You are correct that CloudStack has created essentially three static roles 
today.  The most you can do today is to allow/disallow API commands to each 
role via the commands.properties file.  

It has been something that has been requested many times before, however, most 
production systems that go live on CloudStack typically are fronted by some 
type of "portal."  These portals are the ones that decide permissions for each 
user type.  Essentially, it's the user role that requires a bit more flexibility 
as the other two roles are pretty standard.

I do know that Citrix is working on contributing back some refactoring work on 
the domain and user ACL checklist so you might want to wait for that first.

Will

> -----Original Message-----
> From: Olga Smola [mailto:olya.sm...@gmail.com]
> Sent: Friday, June 15, 2012 1:02 AM
> To: cloudstack-...@incubator.apache.org; cloudstack-us...@incubator.apache.org
> Subject: Construct / change role permissions
> 
> Hi,
> 
> I would like to discuss CloudStack roles capabilities. As far as I
> understand, there are 3 distinct roles and there is no possibility to change
> any role permissions. Sometimes it's not so comfortable for situations when it
> is needed to allow some action from one role to another one. For example, if
> you would like to allow USER a new action "Add account", you can't. Because
> there is no API command for USER. What about new roles?
> Have you got any ideas how to extend the CloudStack mechanism of roles
> creation? It will be more convenient if there is something that allows
> creating custom roles with needed permissions. For example, give basic role
> ADMIN or USER and then create a new role based on it, change permissions
> (remove, add). Something like a Role's constructor.
> Also I would like to know if somebody else needs a similar extension?
> 
> Feel free to write any ideas.
> 
> Thanks a lot,
> Olga
