cloudstack-dev mailing list archives

From Pranav Saxena <>
Subject RE: [Discuss] - Domain admin not having the flexibility to create sub-domains/sub-child domains/accounts
Date Mon, 20 May 2013 04:11:08 GMT
I had raised this concern some time back and I believe this might be taken up for some future
Apache CloudStack release (maybe 4.2 or later). If you are willing to take this up, please
go ahead :).

-----Original Message-----
From: [] 
Sent: Monday, May 20, 2013 8:38 AM
Subject: Re: [Discuss] - Domain admin not having the flexibility to create sub-domains/sub-child

Dear all,

I have recently been trying the functionality of CloudStack 4.0.2, and encountered the exact same

A domain admin has NOT MUCH MORE POWER than a regular user. They cannot create the user accounts
or sub-domain under their domain. Nor can they "manage" such accounts by disabling/deleting/resource
limiting them. A domain admin does have the power of fully-accessing the "resources"
(instances, volumes, security groups, etc.) of the whole domain, and nothing else.

In my understanding, currently a domain admin's privilege is just the UNION of all the USER'S
privileges under the same domain, but without any ADMIN POWER. This is inconsistent with the
documentation, Internet articles, or common sense. And will be a major issue in a real production
Most of the admin jobs still require the power of "root" admin.

I searched JIRA, but only found this related issue: CLOUDSTACK-1915: Domain Administrator's

On Tue, Apr 23, 2013 at 2:05 AM, Alena Prokharchyk <> wrote:

> On 4/22/13 10:47 AM, "Chip Childers" <> wrote:
> >On Mon, Apr 22, 2013 at 11:22:16AM +0000, Pranav Saxena wrote:
> >> Hi,
> >>
> >> Currently only the ROOT-admin has the power to create any
> >>domains/sub-domains/sub-child domains for himself or the domain-admin.
> >>But there are certain situations (like updating resource limit for
> >>a sub-child domain under a domain admin) for which the ROOT-admin
> >>has to create a sub-child domain for a domain admin to allow him to
> >>update the resource limits for that particular sub-child domain.
> >>
> >> With this in mind, why hasn't the domain-admin been given the
> >>privilege of creating sub-child domains himself? Are there any
> >>concerns/threats because of which the current architecture doesn't
> >>serve this purpose?
> >>
> >> Also, a domain-admin cannot create an account on his own using an
> >>API as well (UI can be overlooked for now). He has to go through
> >>the ROOT-admin to have this functionality enabled. So doesn't that
> >>conclude that domain-admin is almost a USELESS guy with *No powers*.
> >>To be able to navigate from step 1 -> step 2, you have to go
> >>through step 3 which seems to be unconvincing at times.
> >>
> >> Could someone explain about why such a functionality is not 
> >>supported in the current architecture ? Please let me know in case I 
> >>am missing something here.
> >>
> >> Thanks,
> >> Pranav
> >
> >This never made much sense to me.
> >
> I remember seeing a feature request for this functionality somewhere 
> on CS Jira, you might try to locate it and check the status/targeted release.