Description of problem: When setting up permissions for a group of users that should manage/offer support on VMs running on RHV but must NOT be admin of the whole infra, it is not possible to define permissions that apply to all VMs and Storage Domains except the Hosted-Engine one. A typical 1st level support team should perform just the following operations:
• Login to the Administration portal
• Creating, editing and removing vNICs for all VMs (SHE excluded)
• Full "BASIC OPERATION" (start, poweroff, suspend, reboot etc.) for all VMs (SHE excluded)
• Editing properties (hot plug/unplug vCPU, RAM etc.) for all VMs (SHE excluded)
• Creating, adding, attaching, detaching, removing, deleting and editing properties (size, alias, description etc.) of vDISKS for all VMs (SHE excluded, so also the master_hosted_engine storage domain)
So they should absolutely not be able to manage the SHE VM and its master_hosted_engine storage domain (only Superuser must be able to). This is not currently possible, because if the permissions are given at system level, they apply to ALL objects, including SHE and its SD. That granularity level can be reached by setting the permissions VM per VM, but from an operations PoV this is not a viable option. The request here is to make SHE a special object with dedicated permissions, or to exclude SHE and its SD by default when declaring permissions at system level.
Version-Release number of selected component (if applicable): RHV 4.1.x
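The description above states the core constraint: a system-level grant reaches every object, so the only way to keep a support group away from the hosted engine is to grant per object and skip the SHE VM and its storage domain. The following is an added illustration, not code from the bug report or from oVirt/RHV itself. It plans per-object grants over a constructed inventory and then audits a grant list for anything that touches a hosted-engine object or is scoped at system level. The role names (UserVmManager, DiskCreator), the VM "origin" marker and the default object names HostedEngine / hosted_storage are assumptions used for illustration; in a real deployment the inventory would come from the engine API and the grants would be applied through it.

```python
"""Plan and audit per-object RHV permission grants for a 1st level support group.

Added example: the inventory, role names and identifying markers below are
constructed assumptions; only the rule "never let the grants reach the hosted
engine VM or its storage domain" comes from the bug description.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumptions: default names used by a self-hosted engine deployment.
HOSTED_ENGINE_VM_NAMES = {"HostedEngine"}
HOSTED_ENGINE_SD_NAMES = {"hosted_storage"}

# Assumption: roles a support team would get on every ordinary VM / storage domain.
SUPPORT_ROLES = {"vm": ["UserVmManager"], "storage_domain": ["DiskCreator"]}


@dataclass(frozen=True)
class Obj:
    kind: str                     # "vm" or "storage_domain"
    name: str
    origin: str = ""              # assumption: "managed_hosted_engine" marks the SHE VM
    hosted_engine: bool = False   # assumption: flag set on the SHE storage domain


@dataclass(frozen=True)
class Grant:
    group: str
    role: str
    kind: str                     # "vm", "storage_domain" or "system"
    target: str                   # object name, or "" for a system-level grant


def is_hosted_engine_object(o: Obj) -> bool:
    """True for the SHE VM or its storage domain, by marker or by well-known name."""
    if o.kind == "vm":
        return o.origin == "managed_hosted_engine" or o.name in HOSTED_ENGINE_VM_NAMES
    if o.kind == "storage_domain":
        return o.hosted_engine or o.name in HOSTED_ENGINE_SD_NAMES
    return False


def plan_grants(group: str, inventory: Iterable[Obj]) -> List[Grant]:
    """Per-object grants for `group` on everything except hosted-engine objects.

    This is the VM-per-VM workaround the report calls operationally unviable;
    expressed as code it at least becomes repeatable and reviewable.
    """
    grants: List[Grant] = []
    for o in inventory:
        if is_hosted_engine_object(o):
            continue
        for role in SUPPORT_ROLES.get(o.kind, []):
            grants.append(Grant(group, role, o.kind, o.name))
    return grants


def audit_grants(grants: Iterable[Grant], inventory: Iterable[Obj]) -> List[Grant]:
    """Return grants that violate the policy: any system-level grant (it reaches
    ALL objects, SHE included) and any grant aimed directly at a SHE object."""
    she = {(o.kind, o.name) for o in inventory if is_hosted_engine_object(o)}
    return [g for g in grants if g.kind == "system" or (g.kind, g.target) in she]


# Constructed sample inventory: two ordinary VMs, the SHE VM, one data domain,
# and the hosted-engine storage domain.
SAMPLE_INVENTORY = [
    Obj("vm", "web01"),
    Obj("vm", "db01"),
    Obj("vm", "HostedEngine", origin="managed_hosted_engine"),
    Obj("storage_domain", "data01"),
    Obj("storage_domain", "hosted_storage", hosted_engine=True),
]


if __name__ == "__main__":
    planned = plan_grants("l1-support", SAMPLE_INVENTORY)
    for g in planned:
        print(f"grant {g.role} on {g.kind}/{g.target} to {g.group}")
    print("violations in plan:", audit_grants(planned, SAMPLE_INVENTORY))
    # The system-level shortcut the report describes is exactly what the audit flags.
    shortcut = [Grant("l1-support", "UserVmManager", "system", "")]
    print("violations in system-level grant:", audit_grants(shortcut, SAMPLE_INVENTORY))
```

The audit is the piece worth keeping around: run it against whatever the engine reports as current permissions, and any system-level entry or any entry on the SHE objects for a non-Superuser group is a finding.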
We have not yet released 4.1.9. Which version is it?
We are still evaluating possible technical solutions to this issue. When done we will target the bug to relevant release.
Hello Martin, nearly 1 year later, what is the plan?
Removing devel_ack+, we are still discussing how this could be achieved
Verified on ovirt-engine-4.3.1.1-0.1.el7.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:1085