Description of problem:
When calculating the entities a user can view in the user API/portal, we do not take into consideration what type of permission is given on the entity. For example, if I want to give a user permission to use all the templates in the data center, I'll give him permission to consumeTemplate on the data center; the impact today is that the user API can view ALL the VMs in the data center. This is just an example; there are many other examples.
Proposed solution:
We are missing some kind of containers in a DC. If I want to give permission on the templates in the data center, or if I want to give permissions on the networks in the data center, it should be given on containers which live in the DC: Networks, Storage-Domains, Templates etc.
Another option is to classify Action-Groups to entities and use it in the user view calculation.
Maybe a more clear explanation: today, when we give permission on an entity like a data center, the user gets the permission on all the entities in the data center hierarchy. For example:
- I gave a user permission to use the templates in the data center; now he can see all VMs in the DC.
- I gave a user permission to use the networks in the data center; now he can see all VMs in the DC.
This is definitely a bug. I'm not sure that container is the right term; I would say let's have differentiation between the place in the hierarchy and the actual objects:
- all VMs in Cluster A
- all templates in DC DC1
- all networks in cluster A
etc.
After consulting with Oved, it sounds to us more of a "sub feature" at permissions, which is not that trivial to implement in the given timeframe for 3.2. I suggest handling it in a future version.
Can you please provide the role names that you assigned to the users?
(In reply to Piotr Kliczewski from comment #6)
> Can you please provide the role names that you assigned to the users?
Piotr,
This bug is about the concept, not a specific case. Please see comment 1 for more details. You can also talk to Oved, who is also familiar with the issue.
The general problem, as described in earlier comments, is that the permission hierarchy is not sensitive to entity type. When I give permission on a DC, it propagates to all the entities in the DC instead of, for example, all the templates in the DC or all the VMs in the DC.
*** Bug 910846 has been marked as a duplicate of this bug. ***
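The propagation problem discussed in this thread, as an added toy model that is not part of any comment and is not oVirt engine code. It contrasts the untyped view calculation with the "classify Action-Groups to entities" option; the hierarchy, the function names and every action group other than consumeTemplate are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    name: str
    kind: str                      # "dc", "cluster", "vm", "template", "network"
    children: list = field(default_factory=list)

    def descendants(self):
        for child in self.children:
            yield child
            yield from child.descendants()

# Assumed classification of action groups to entity types. "consumeTemplate"
# is named in the report; "useNetwork" and "useVm" are hypothetical.
ACTION_GROUP_KINDS = {
    "consumeTemplate": {"template"},
    "useNetwork": {"network"},
    "useVm": {"vm"},
}

def visible_untyped(grants):
    """Behaviour described in the report: any permission on an entity
    makes everything below it in the hierarchy visible."""
    seen = set()
    for entity, _action_group in grants:
        seen.add(entity.name)
        seen.update(d.name for d in entity.descendants())
    return seen

def visible_typed(grants):
    """Type-aware variant: a grant only reaches entities of the type its
    action group is classified for. Unclassified groups reach nothing
    (a fail-closed choice made for this sketch)."""
    seen = set()
    for entity, action_group in grants:
        kinds = ACTION_GROUP_KINDS.get(action_group, set())
        if entity.kind in kinds:
            seen.add(entity.name)
        seen.update(d.name for d in entity.descendants() if d.kind in kinds)
    return seen

def build_dc():
    """Constructed sample hierarchy: one DC, one cluster, VMs, templates."""
    cluster = Entity("ClusterA", "cluster", [
        Entity("vm1", "vm"), Entity("vm2", "vm"), Entity("net1", "network")])
    return Entity("DC1", "dc", [
        cluster, Entity("tmpl1", "template"), Entity("tmpl2", "template")])
```

With a single consumeTemplate grant on DC1, the untyped calculation exposes vm1, vm2 and net1 as well, while the typed one returns only the two templates.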