That could be a bug. As far as I know domain-admins should be limited as well.

Will

> -----Original Message-----
> From: Clayton Weise [mailto:cwe...@iswest.net]
> Sent: Friday, June 15, 2012 9:50 AM
> To: 'cloudstack-...@incubator.apache.org'; 'cloudstack-us...@incubator.apache.org'
> Subject: RE: Construct / change role permissions
>
> With regard to the subject of roles. I've noticed that domain admins do not have limits enforced. So if a domain is limited to 10 snapshots, a domain admin can create 11. And because limits cannot be imposed, as far as we're concerned, this type of user is pretty much useless because we have no way to control what it can do. Is this by design? And if so, why and is there a way it can be changed so that domain admins can have limits enforced?
>
> Thanks,
> Clayton
>
> >-----Original Message-----
> >From: Will Chan [mailto:will.c...@citrix.com]
> >Sent: Friday, June 15, 2012 9:32 AM
> >To: cloudstack-...@incubator.apache.org; cloudstack-users@incubator.apache.org
> >Subject: RE: Construct / change role permissions
> >
> >You are correct that Cloudstack has created essentially three static roles today. The most you can do today is to allow/disallow API commands to each role via the commands.properties file.
> >
> >It has been something that has been requested many times before, however, most production systems that go live on CloudStack typically are fronted by some type of "portal." These portals are the ones that decide permissions for each user type. Essentially, it's the user role that requires a bit more flexibility as the other two roles are pretty standard.
> >
> >I do know that Citrix is working on contributing back some refactoring work on the domain and user ACL checklist so you might want to wait for that first.
> >
> >Will
> >
> >> -----Original Message-----
> >> From: Olga Smola [mailto:olya.sm...@gmail.com]
> >> Sent: Friday, June 15, 2012 1:02 AM
> >> To: cloudstack-...@incubator.apache.org; cloudstack-us...@incubator.apache.org
> >> Subject: Construct / change role permissions
> >>
> >> Hi,
> >>
> >> I would like to discuss CloudStack roles capabilities. As far as I understand, there are 3 distinct roles and there is no possibility to change any role permissions. Sometimes it's not so comfortable for situation when it is needed to allow some action from one role to another one. For example, if you would like to allow USER new action "Add account", you can't. Because there is no API command for USER. What about new roles? Have you got any ideas how to extend the CloudStack mechanism of roles creation? It will be more convenient if there is something that allow to create custom roles with needed permissions. For example, give basic role ADMIN or USER and then create new role based on it, change permissions (remove, add). Something like Role's constructor.
> >> Also I would like to know if somebody else needs similar extension?
> >>
> >> Feel free to write any ideas.
> >>
> >> Thanks a lot,
> >> Olga