There was some discussion about a new RBAC framework sometimes back. It should have some provision to address the below use case.
On 08-Oct-2013, at 10:55 PM, Nitin Mehta <nitin.me...@citrix.com> wrote: > Chris - Thanks for putting in the use case. > As you said suggestion 1 fits in fine for your use case. > One clarification though - would you be creating the vms as an admin and > then using assignVirtualMachine to assign the vms to the end user ? > This is preferable for vm usage calculations. > > Thanks, > -Nitin > > On 07/10/13 8:01 PM, "Chris Sciarrino" <chris.sciarr...@gmail.com> wrote: > >> Hi Nitin, >> >> For our use case we would be looking at having a separate "deployment >> portal" which would get the user to provide the necessary information >> for deploying their instance i.e template, ram, cpu etc and would >> create a work order for the administrators to do the deployment. When >> the instance is created, the administrator would assign it to the >> users account in cloudstack so that they can still power on, view the >> console take snapshots etc. >> >> I am trying to prevent regular users from going in and deploying >> instances through cloudstack, these should come in as requests through >> the portal. Only Root admin or domain admin accounts should be able to >> deploy virtual machines. >> >> Let me know if you need any clarification on the use case. >> >> I believe the first suggestion you made will fix the issue. I can set >> the permissions to to root and domain admins which should suffice. >> >> Thanks >> >> Chris >> >> On Mon, Oct 7, 2013 at 1:55 PM, Nitin Mehta <nitin.me...@citrix.com> >> wrote: >>> You can change the deployVirtualMachine Api attributes to ROOT admin >>> only(currently allowed to all). You can change that in >>> commands.properties.in >>> >>> There is something else as well which you can leverage and see if it >>> fits >>> your use case. >>> In current code base, admin can create vm instances using the flag - >>> displayvm=false on behalf of the users. >>> This flag will hide these resources to the end users. The ROOT volume >>> can >>> be made visible through the display volume flag and the end user can >>> create snapshots on them. >>> >>> It would be great to if you can write down your use case and its use. >>> >>> Let me know if any of the solution fits for you. >>> >>> Thanks, >>> -Nitin >>> >>> On 07/10/13 9:37 AM, "Chris Sciarrino" <chris.sciarr...@gmail.com> >>> wrote: >>> >>>> Hi, >>>> >>>> Is it possible to prevent users from deploying their own instances but >>>> still have access to cloudstack for creating snapshots and powering >>>> on/off >>>> etc? Their instances would be assigned from an admin account. I see the >>>> option on the user account for instance limits, but setting that to 0 >>>> prevents me from assigning VMs. Just wondering if there is another way >>>> to >>>> do it on CS 4.2. >>>> >>>> Thanks >>> >
