Hi there,

In working with RBAC design, I am really puzzled by the two query parameters "listAll" and "recursive" for all BaseListDomainResourceCmd.

    @Parameter(name = ApiConstants.LIST_ALL, type = CommandType.BOOLEAN, description = "If set to false, "
            + "list only resources belonging to the command's caller; if set to true - list resources that the caller is authorized to see. Default value is false")
    private Boolean listAll;

    @Parameter(name = ApiConstants.IS_RECURSIVE, type = CommandType.BOOLEAN, description = "defaults to false,"
            + " but if true, lists all resources from the parent specified by the domainId till leaves.")
    private Boolean recursive;

IMHO, if a caller invokes a list API without passing any specific query parameter, he/she should see all resources that he/she is authorized to see. In CloudStack, we have implicit authorization rules as follows:

1. Root admin should be able to see all the resources under Root domain.
2. Domain admin should be able to see all the resources under its own domain tree.
3. Normal user should only see the resources owned by him.
4. Project account should be able to see resources assigned to that project.

Based on the current AccountManager.buildACLSearchParameters implementation, we are not observing the passed "listAll" and "recursive" values at all; it seems to always treat them as "listAll=true" and "recursive=true". Thus, I am proposing that we change the default value of "listAll" and "recursive" to TRUE instead of the current FALSE. Any objections?

Thanks
-min
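
An added illustration, not part of the original message and not CloudStack code: a small Java model of the two parameter descriptions quoted above combined with implicit rules 1 to 3, printing what each kind of caller would see for every listAll/recursive combination. All class, record and account names and the sample data are hypothetical, rule 4 (projects) is left out, and treating the caller's own domain as the parent when no domainId is passed is an assumption.

```java
import java.util.List;
import java.util.stream.Collectors;

// Hypothetical model for illustration; none of these names are CloudStack classes.
public class ListScopeModel {
    enum Role { ROOT_ADMIN, DOMAIN_ADMIN, USER }
    record Caller(String account, Role role, String domainPath) {}
    record Resource(String name, String owner, String domainPath) {}

    // Literal reading of the two parameter descriptions plus implicit rules 1-3.
    // Assumption: with no domainId passed, the caller's own domain is the parent.
    static List<String> visible(Caller c, boolean listAll, boolean recursive, List<Resource> all) {
        return all.stream().filter(r -> {
            boolean own = r.owner().equals(c.account());
            if (!listAll || c.role() == Role.USER) {
                return own;                                      // listAll=false, or rule 3
            }
            return recursive
                    ? r.domainPath().startsWith(c.domainPath())  // whole subtree (rules 1, 2)
                    : r.domainPath().equals(c.domainPath());     // caller's domain only
        }).map(Resource::name).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data. Paths end in "/" so a prefix match means "in subtree".
        List<Resource> all = List.of(
                new Resource("vm-root", "admin", "/"),
                new Resource("vm-a-admin", "a-admin", "/a/"),
                new Resource("vm-alice", "alice", "/a/"),
                new Resource("vm-bob", "bob", "/a/b/"),
                new Resource("vm-carol", "carol", "/c/"));
        List<Caller> callers = List.of(
                new Caller("admin", Role.ROOT_ADMIN, "/"),
                new Caller("a-admin", Role.DOMAIN_ADMIN, "/a/"),
                new Caller("alice", Role.USER, "/a/"));
        boolean[] flags = {false, true};
        for (Caller c : callers) {
            for (boolean listAll : flags) {
                for (boolean recursive : flags) {
                    System.out.printf("%-8s listAll=%-5b recursive=%-5b -> %s%n",
                            c.account(), listAll, recursive, visible(c, listAll, recursive, all));
                }
            }
        }
    }
}
```

Under this reading, changing both defaults to true leaves a normal user's result unchanged, while a domain admin's parameterless list call grows from their own resources to everything in the domain subtree.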