Description of problem:
Today, when creating an external disk, backend requires CREATE_DISK permissions on storage domain with empty guid --> which maps to the blank template. The correct requirement should be CREATE_DISK permissions on the System object (like for creating new storage domains).

How reproducible:
Always

Steps to Reproduce:
1. Give user XXX DCAdmin on some DC.
2. Try creating an external disk --> fails the permissions check
3. Give user XXX DiskCreator permissions on the blank template
4. Try creating an external disk --> Succeeds

Actual results:
"2" fails and "4" succeeds.

Expected results:
Both "2" and "4" should fail. One should have CREATE_DISK on the system object in order to create an external disk. So once you give XXX StorageAdmin permissions on the system level, you'll be able to create an external disk.
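
The permission check described in the report above, replayed in a simplified model that is added here and is not oVirt engine code. The ids other than the all-zero one, the parent links and the role-to-action mapping are assumptions; the role names, CREATE_DISK and the reproduce steps come from the report.

```python
from uuid import UUID

# Constructed ids for this model; only the all-zero id comes from the report.
EMPTY_GUID = UUID(int=0)  # blank template's id, also "no storage domain"
SYSTEM = UUID(int=1)      # stand-in for the System object
DC = UUID(int=2)          # stand-in for "some DC"

# child -> parent; a grant on an ancestor covers its descendants (assumed).
PARENT = {EMPTY_GUID: SYSTEM, DC: SYSTEM, SYSTEM: None}

# Assumption: all three roles named in the report carry CREATE_DISK.
ROLE_ACTIONS = {r: {"CREATE_DISK"} for r in ("DCAdmin", "DiskCreator", "StorageAdmin")}


def has_permission(grants, user, action, object_id):
    """True if user holds a role with `action` on object_id or an ancestor."""
    node = object_id
    while node is not None:
        for g_user, role, g_object in grants:
            if g_user == user and g_object == node and action in ROLE_ACTIONS[role]:
                return True
        node = PARENT[node]
    return False


def can_create_external_disk_before(grants, user):
    # An external disk has no storage domain, so the checked id is empty,
    # and a lookup by id alone lands on the blank template.
    return has_permission(grants, user, "CREATE_DISK", EMPTY_GUID)


def can_create_external_disk_after(grants, user):
    # Expected behaviour from the report: require CREATE_DISK on System.
    return has_permission(grants, user, "CREATE_DISK", SYSTEM)


def run_report_steps():
    """Replay steps 2 and 4, then the StorageAdmin-on-System case."""
    step2 = [("XXX", "DCAdmin", DC)]
    step4 = step2 + [("XXX", "DiskCreator", EMPTY_GUID)]
    system_grant = [("XXX", "StorageAdmin", SYSTEM)]
    cases = (step2, step4, system_grant)
    return {
        "before": [can_create_external_disk_before(g, "XXX") for g in cases],
        "after": [can_create_external_disk_after(g, "XXX") for g in cases],
    }
```

In the "before" check the grant on the blank template is what lets step 4 through; in the "after" check only a grant at the System level does.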
Posted to gerrit: http://gerrit.ovirt.org/#/c/7893/
Commit: 3e0afffece27875d9605fd6990e164995d2e029a http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=3e0afffece27875d9605fd6990e164995d2e029a
Merged If0044f46fb6fb319a64b4df4192180dcb98cbc41
Verified on si18: user fails with both permissions.