Description of problem:
On a newly installed rhev-m, I added a new domain, and granted access to two users, first as a SuperUser and the second as a PowerUserRole.
Then I created a new pool and noticed that both users have inherited permissions on this pool. Also admin@internal (SuperUser and PowerUserRole) had inherited permissions on it as well.
Version-Release number of selected component (if applicable): 3.4
Steps to Reproduce:
1. Add a domain
2. Create Pool
3. Add a domain user with PowerUserRole
4. The permissions show as inherited in the Pool details
5. The user doesn't see the pool in the Userportal unless he is explicitly granted that permission on this pool
Upon logging in to the userportal with any of the four users (I tested them all), I don't see the pool anywhere.
If the user role doesn't have permissions on Pools, then it shouldn't show that he has inherited permissions on this pool.
Granting the permission to each user explicitly to the pool fixes it. But it's misleading to see that a user (the PowerUserRole in this case) does have inherited permissions to the pool while in fact he doesn't in the user portal.
I am trying to widely test this misleading inherited permission on different objects and will report anything weird.
michal - is this a bug? iirc, power user role is to create objects (then get permissions on them), not to see existing objects?
(and admin role is not relevant to user portal, which only shows objects based on user role permissions)?
as per documentation you're right
But IMHO it's really not obvious enough. The term "PowerUserRole" is quite misleading in this respect
not sure what to do with it, though :/
bug 1147960 has the same issue with powerUserRole not seeing templates
still want to consider this "soon"
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.
Moving from 4.0 alpha to 4.0 beta since 4.0 alpha has been already released and bug is not ON_QA.
oVirt 4.0 beta has been released, moving to RC milestone.
The description of the "PowerUserRole" says:
"User Role, allowed to create VMs, Templates and Disks"
The role behaves as documented (e.g. it gives you permissions to create, not to read existing VMs), and the description seems clear to me.
I think this could be closed as "not a bug" - feel free to reopen if something should be done here.