[ovirt-users] Users seeing all vm's

Einav Cohen ecohen at redhat.com
Tue May 6 20:45:10 UTC 2014


Hi Jeff, 

* I assume that we are talking about the User Portal, 
not the web-admin (to which the user cannot even log 
into, according to the permissions that you specified). 

* a permission is a triplet of role, user and object. 
according to what you are saying, the user's permission is: 
- role: Copy_of_UserRole [contains "Remote Log" only (???)]
- user: user
- object: ??? 

what is the object with which the user's permission 
is associated? I suspect it is "System", which would 
explain why the user sees all of the VMs in his user-
portal (permissions inheritance, as you suspected: all 
VMs are "descendants" of "System", therefore permissions 
on "System" are propagated to the VMs within the system)

* are there any additional permissions for this user? a 
screen-shot of the user's "Permissions" sub-tab in the 
User's main tab in the web-admin would be helpful. 

* does the user belong to any group that has permissions 
on the system? if so, this user could be inheriting these 
permissions from that group. 

* are you sure that the "Copy_of_UserRole" role contains 
only the "Remote Log" action? if not - that can explain 
why the user is able to perform actions on the VMs other 
than "Remote Log". 

----
Thanks,
Einav



----- Original Message -----
> From: "Jeff Clay" <jeffclay at gmail.com>
> To: users at ovirt.org
> Sent: Tuesday, May 6, 2014 4:32:28 PM
> Subject: [ovirt-users] Users seeing all vm's
> 
> For some reason, when logged in as a user with a modified copy role of
> UserRole (only has login permission and VM -> Basic Operations -> Remote Log
> In permission) the user can see all of the VM's and has the ability to open
> a console, start, shutdown or suspend any of the VM's. I have verified that
> all of the VM's only show the SuperUser role in their permissions. I went
> through all of the roles and verified that the user is only a member of the
> Copy_of_UserRole. The only thing I can think of is that the user is
> inheriting permissions from something, but I can't find what it is or
> where. Any suggestions?
> 
> Thanks.
> 
> 
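
Added example (not part of the original thread and not oVirt code): a small Python model of the role/user/object triplet and the inheritance described in the reply above, showing how a grant on "System", held directly or through a group, reaches every VM. The object hierarchy, the user "jdoe", the group "Everyone", the action names and the role contents are all constructed for illustration.

```python
# Illustrative model only: structure and names are assumptions, not oVirt's API.
from collections import namedtuple

# Constructed object hierarchy (child -> parent); "System" is the root.
PARENT = {"vm-web01": "Cluster-A", "vm-db01": "Cluster-A",
          "Cluster-A": "DC-1", "DC-1": "System", "System": None}

# Constructed roles: role name -> actions it contains.
ROLES = {
    "Copy_of_UserRole": {"login", "vm_remote_login"},
    "UserRole": {"login", "vm_remote_login", "vm_start", "vm_stop", "vm_suspend"},
    "SuperUser": {"*"},
}
GROUPS = {"jdoe": {"Everyone"}}  # constructed user -> group membership

# A permission is a triplet of role, principal (user or group) and object.
Permission = namedtuple("Permission", "role principal obj")
PERMISSIONS = [
    Permission("SuperUser", "admin", "vm-web01"),
    Permission("Copy_of_UserRole", "jdoe", "System"),
    Permission("UserRole", "Everyone", "System"),
]

def ancestors(obj):
    """Yield obj and every object above it, up to the root."""
    while obj is not None:
        yield obj
        obj = PARENT[obj]

def effective(user, obj, permissions=PERMISSIONS):
    """Map each action the user holds on obj to the triplets that grant it."""
    principals = {user} | GROUPS.get(user, set())
    chain = set(ancestors(obj))
    result = {}
    for p in permissions:
        # A grant applies if it targets obj or any ancestor of obj.
        if p.principal in principals and p.obj in chain:
            for action in ROLES[p.role]:
                result.setdefault(action, []).append(p)
    return result

def explain(user, obj):
    """Return one line per (action, granting triplet) for an audit."""
    return [f"{a}: {p.role} on {p.obj} via {p.principal}"
            for a, ps in sorted(effective(user, obj).items()) for p in ps]

if __name__ == "__main__":
    print("\n".join(explain("jdoe", "vm-web01")))
```

In this model the VM itself lists only SuperUser for "admin", yet "jdoe" can start and stop it because of the group grant on "System", which is why the audit has to walk both the object's ancestors and the user's groups.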


