
Glad you're sorted, I've added a Bugzilla entry:
https://bugzilla.redhat.com/show_bug.cgi?id=1656794

Basically, Webadmin allows you to add a system permission to the everyone group but you can't remove it.

Regards,
Paul S.

________________________________
From: Jacob Green <jgreen@aasteel.com>
Sent: 05 December 2018 17:45
To: Staniforth, Paul
Cc: users
Subject: Re: [ovirt-users] The built in group Everyone is troublesome.

Thank you for your help! This worked flawlessly and helped me understand the engine database a little more!

On 12/04/2018 12:00 PM, Staniforth, Paul wrote:

Get the id for the everyone group:

    https://engine.example.com/ovirt-engine/api/groups?search=everyone

Get the id for the UserRole:

    https://engine.example.com/ovirt-engine/api/roles

Connect to the engine database, e.g.

    psql -h localhost -U engine -d engine

    select * from permissions where ad_element_id='groupid';

Note the id of the permission, probably the last one but you can check by the role_id, then delete the permission.

    delete from permissions where id='noted before';

You should make a backup of your system before you do this.

Regards,
Paul S.

________________________________
From: Staniforth, Paul
Sent: 04 December 2018 17:23
To: Jacob Green
Subject: Re: [ovirt-users] The built in group Everyone is troublesome.

Yes, that's not good. You need to remove the UserRole system permission, but they fixed it so you can't.

https://bugzilla.redhat.com/show_bug.cgi?id=1366205

I think there may be a bug that allows you to add system permissions to the everyone group in 4.2; you're only supposed to be able to change the permissions with a dbscript.

I'll look up my notes on how to remove the permission from the DB.

Regards,
Paul S.

________________________________
From: Jacob Green <jgreen@aasteel.com>
Sent: 04 December 2018 16:59
To: Staniforth, Paul
Subject: Re: [ovirt-users] The built in group Everyone is troublesome.

[inline image]

If the picture does not come through, the following are the permissions:

Group > Everyone
Everyone > Role - UserRole,UserProfileEditor
Object : (System)

On 12/04/2018 10:20 AM, Staniforth, Paul wrote:

What are the permissions for the group everyone? In particular, the system permission should be just UserProfileEditor.

Regards,
Paul S.

________________________________________
From: Jacob Green <jgreen@aasteel.com>
Sent: 04 December 2018 15:20
To: users
Subject: [ovirt-users] The built in group Everyone is troublesome.

So all my VMs are inheriting system permissions from group everyone and giving all my users access to all my VMs, in oVirt 4.2. Is there a best practices guide or any recommendation on how to clear this up? Clicking remove on everyone does not work because oVirt won't allow me to remove a built in account.

Thank you

--
Jacob Green
Systems Admin
American Alloy Steel
713-300-5690
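
Added example, not part of the original messages: the permission removal described in Paul's 12/04 reply, wrapped in a transaction that refuses to delete unless exactly one row pairs the everyone group with UserRole. The two quoted ids are placeholders for the values returned by the API calls in that reply, and only the `permissions` columns named in the thread are used.

```sql
-- Run in psql against the engine database, after taking a backup.
-- '<everyone-group-id>' and '<userrole-id>' are placeholders: substitute
-- the ids returned by /api/groups?search=everyone and /api/roles.
BEGIN;

-- 1. List every permission the everyone group holds before changing anything.
SELECT id, role_id
FROM permissions
WHERE ad_element_id = '<everyone-group-id>';

-- 2. Delete by (group, role) instead of by "probably the last" row id,
--    and abort unless exactly one row matched.
DO $$
DECLARE
    -- %TYPE copies the column types, so no type is assumed here.
    everyone_id CONSTANT permissions.ad_element_id%TYPE := '<everyone-group-id>';
    userrole_id CONSTANT permissions.role_id%TYPE := '<userrole-id>';
    removed     integer;
BEGIN
    DELETE FROM permissions
    WHERE ad_element_id = everyone_id
      AND role_id = userrole_id;

    GET DIAGNOSTICS removed = ROW_COUNT;
    IF removed <> 1 THEN
        -- Zero rows: wrong id. Several rows: the group holds this role on
        -- more than one object, so pick the row by id by hand instead.
        RAISE EXCEPTION 'expected 1 matching permission, matched %', removed;
    END IF;
END
$$;

-- 3. Confirm what is left; the UserProfileEditor row should still be listed.
SELECT id, role_id
FROM permissions
WHERE ad_element_id = '<everyone-group-id>';

-- If step 2 raised, the transaction is aborted and COMMIT rolls it back.
-- Type ROLLBACK instead if the output of step 3 is not what you expected.
COMMIT;
```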