Description of problem: When an AD group is assigned superuser access to a cluster, users in that group are not given access to the VMs in that cluster Version-Release number of selected component (if applicable): rhevm-3.5.7-0.1 How reproducible: very Steps to Reproduce: 1. Assign a group 'superuser' role on a cluster 2. log in as member of that group 3. attempt to access VM in that cluster Actual results: User not given access to that VM Expected results: User should have access to the VM as per the cluster settings
Can you elaborate what do you mean by access to VM?
@Arik, any thoughts?
(In reply to Tomas Jelinek from comment #3) > @Arik, any thoughts? It seems that by design admin roles are not inherited from clusters to VMs. Therefore it is definitely not something for a z-stream. Allan, could you please elaborate on the implication on the user? is something missing in the UI? are there specific operations the user cannot do because of this?
since it is by design pushing out of 3.6.6. Setting to 4.0 in case we will get to some enhancement we want to implement.
oVirt 4.0 Alpha has been released, moving to oVirt 4.0 Beta target.
this works as per design. We need to review the design
is there any input/feedback from infra about how roles work?
As explained by infra in comment 21: There is a difference if you use the user level api or admin level (e.g. the UI user portal vs webadmin; in REST Filter: true vs false header). If you use the user level API, you need to assign user roles (in this case UserVmManager, not superuser). This is by design, closing as not a bug. If this is a big issue or someone has a good use case to change it, please reopen as RFE.