
Hi Jeff,

* I assume that we are talking about the User Portal, not the web-admin (which the user cannot even log into, according to the permissions that you specified).
* a permission is a triplet of role, user and object. according to what you are saying, the user's permission is:
  - role: Copy_of_UserRole [contains "Remote Log" only (???)]
  - user: user
  - object: ???

  what is the object with which the user's permission is associated? I suspect it is "System", which would explain why the user sees all of the VMs in his user-portal (permissions inheritance, as you suspected: all VMs are "descendants" of "System", therefore permissions on "System" are propagated to the VMs within the system)
* are there any additional permissions for this user? a screen-shot of the user's "Permissions" sub-tab in the User's main tab in the web-admin would be helpful.
* does the user belong to any group that has permissions on the system? if so, this user could be inheriting these permissions from that group.
* are you sure that the "Copy_of_UserRole" role contains only the "Remote Log" action? if not - that can explain why the user is able to perform actions on the VMs other than "Remote Log".

----
Thanks,
Einav

----- Original Message -----
From: "Jeff Clay" <jeffclay@gmail.com>
To: users@ovirt.org
Sent: Tuesday, May 6, 2014 4:32:28 PM
Subject: [ovirt-users] Users seeing all vm's

For some reason, when logged in as a user with a modified copy role of UserRole (only has login permission and VM -> Basic Operations -> Remote Log In permission) the user can see all of the VM's and has the ability to open a console, start, shutdown or suspend any of the VM's. I have verified that all of the VM's only show the SuperUser role in their permissions. I went through all of the roles and verified that the user is only a member of the Copy_of_UserRole. The only thing I can think of is that the user is inheriting permissions from something, but I can't find what it is or where. Any suggestions?
Thanks.
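The inheritance described in the reply above, as an added example that is not part of the original thread and is not oVirt code: a simplified model in which a permission is a (role, principal, object) triplet that applies to the object and everything below it. The hierarchy, the group name and the action names are constructed for illustration.

```python
from typing import NamedTuple

class Permission(NamedTuple):
    role: str
    principal: str  # a user name or a group name
    obj: str        # the object the permission is attached to

# Constructed sample data: object, group and action names are illustrative only.
PARENT = {"vm-web01": "cluster-a", "vm-db01": "cluster-a",
          "cluster-a": "System", "System": None}
ROLE_ACTIONS = {
    "Copy_of_UserRole": {"login", "remote_log_in"},
    "SuperUser": {"login", "remote_log_in", "start_vm", "stop_vm", "suspend_vm"},
}
GROUPS = {"user": {"everyone"}, "admin": set()}
PERMISSIONS = [
    Permission("Copy_of_UserRole", "user", "System"),  # the suspected grant
    Permission("SuperUser", "admin", "vm-web01"),
    Permission("SuperUser", "admin", "vm-db01"),
]

def ancestors(obj):
    """Yield obj itself, then each ancestor up to the root."""
    while obj is not None:
        yield obj
        obj = PARENT[obj]

def explain_access(user, obj, permissions=PERMISSIONS):
    """List (action, role, principal, granting_object) for every way
    the user can act on obj, directly, by inheritance or via a group."""
    principals = {user} | GROUPS.get(user, set())
    chain = set(ancestors(obj))
    found = []
    for p in permissions:
        if p.principal in principals and p.obj in chain:
            for action in sorted(ROLE_ACTIONS[p.role]):
                found.append((action, p.role, p.principal, p.obj))
    return found

def visible_objects(user, permissions=PERMISSIONS):
    """Objects on which the user holds at least one effective action."""
    return sorted(o for o in PARENT if explain_access(user, o, permissions))

if __name__ == "__main__":
    print(visible_objects("user"))             # everything under System
    for row in explain_access("user", "vm-db01"):
        print(row)                             # each row names the granting object
    scoped = [Permission("Copy_of_UserRole", "user", "vm-web01")]
    print(visible_objects("user", scoped))     # only the one VM
```

The fourth field of each row is the object the grant is attached to, which is the answer to the "object: ???" question in the reply.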