Description of problem:
User cannot create VMs with "ACTION_TYPE_NO_PERMISSION_TO_ASSIGN_CPU_PROFILE,$cpuProfileId,$cpuProfileName"

User who belongs to an IPA group with SuperUser role, set in Clusters -> CPU Profile, does not inherit CpuProfileCreator rights and we need to specify user manually. Adding the "CpuProfileCreator" role for the IPA group doesn't make any difference.

Initially, thought this was related to BZ 1143869 but does not seem to be the same, customer upgraded to 3.6.7 and same error happens.

Version-Release number of selected component (if applicable):
RHEV-M 3.6.7 (rhevm-3.6.7.5-0.1.el6.noarch)

How reproducible:
100% in customer's environment

Steps to Reproduce:
1. Add an IPA group with SuperUser role into the right frame in Clusters -> choose cluster -> cpu profiles subtab -> cpu profile
2. Try to create a VM, in this case, from a Template, with a user who belongs to that IPA group

Actual results:
Will fail with following message in engine.log

2016-07-14 21:30:07,935 WARN [org.ovirt.engine.core.bll.AddVmFromTemplateCommand] (ajp-/127.0.0.1:8702-7) [] CanDoAction of action 'AddVmFromTemplate' failed for user <user>@<domain>. Reasons: VAR__ACTION__ADD,VAR__TYPE__VM,ACTION_TYPE_NO_PERMISSION_TO_ASSIGN_CPU_PROFILE,$cpuProfileId 40868150-e4b1-49db-8b42-535ef3da8480,$cpuProfileName <CL-NAME>

Expected results:
It should let user from IPA group, with SuperUser role, to create VMs. User who belongs to a SuperUser IPA group role, should not need specific 'CpuProfileCreator' permissions since it should inherit them from SuperUser role from the IPA group.

Additional info:
As a workaround, add the user, not the group, with role "CpuProfileCreator" in Clusters -> CPU Profile.
This is not related to the fact that the role is assigned to a group fetched from IPA. So moving to the SLA team, which is the owner of the CPU Profiles feature.
Most probably a dup of bug 1369046. Andrej, please confirm?
It is. CpuProfiles does not check group permissions.
*** This bug has been marked as a duplicate of bug 1369046 ***