.com> wrote:
On Wed, 16 May 2018 at 16:01 Aziz <azizgstest@gmail.com> wrote:
Hi All,

Thank you Roy, this is working now as expected, however, I think the Edit button, should  be removed for this user, there is no need to display the edit button if the user cannot use it to perform any operation, am I missing something ?

You mean in the VM portal the user sees  he can edit a VM when he doesn't have permission to? I assume we don't go to a resolution of button per permission ( +Greg Sheremeta  right? )
Instead the user would get and error from the engine that he isn't authorized to perform this action.

In both Administration Portal and VM Portal, we generally don't have pre-flight checks to see if users have access to buttons. There is an existing RFE, 
Bug 1221694 – [RFE] Role based views in webui

Greg
 

Best regards

On Wed, May 16, 2018 at 9:12 AM, Peter Hudec <phudec@cnc.sk> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I have found 2 related bug, a little bit older

https://bugzilla.redhat.com/show_bug.cgi?id=1209505
https://bugzilla.redhat.com/show_bug.cgi?id=1225274

But these are related only to DiskProfile.

I haven't found any work about 'Everyone' group in documentation, so
I'm little bit confused why there is such a group.

        Peter

On 15/05/2018 23:02, Peter Hudec wrote:
> Hi,
>
> I'm fancing the same problem.
>
> The steps are - create user /tester/ using the ovirt-aaa-jdbc-tool
>  - login as admin into admin portal - add tester user in
> Administation -> Users - choose one VM and add UserRole role
>
> - login as testr into User Potal - user could see all VM..
>
> The problem could be, that the user is part of the group Everyone
> and this group could be found in Administration -> Configure >
> System Permissions. When you check the group permisson, it seems
> to be automatically populated by engine.
>
> In  my case I[m using default DC, default cluster and 'internal'
> profile .
>
> Seems that all engine object is included in Everyone group.
>
> regards Peter
>
> On 15/05/2018 22:03, Roy Golan wrote:
>
>
>> On Tue, 15 May 2018 at 21:47 Aziz <azizgstest@gmail.com
>> <mailto:azizgstest@gmail.com>> wrote:
>
>> Hi Roy,
>
>> Thanks for your feedback, I'm unable to remove the user from the
>> cluster, I used the command "|ovirt-aaa-jdbc-tool user add|" to
>> add the new user, and it seems that by default it took all
>> permissions over the cluster. Is there any document describing
>> this feature in details ?
>
>
>
>> In the webadmin go to Administration -> Configure > System
>> Permissions. If the user is there, remove him. Then search for
>> the VM and add permissions to the user on the VM Check your end
>> result in the 'permisions' section of the VM to see who has
>> permissions on it.
>
>> This should be helpful, quite long though
>> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/
>
>>
>>
>
> This is for the tool itself
>> https://www.ovirt.org/develop/release-management/features/infra/aaa-j
d
>
>>
>>
bc/
>
>
>
>
>> Thanks
>
>> On Tue, May 15, 2018 at 6:31 PM, Roy Golan <rgolan@redhat.com
>> <mailto:rgolan@redhat.com>> wrote:
>
>> 1. Make sure your users use the VM portal 2. Assign permission on
>> VM to a certain user to make sure it apears in the portal. The
>> Role should be VmOperator afaik.
>
>> Permission set on objects higher in the hierarchy are cascading,
>> i.e a user with permission on a cluster would have the permission
>> on the all the vm in cluster.
>
>
>> On Tue, 15 May 2018 at 20:59 Aziz <azizgstest@gmail.com
>> <mailto:azizgstest@gmail.com>> wrote:
>
>> Hi list,
>
>> I'm trying to remove the default "everyone" user from Ovirt, so
>> that each user can have access to its own interface to manage a
>> unique VM. I wonder if this is possible, because so far I'm
>> unable to remove everyone user.
>
>> Thank you
>
>
>> _______________________________________________ Users mailing
>> list -- users@ovirt.org <mailto:users@ovirt.org> To unsubscribe
>> send an email to users-leave@ovirt.org
>> <mailto:users-leave@ovirt.org>
>
>
>
>
>> _______________________________________________ Users mailing
>> list -- users@ovirt.org To unsubscribe send an email to
>> users-leave@ovirt.org
>
>
>
>

- --
*Peter Hudec*
Infraštruktúrny architekt
phudec@cnc.sk <mailto:phudec@cnc.sk>

*CNC, a.s.*
Borská 6, 841 04 Bratislava
Recepcia: +421 2  35 000 100

Mobil:+421 905 997 203
*www.cnc.sk* <http:///www.cnc.sk>

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEqSUbhuEwhryifNeVQnvVWOJ35BAFAlr79fIACgkQQnvVWOJ3
5BBGXxAAsa0Rhs+bCisRfnD665bvRpA81yoRRJQFVYSnDZOqWVZzzTsnY4CtBAOM
MG4CTvbvHXHCL304O0a4xBqpwINzcXSieyx2Vqbcxe2Fq+VRqRgq+z+3wm1L26Eb
6KraPpTlieXmbvYD2Wfu8PcGS1JFwS37FnV98EadiPCahPO7JQUBRLaErQZvi986
BZ7x/qUZWk5C4sEkP+eCM/94u3ZaMB4LSLXJqvHLpRYEGs1aOc4xhrxWVO2HLc4t
aaVveS40rufogjjHzV0E++fx9XFpHpIHwfG8DsVZsIz5yyq9qQz+mt0gmvM7A81m
myJQit/bQ/9j/ew/7pJNKtmv4fOB4hkCrn9tgLyhc9JIvRGmG9zymMloXdSAWvqr
eKSsVOcInmgb+gsKS0upIR+Ow3zGeUzwkHdqTJAtNtyg66DpNKvT2B010t86vO9z
4ggTVcMG/+Y2c3Zu78yCSSI+0rO/R+kSTL/v8QlCk5ke4OW5iXNEIFhuUZY8905U
OesB27XqXdJtZibaL6YGNG3f8GcaQgNhkGPmzVxIge+KQNwLOyV4VIJaYEFAiJgz
H2OIGzKKk97OhWmRm68NUYebdyG6Pi6SL2M3fhzb0Qn/YiUCr/GygQfd455ok81e
tF5UxMz1mHSN9UQV30GaPy+pR70bh3AF83E4vmjznKAmhspBB68=
=7qJi
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org



--

GREG SHEREMETA

SENIOR SOFTWARE ENGINEER - TEAM LEAD - RHV UX

Red Hat NA

gshereme@redhat.com    IRC: gshereme