<div dir="ltr">I figured it out. I was using Configure -> System Permissions to add my users and assign them to roles. Removing the users from there and adding them under the Permissions tab on the actual object did what I wanted it to.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, May 7, 2014 at 10:14 AM, Jeff Clay <span dir="ltr"><<a href="mailto:jeffclay@gmail.com" target="_blank">jeffclay@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Thanks, that clarifies quite a bit. The permissions are being applied to "System" for the regular UserRole, but I don't see where to define what objects the roles are assigned to.</div><div class="HOEnZb">
<div class="h5"><div class="gmail_extra">
<br><br><div class="gmail_quote">On Wed, May 7, 2014 at 2:28 AM, Oved Ourfalli <span dir="ltr"><<a href="mailto:ovedo@redhat.com" target="_blank">ovedo@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Jeff<br>
<br>
Roles determine two things:<br>
1. What the user can see<br>
2. What the user can do<br>
<br>
It is important to know on who is the user, what is the role (UserRole? as you also mentioned SuperUser?) and on what object(s) was the role granted on.<br>
Assuming it is UserRole, on a specific user, then:<br>
If on a VM, then the user can see/operate on this VM.<br>
If on a Cluster, then the user can see/operate on all the VMs in this cluster.<br>
If on a DC, then the user can see/operate on all the VMs in clusters that are part of this DC.<br>
If on System, then the user can see/operate on all the VMs in the system.<br>
<br>
So the hierarchy is System-->DC-->Cluster-->VM.<br>
I hope this clarifies you question.<br>
<br>
Regards,<br>
Oved<br>
<div><div><br>
<br>
----- Original Message -----<br>
> From: "Jeff Clay" <<a href="mailto:jeffclay@gmail.com" target="_blank">jeffclay@gmail.com</a>><br>
> To: <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br>
> Sent: Monday, May 5, 2014 10:31:53 PM<br>
> Subject: [ovirt-users] user portal permissions<br>
><br>
> For some reason, when logged in as a user with a modifed copy role of<br>
> UserRole (only has login permssion and VM -> Basic Operations -> Remote Log<br>
> In permission) the user can see all of the VM's and has the ability to open<br>
> a console, start, shutdown or suspend any of the VM's. I have verified that<br>
> all of the VM's only show the SuperUser role in their permissions. I went<br>
> through all of the roles and verified that the user is only a member of the<br>
> Copy_of_UserRole. The only thing I can think of is that the user is<br>
> inheriting permissions from something, but I can't find what it is or where.<br>
> Any suggestions?<br>
><br>
> Thanks.<br>
><br>
</div></div>> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
> <a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
><br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>