On 6/15/12 9:49 AM, "Clayton Weise" <cwe...@iswest.net> wrote:
>With regard to the subject of roles. I've noticed that domain admins do >not have limits enforced. So if a domain is limited to 10 snapshots, a >domain admin can create 11. And because limits cannot be imposed, as far >as we're concerned, this type of user is pretty much useless because we >have no way to control what it can do. Is this by design? It was designed that way from the beginning. But you are right - domain admin should respect the limits as he doesn't own the system, and there should be a way to control his resources. Can you please file a CS bug on this regard. Thanks, -Alena. >And if so, why and is there a way it can be changed so that domain admins >can have limits enforced? > >Thanks, >Clayton > >>-----Original Message----- >>From: Will Chan [mailto:will.c...@citrix.com] >>Sent: Friday, June 15, 2012 9:32 AM >>To: cloudstack-dev@incubator.apache.org; >>cloudstack-us...@incubator.apache.org >>Subject: RE: Construct / change role permissions >> >>You are correct that Cloudstack has created essentially three static >>roles today. The most you can do today is to allow/disallow API >>commands to each role via the commands.properties file. >> >>It has been something that has been requested many times before, >>however, most production systems that go live on CloudStack typically >>are fronted by some type of "portal." These portals are the ones that >>decide permissions for each user type. Essentially, it's the user role >>that require a bit more flexibility as the other two roles are pretty >>standard. >> >>I do know that Citrix is working on contributing back some refactoring >>work on the domain and user ACL checklist so you might want to wait for >>that first. >> >>Will >> >>> -----Original Message----- >>> From: Olga Smola [mailto:olya.sm...@gmail.com] >>> Sent: Friday, June 15, 2012 1:02 AM >>> To: cloudstack-dev@incubator.apache.org; cloudstack- >>> us...@incubator.apache.org >>> Subject: Construct / change role permissions >>> >>> Hi, >>> >>> I would like to discuss CloudStack roles capabilities. As far as I >>>understand, there >>> are 3 distinct roles and there is no possibility to change any role >>>permissions. >>> Sometimes it's not so comfortable for situation when it is needed to >>>allow some >>> action from one role to another one. For example, if you would like to >>>allow >>> USER new action "Add account", you can't. Because there is no API >>>command >>> for USER. What about new roles? >>> Have you got any ideas how to extend the CloudStack mechanism of roles >>> creation? It will be more convenient if there is something that allow >>>to create >>> custom roles with needed permissions. For example, give basic role >>>ADMIN or >>> USER and then create new role based on it, change permissions(remove, >>>add). >>> Something like Role's constructor. >>> Also I would like to know if somebody else needs similar extension? >>> >>> Fill free to write any ideas. >>> >>> Thanks a lot, >>> Olga >
