Hide Forgot
Created attachment 566228 [details] zone_Admin_revoked Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Created a user with role "Zone Administrator" 2. Zone Admin can see and create/edit/delete all clouds (Note :other zone roles can't) 3. revoked zone admin role , now user can still see all clouds but default 4. Even edit and delete them . Actual results: Expected results: Revoking role should behave exactly behave like when user was not assigned that role. Additional info: rpm -qa|grep aeolus aeolus-conductor-0.8.0-36.el6.noarch rubygem-aeolus-cli-0.3.0-10.el6.noarch aeolus-conductor-daemons-0.8.0-36.el6.noarch aeolus-configure-2.5.0-15.el6.noarch rubygem-aeolus-image-0.3.0-10.el6.noarch aeolus-all-0.8.0-36.el6.noarch aeolus-conductor-doc-0.8.0-36.el6.noarch
Make sure that the admin in question didn't create those zones he can see. The 'zone admin' is a global role (soon to be renamed 'Global Zone Administrator'). In addition, any time a user creates something, that user becomes a resource-level owner/admin for the owned resources. Revoking global admin does nothing for locally-controlled resources. It's like taking the master key from the facilities manager but leaving the manager with the office key to his private office. So if the revoked zone admin can access zones he created but is prevented from accessing zones others create then this isn't a bug.
please try So if the revoked zone admin can access zones he created but is prevented from accessing zones others create then this isn't a bug.
Yes checked , User is able to see self -created clouds only and not those by admin . Not a bug rpm -qa|grep aeolus aeolus-conductor-doc-0.8.0-41.el6.noarch rubygem-aeolus-cli-0.3.0-13.el6.noarch aeolus-all-0.8.0-41.el6.noarch aeolus-conductor-0.8.0-41.el6.noarch rubygem-aeolus-image-0.3.0-12.el6.noarch aeolus-configure-2.5.0-18.el6.noarch aeolus-conductor-daemons-0.8.0-41.el6.noarch