Hi everyone,

I’d like to raise a question regarding the “Read-Only User” role as
described in the CloudStack documentation:

https://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#read-only-user

According to the docs, this role is intended to grant users visibility into
resources, without allowing them to modify anything — which is perfectly
reasonable in principle.

However, in practice, I’ve found the role to be quite unusable in most
real-world scenarios. Here’s why:

- A user under an account assigned the “Read-Only User” role can see
resources created within that same account — including those created by
other users of the same account — but cannot create any resources
themselves.
- This limitation means that such users are essentially locked out of any
action.
- If all users in the account inherit the read-only role, then no one in
the account is able to provision anything — reducing the role to a purely
passive viewer state.

This seems contradictory: while the role is meant to allow non-disruptive
observation of resources, in practice it’s extremely limited and offers
very little real utility unless the account also includes other users with
more privileged roles.

To be clear: I understand that CloudStack supports dynamic roles and that
custom roles can be defined to fit specific use cases. My point here is
that the default “Read-Only User” role, as shipped, seems to have very
limited applicability — and I wonder if anyone is actually using it in
production.

I’d be very interested in hearing your thoughts. Is there a common use case
I might be overlooking? Has anyone adapted this role successfully in
practice?

Best regards,

-- 
Fernando.
