From: Clayton Weise
To: "'cloudstack-dev@incubator.apache.org'", "'cloudstack-users@incubator.apache.org'"
Subject: RE: Construct / change role permissions
Date: Fri, 15 Jun 2012 16:49:39 +0000

With regard to the subject of roles. I've noticed that domain admins do not have limits enforced. So if a domain is limited to 10 snapshots, a domain admin can create 11. And because limits cannot be imposed, as far as we're concerned, this type of user is pretty much useless because we have no way to control what it can do. Is this by design? And if so, why and is there a way it can be changed so that domain admins can have limits enforced?

Thanks,
Clayton

>-----Original Message-----
>From: Will Chan [mailto:will.chan@citrix.com]
>Sent: Friday, June 15, 2012 9:32 AM
>To: cloudstack-dev@incubator.apache.org; cloudstack-users@incubator.apache.org
>Subject: RE: Construct / change role permissions
>
>You are correct that CloudStack has created essentially three static roles today. The most you can do today is to allow/disallow API commands to each role via the commands.properties file.
>
>It has been something that has been requested many times before, however, most production systems that go live on CloudStack typically are fronted by some type of "portal." These portals are the ones that decide permissions for each user type. Essentially, it's the user role that requires a bit more flexibility as the other two roles are pretty standard.
>
>I do know that Citrix is working on contributing back some refactoring work on the domain and user ACL checklist so you might want to wait for that first.
>
>Will
>
>> -----Original Message-----
>> From: Olga Smola [mailto:olya.smola@gmail.com]
>> Sent: Friday, June 15, 2012 1:02 AM
>> To: cloudstack-dev@incubator.apache.org; cloudstack-users@incubator.apache.org
>> Subject: Construct / change role permissions
>>
>> Hi,
>>
>> I would like to discuss CloudStack roles capabilities. As far as I understand, there
>> are 3 distinct roles and there is no possibility to change any role permissions.
>> Sometimes it's not so comfortable for situation when it is needed to allow some
>> action from one role to another one. For example, if you would like to allow
>> USER new action "Add account", you can't. Because there is no API command
>> for USER. What about new roles?
>> Have you got any ideas how to extend the CloudStack mechanism of roles
>> creation? It will be more convenient if there is something that allows creating
>> custom roles with needed permissions. For example, give basic role ADMIN or
>> USER and then create new role based on it, change permissions (remove, add).
>> Something like Role's constructor.
>> Also I would like to know if somebody else needs similar extension?
>>
>> Feel free to write any ideas.
>>
>> Thanks a lot,
>> Olga
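
The per-role allow/disallow in commands.properties mentioned in Will Chan's reply can be audited mechanically. The following is an added example, not part of the thread and not CloudStack's own code; it assumes entries of the form `apiName=handlerClass;mask` with role bits 1 (admin), 2 (resource domain admin), 4 (domain admin) and 8 (user), and the sample file and its class names are constructed.

```python
# Added example: audit a commands.properties-style file for per-role grants.
# Assumption: each entry is "apiName=handlerClass;mask", where mask is a bit
# field over role types. Verify the layout against your own release.
ROLE_BITS = {1: "ADMIN", 2: "RESOURCE_DOMAIN_ADMIN", 4: "DOMAIN_ADMIN", 8: "USER"}

# Constructed sample; the handler class names are placeholders.
SAMPLE = """\
# account commands
createAccount=example.api.CreateAccountCmd;3
createSnapshot=example.api.CreateSnapshotCmd;15
updateResourceLimit = example.api.UpdateResourceLimitCmd;7
brokenEntry=example.api.BrokenCmd
badMask=example.api.BadMaskCmd;abc
"""

def parse_commands(text):
    """Return ({api_name: set(role names)}, [(lineno, raw) for bad lines])."""
    grants, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        name, sep, value = line.partition("=")
        _handler, semi, mask = value.rpartition(";")
        if not sep or not semi or not mask.strip().isdecimal():
            malformed.append((lineno, raw))  # never guess at a missing mask
            continue
        bits = int(mask)
        grants[name.strip()] = {r for b, r in ROLE_BITS.items() if bits & b}
    return grants, malformed

def callable_by(grants, role):
    """API names the given role type is allowed to call, sorted."""
    return sorted(api for api, roles in grants.items() if role in roles)

def diff_role(grants, role, expected):
    """Compare a role's grants with an allow-list: (unexpected, missing)."""
    actual = set(callable_by(grants, role))
    return sorted(actual - set(expected)), sorted(set(expected) - actual)

if __name__ == "__main__":
    grants, bad = parse_commands(SAMPLE)
    print("USER may call:", callable_by(grants, "USER"))
    print("DOMAIN_ADMIN drift:", diff_role(grants, "DOMAIN_ADMIN", ["createSnapshot"]))
    print("malformed lines:", bad)
```

This only reports which role types may call a command; it says nothing about whether resource limits are enforced for a role once the call is allowed, which is the separate question Clayton raises.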