Hi,

Thanks for the info, it was very useful. I'm still having two issues:

1. The default group of a new user is the same as the creating user's one. I would like to have new users in the "users" group by default. Is there a way to change this behavior?

2. In Sunstone, the user doing the user management does not see the existing groups even though he ought to. I created an ACL "#<user_id> GROUP/* USE+MANAGE+ADMIN", but still the list of groups I can assign to a user through Sunstone is empty (even the string "Please select" does not appear). On the command line, a "oneuser chgrp" works flawlessly using this account, so I guess it's a bug in Sunstone.

Greetings
Wilma

2014-04-04 10:34 GMT+02:00 Carlos Martín Sánchez <[email protected]>:
> Hi,
>
> Adding to what Rubén said, the acl modification is only allowed for users in
> the oneadmin group.
>
> Make sure you use the reference command-auth tables in the xml-rpc doc [1]
> to create your rules.
>
> For example, oneuser passwd requires USER:MANAGE. The rule "#<user_id>
> USER/* USE+MANAGE+ADMIN" will allow your user to change oneadmin's password.
> In this case, you will want to create a rule targeting each group (excluding
> oneadmin).
>
> Regards
>
> [1]
> http://docs.opennebula.org/4.4/integration/system_interfaces/api.html#authorization-requests-reference
> --
> Carlos Martín, MSc
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | [email protected] | @OpenNebula
>
>
> On Thu, Apr 3, 2014 at 2:19 PM, Ruben S. Montero <[email protected]>
> wrote:
>>
>> Hi
>>
>> Probably, the following may work...
>>
>> oneacl create "#<user_id> USER/* CREATE"
>> oneacl create "#<user_id> USER/* USE+MANAGE+ADMIN"
>>
>> Take a look at the ACL guide for more info:
>>
>> http://docs.opennebula.org/4.4/administration/users_and_groups/manage_acl.html
>>
>> Cheers
>>
>> Ruben
>>
>>
>> On Thu, Apr 3, 2014 at 12:08 PM, Wilma Hermann <[email protected]>
>> wrote:
>>>
>>> Hi,
>>>
>>> Is it possible to assign limited admin rights to certain accounts? I
>>> would like to have a user that is allowed to do all the user
>>> management (creating users, adding users to existing groups, etc.)
>>> without adding this user to the oneadmin-group. In particular, I would
>>> like to deny this user access to all other users' VMs, templates,
>>> images, etc. The user also shouldn't have write-access to the ACLs
>>> (otherwise limits would make no sense obviously).
>>>
>>> Greetings
>>> Wilma
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>> --
>> --
>> Ruben S. Montero, PhD
>> Project co-Lead and Chief Architect
>> OpenNebula - Flexible Enterprise Cloud Made Simple
>> www.OpenNebula.org | [email protected] | @OpenNebula
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>
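
The per-group scoping suggested in the quoted reply above (a rule targeting each group, excluding oneadmin), as an added example that is not part of the original thread: the script prints the oneacl commands for review instead of running them. The two-column group list on stdin, the function names and user id 5 are assumptions, and the USER/@<group_id> resource form follows the ACL guide's rule syntax rather than anything quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not run) oneacl commands
# that delegate user management to one account without touching oneadmin.

# gen_usermgmt_acls MANAGER_ID
# Reads "GROUP_ID GROUP_NAME" lines on stdin (assumed input format, for
# example trimmed by hand from the group listing) and prints one rule per group.
gen_usermgmt_acls() {
    manager_id=$1
    case $manager_id in
        ''|*[!0-9]*) echo "manager id must be numeric" >&2; return 2 ;;
    esac
    # User creation rule exactly as quoted in the thread.
    printf 'oneacl create "#%s USER/* CREATE"\n' "$manager_id"
    while read -r gid gname rest; do
        case $gid in
            ''|*[!0-9]*) continue ;;   # header, blank or malformed line
        esac
        # Never grant rights over members of oneadmin (group ID 0 by default),
        # otherwise the manager could change oneadmin's password.
        if [ "$gid" -eq 0 ] || [ "$gname" = "oneadmin" ]; then
            continue
        fi
        printf 'oneacl create "#%s USER/@%s USE+MANAGE+ADMIN"\n' \
            "$manager_id" "$gid"
    done
}

# Constructed sample group list: ID and NAME columns only.
sample_groups() {
    cat <<'EOF'
ID NAME
0 oneadmin
1 users
100 students
EOF
}

# Manager user id 5 is a placeholder for the delegated account's id.
sample_groups | gen_usermgmt_acls 5
```

The rules have to be created by a member of the oneadmin group, and the script needs re-running whenever a new group is added.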
