GitHub user GutoVeronezi added a comment to the discussion: Get Rid of Account "Types"? and just use "Roles"?
@MI-DROZ @rohityadavcloud (cc @DaanHoogland)

This is an interesting discussion. One point that was not mentioned is that "account types" have another part in the system: they delimit the scope of access to resources. Accounts of type `RootAdmin` can manage the infra, resources and access for all accounts and projects; accounts of type `DomainAdmin` can manage resources and access to their domain and subdomains; accounts of type `User` can only manage their own resources and projects that their accounts belong to. If we remove this mechanism, we will not have a way to define the scope of access of the accounts.

I believe it makes sense to not define default permissions by account type and let it be managed by the role's rules alone (with perhaps an exception: IMO, some APIs related to the management of the infra should not be accessible by `User` and `DomainAdmin` types even if their roles' rules allow it); however, we still need them to define the scope of access.

Regarding the points @MI-DROZ mentioned in the description, I believe they require some adjustments and tweaks in the system rather than a rework. Adding the `roleid` parameter to `link domaintoldap` on its own should be simple, like it was pointed out in https://github.com/apache/cloudstack/discussions/10380#discussioncomment-14178956.

GitHub link: https://github.com/apache/cloudstack/discussions/10380#discussioncomment-14180009
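The split described in the comment above (role rules decide which APIs may be called, account type decides which resources are in scope, with infra APIs reserved for `RootAdmin`) as a small added model; this is not CloudStack's code and is not from the comment's author. The rule format, the domain paths, the `INFRA_APIS` set and the sample accounts are assumptions constructed for illustration, and project membership is left out.

```python
from dataclasses import dataclass

# Assumed set of infra-management APIs that stay RootAdmin-only.
INFRA_APIS = {"addHost", "createZone"}

@dataclass(frozen=True)
class Account:
    name: str
    type: str           # "RootAdmin", "DomainAdmin" or "User"
    domain: str         # domain path with trailing slash, e.g. "/ROOT/acme/"
    role_rules: tuple   # ordered (api_name or "*", "allow"/"deny") pairs

@dataclass(frozen=True)
class Resource:
    owner: str
    domain: str

def role_allows(account, api):
    """Role layer: first matching rule wins, no match means deny."""
    for rule_api, permission in account.role_rules:
        if rule_api in (api, "*"):
            return permission == "allow"
    return False

def in_scope(account, resource):
    """Account-type layer: bounds which resources are reachable at all."""
    if account.type == "RootAdmin":
        return True
    if account.type == "DomainAdmin":
        # The trailing slash keeps "/ROOT/acme/" from matching "/ROOT/acme2/".
        return resource.domain.startswith(account.domain)
    return resource.owner == account.name   # "User": own resources only

def authorize(account, api, resource=None):
    # Exception proposed in the comment: a role rule cannot open infra
    # APIs to User or DomainAdmin accounts.
    if api in INFRA_APIS and account.type != "RootAdmin":
        return False
    if not role_allows(account, api):
        return False
    return resource is None or in_scope(account, resource)

# Constructed sample data.
ROOT = Account("admin", "RootAdmin", "/ROOT/", (("*", "allow"),))
OPS = Account("ops", "DomainAdmin", "/ROOT/acme/", (("*", "allow"),))
BOB = Account("bob", "User", "/ROOT/acme/", (("stopVirtualMachine", "allow"),))
VM_SUBDOMAIN = Resource("alice", "/ROOT/acme/dev/")
VM_ELSEWHERE = Resource("carol", "/ROOT/acme2/")
VM_BOB = Resource("bob", "/ROOT/acme/")
```

With an allow-all role, `OPS` still cannot reach `VM_ELSEWHERE` or call `addHost`: the role grants the API, while the account type withholds the scope.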