On Wed, 12 Dec 2018 15:25:56 -0000 "Brian Wilson" <briwi...@cisco.com> wrote:
> Is there a way to prevent Roles Assigned to Groups on Objects to only apply
> to where it is set?
>
> Basically looking for a way to do what we had done in VMware which involved
> using the do not propagate permission setting.
>
> Seems to me that right now there is no way to set this so if I give access to
> something at the top level of a DC those accesses will override if I then
> explicitly set another role and permission on an object underneath
>
> Let's take as a concrete example the ovirtmgmt network. I do not want users
> in the engine to be able to place VMs on this (but I want the Superusers to
> be able to still) How can I accomplish this with the way roles and
> permissions work with oVirt?
>

The attachment of logical networks to VMs is managed in oVirt by "vNIC Profiles".
The Boolean property "Public" of vNIC Profiles enables simple permission
management to allow or deny the attachment of the logical network to a VM by
Users.

If "Public" is set, all Users are allowed to attach the related logical network
to the VMs they are allowed to manage.
If "Public" is not set, only Users/Administrators with the required permissions
(e.g. "Assign vNIC Profile to VM") are allowed to attach the logical network to
a VM.

If you want to prevent users in the Engine from being able to place VMs on
ovirtmgmt, you have to remove this "Public" permission from the ovirtmgmt
object.

In the web UI, this can be done like this:
In Administration > Configure > Roles
Select the role "VnicProfileUser".
This will show a table of the allowed User-Object pairs.
Select the pair of the user "Everyone" and the "Object" ovirtmgmt and remove
this pair.

This will prevent users attaching their VMs to ovirtmgmt.
Please make sure that there are no additional permissions on ovirtmgmt and/or
its vNic Profile that violate the desired permissions level.

However, if the VM was already created and has an interface attached to
'ovirtmgmt', these attachments have to be removed or replaced manually.

>
> thanks!
> Brian
> _______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-le...@ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
> https://lists.ovirt.org/archives/list/users@ovirt.org/message/PY6ZITVTLFNXFXN7PQ6TO46UMTVOGB23/
_______________________________________________
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/6YZDHOSHHQPIVYYTFFHEW7NPRT2CX45D/
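
The three checks from the reply above (the "Everyone"/"VnicProfileUser" pair, additional permissions on the network or its vNIC profile, and VMs that already have an interface on the profile), run over constructed records. This is an added example, not part of the original thread and not oVirt code; the record shapes (`Grant`, `Nic`), the `audit_profile` helper, the object labels and the group and VM names are assumptions made for illustration.

```python
from dataclasses import dataclass

PUBLIC_PRINCIPAL = "Everyone"      # principal named in the reply
PUBLIC_ROLE = "VnicProfileUser"    # role named in the reply


@dataclass(frozen=True)
class Grant:
    principal: str   # user or group holding the role
    role: str
    obj: str         # object the role is assigned on


@dataclass(frozen=True)
class Nic:
    vm: str
    profile: str     # vNIC profile the interface uses


def audit_profile(profile, network, grants, nics, allowed_principals):
    """Return findings that still let ordinary users reach `profile`."""
    findings = []
    for g in grants:
        # Only grants on the network or its vNIC profile matter here.
        if g.obj not in (profile, network):
            continue
        if g.principal == PUBLIC_PRINCIPAL and g.role == PUBLIC_ROLE:
            findings.append(("public", g.principal, g.obj))
        elif g.principal not in allowed_principals:
            findings.append(("extra-grant", g.principal, g.obj))
    # Removing a grant does not detach interfaces that already exist.
    for n in nics:
        if n.profile == profile:
            findings.append(("existing-nic", n.vm, profile))
    return findings


# Constructed sample data, not exported from a real engine.
GRANTS = [
    Grant("Everyone", "VnicProfileUser", "vnicprofile:ovirtmgmt"),
    Grant("admins", "SuperUser", "network:ovirtmgmt"),
    Grant("dev-team", "VnicProfileUser", "vnicprofile:ovirtmgmt"),
    Grant("Everyone", "VnicProfileUser", "vnicprofile:vm-net-10"),
]
NICS = [Nic("build-vm-01", "vnicprofile:ovirtmgmt"),
        Nic("web-01", "vnicprofile:vm-net-10")]

if __name__ == "__main__":
    for finding in audit_profile("vnicprofile:ovirtmgmt", "network:ovirtmgmt",
                                 GRANTS, NICS, {"admins"}):
        print(finding)
```
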