Bug 2011768 - Add an option to show only direct permissions (filter inherited permissions)
Summary: Add an option to show only direct permissions (filter inherited permissions)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Frontend.WebAdmin
Version: 4.4.8.6
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ovirt-4.5.0
: 4.5.0
Assignee: Eli Mesika
QA Contact: Tadeas Kozub
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-10-07 10:28 UTC by nicolas
Modified: 2022-04-20 06:33 UTC

Fixed In Version: ovirt-engine-4.5.0
Doc Type: Enhancement
Doc Text:
Feature: Enable filtering of indirect permissions on an object.
Reason: The list of inherited permissions may be large, and it is not easy to get only direct permissions.
Result: Adding "ALL" and "Direct" buttons that control the permission list.
Clone Of:
Environment:
Last Closed: 2022-04-20 06:33:59 UTC
oVirt Team: Infra
Embargoed:
mperina: ovirt-4.5+
gdeolive: testing_ack+


Attachments
inherited list shouldn't be shown (220.99 KB, image/png)
2021-10-07 10:28 UTC, nicolas


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHV-43769 0 None None None 2021-10-07 10:30:37 UTC
oVirt gerrit 118194 0 master MERGED webadmin: Allow to filter inherited permissions 2022-01-19 08:47:41 UTC

Description nicolas 2021-10-07 10:28:43 UTC
Created attachment 1830326 [details]
inherited list shouldn't be shown

Description of problem:

We have 2 types of (non-admin) users.

One of them is allowed to create their own machines. Thus, VmCreator and DiskProfileUser permissions are granted on the Data Center.

The other ones have specific permissions on ad-hoc VMs. So we create a machine and we grant them the UserRole permission on that VM.

Sometimes, we have problems determining which actual permissions a VM has. We go to the Permissions tab on a VM, and we see stuff like in the snapshot attached to this BZ. Taking into consideration that we have hundreds of users (sometimes near 1k), it's misleading to see the "inherited" permissions on the VM object, as these are not real permissions on the VM and these users don't actually have any permission on the VM.

We can order the list regarding the "inherited" column, but I think it would be cleaner not showing the "inherited" values as they are misleading and useless actually.

Version-Release number of selected component (if applicable):

4.4.8.6

Steps to Reproduce:
1. Grant VmCreator and DiskProfileUser permissions for a user on the Data Center.
2. Create a VM and grant the UserRole permission on the VM to a different user.

Actual results:

When you open the VM's permissions tab, you see the inherited permissions list as well, even when the first user doesn't have any permission on the VM.

Expected results:

Real permissions should be shown only.

Additional info:

Snapshot added.

Comment 1 RHEL Program Management 2021-10-07 11:17:26 UTC
The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.

Comment 2 Eli Mesika 2021-11-16 11:49:33 UTC
Actually, I don't understand this issue; it seems that it is working as expected.

Let's assume we have a DataCenter d1 and inside it Cluster c1 and host h1 that runs a vm1 VM.

Now we have 2 users :

 User u1 with VmCreator and DiskProfileUser permissions on the DataCenter d1
 user u2 with specific ad-hoc permissions on vm1 

Now, if you open vm1 permissions you see user u1 that has direct permissions on vm1 and user u2 that inherits permissions on vm1 from his DiskProfileUser permissions on DataCenter d1

If there are many users and you want to see only direct ad-hoc permissions, I think the way is to add a "Hide Inherited Permissions" option, and then this is an RFE, not a bug.

Comment 3 nicolas 2021-11-16 12:51:06 UTC
I actually opened this BZ because I don't see the point of viewing a list of inherited permissions, those being users that don't actually have a 'real' permission on the VM. Also, I agree with you that this rather should be an RFE, as it's not actually a malfunction.

If you determine the inherited list should be kept, it's ok for us to have a "Hide Inherited Permissions" button.

Comment 5 Martin Perina 2021-11-24 13:04:00 UTC
Let's add a check box "Hide inherited permission" to show only direct permissions for an entity. This will be a UI-only change; in the RESTAPI all permissions will still be returned, but users can use the same filtering of the results:

1. An empty value in the Inherited permission column means a direct permission
2. A non-empty value in the Inherited permission column means a permission inherited from a parent entity

Comment 6 Sharon Gratch 2021-12-26 15:00:10 UTC
+1 for adding the "Hide inherited permission" checkbox instead of totally removing them from the permissions list.

As mentioned above, viewing the list of inherited permissions is not always redundant and does reflect a real permissions assignment for users since permissions are inherited.

Examples:
1. ('User1', 'cluster1', 'UserRole') means that User1 has UserRole on the cluster1 cluster and on all objects in it (VMs, Hosts…).
That means that if User1 will log in to the VM portal, he can view and run all VMs from that cluster1.
If the UserRole permission is granted on a specific VM, only that VM can be viewed via the VM portal.

2. ('User1', 'Data center 1', 'DiskProfileUser') means that User1 can edit/create disks for all VMs within that Data center1 (via UI or API).
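
An added example, not part of the bug thread or of the oVirt code base: a small Python model of the Inherited-column rule from Comment 5, applied to the d1/c1/vm1 layout from Comment 2 with grants written in the tuple form used in Comment 6. The hierarchy table, the extra user u3 and all function names are constructed for illustration.

```python
from typing import NamedTuple, Optional

# Constructed hierarchy (child -> parent), names taken from Comment 2.
PARENT = {"vm1": "c1", "h1": "c1", "c1": "d1", "d1": None}

# Constructed grants in the (user, object, role) form of Comment 6.
GRANTS = [
    ("u1", "d1", "VmCreator"),
    ("u1", "d1", "DiskProfileUser"),
    ("u2", "vm1", "UserRole"),
    ("u3", "c1", "UserRole"),   # u3 is an assumption added for the example
]

class Row(NamedTuple):
    user: str
    role: str
    inherited_from: Optional[str]  # None = empty Inherited column = direct

def permissions_on(obj, grants=GRANTS, parent=PARENT):
    """Rows for obj in the "All" view: direct grants plus grants on ancestors."""
    if obj not in parent:
        raise KeyError(f"unknown object: {obj}")
    rows, node, seen = [], obj, set()
    while node is not None:
        if node in seen:                      # guard against a malformed tree
            raise ValueError(f"cycle in hierarchy at {node}")
        seen.add(node)
        source = None if node == obj else node
        rows += [Row(u, r, source) for (u, o, r) in grants if o == node]
        node = parent[node]
    return rows

def direct_only(rows):
    """The "Direct" view: keep rows whose Inherited column is empty."""
    return [r for r in rows if r.inherited_from is None]

def users_with_access(rows):
    """Everyone who can act on the object, whether directly or by inheritance."""
    return sorted({r.user for r in rows})

if __name__ == "__main__":
    all_rows = permissions_on("vm1")
    for r in all_rows:
        print(f"{r.user:4} {r.role:16} {r.inherited_from or ''}")
    print("direct:", direct_only(all_rows))
    print("effective users:", users_with_access(all_rows))
```

The "Direct" view answers which grants were placed on the VM itself, while the full list is still the one to read when reviewing who can actually reach it.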

Comment 7 RHEL Program Management 2022-01-05 10:54:09 UTC
The documentation text flag should only be set after 'doc text' field is provided. Please provide the documentation text and set the flag to '?' again.

Comment 9 Eli Mesika 2022-01-06 09:30:53 UTC
Added two buttons to the permissions list control:

All - Display all permissions
Direct - Show only direct permissions

See [ Screenshot of new "All" and "Direct" buttons to filter permissions ] screenshot attachment

Comment 10 Tadeas Kozub 2022-03-23 13:21:48 UTC
Verified on Software Version: 4.5.0.1-601.f26e9ea8cac5.3.el8ev

The Direct button properly filters out the users that have only inherited roles. All shows all permissions as before.

Comment 11 Sandro Bonazzola 2022-04-20 06:33:59 UTC
This bugzilla is included in oVirt 4.5.0 release, published on April 20th 2022.

Since the problem described in this bug report should be resolved in oVirt 4.5.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

