[ovirt-users] VM Permissions (3.6)

[Oved Ourfali]

Hi Alexis,

Permissions in oVirt consist of three parts:
1. The user/group
2. The role
3. The object

So, if you want a user to be able to "use" a VM, it should be enough to
grant him a UserRole on the VM object (no need to go to the system
preferences for that one).
If you want a user to be the owner of a VM (allows more actions on that VM
than UserRole), then you should grant him with UserVmManager on the VM
object.

The role itself consists of actions that are allowed to be done with it.
You can view these actions in the UI through the system preferences dialog.

When you grant permissions on the system preferences dialog, then it means
the "object" you grant on is the "system" object, which is in the higher
part of the objects tree.
Normally you won't need that for users.

As for managing permissions, it can be done either via the UI, or the API,
or one of the SDKs.
I guess it is a matter of preference and needs.

Cheers,
Oved


On Sun, Mar 5, 2017 at 1:51 PM, Alexis HAUSER <
alexis.hauser at imt-atlantique.fr> wrote:

> hi, I'm trying to figure out how to manage VM permissions with ovirt.
> From what I've understood, if you add a user to user role in the system
> preferences, this user can access every VM and resources on the cluster,
> with the associated permissions; right ?
> Now, if I want to control who has access to each VM : I musn't add this
> user to user role from the system tab; but instead add it on each resources
> (like on each VM) it should access ?
>
> Is there another way to manage permissions ? How you guys do personally
> manage this ? Do you automate it with scripts ?
>
> Thanks for you ideas and suggestions
>
> (using 3.6)
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170306/00dc4fc8/attachment.html>