Hi everyone,

I’d like to raise a question regarding the “Read-Only User” role as described in the CloudStack documentation:
https://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#read-only-user

According to the docs, this role is intended to grant users visibility into resources, without allowing them to modify anything — which is perfectly reasonable in principle. However, in practice, I’ve found the role to be quite unusable in most real-world scenarios. Here’s why:

- A user under an account assigned the “Read-Only User” role can see resources created within that same account — including those created by other users of the same account — but cannot create any resources themselves.
- This limitation means that such users are essentially locked out of any action.
- If all users in the account inherit the read-only role, then no one in the account is able to provision anything — reducing the role to a purely passive viewer state.

This seems contradictory: while the role is meant to allow non-disruptive observation of resources, in practice it’s extremely limited and offers very little real utility unless the account also includes other users with more privileged roles.

To be clear: I understand that CloudStack supports dynamic roles and that custom roles can be defined to fit specific use cases. My point here is that the default “Read-Only User” role, as shipped, seems to have very limited applicability — and I wonder if anyone is actually using it in production.

I’d be very interested in hearing your thoughts. Is there a common use case I might be overlooking? Has anyone adapted this role successfully in practice?

Best regards,
-- Fernando.