Decouple RBAC for VMs and Templates


#1

I have a use case where I want to restrict the user to see only the VMs/Services that he owns, but to be able to provision using any template that belongs to the group.

I can achieve the first objective by setting Configure->Configuration->Access Control, and setting the appropriate role’s “VM & Template Access Restriction” field to “Only User Owned”.

However, by setting this option, all images will become invisible to him because he doesn’t own any of them. These images may be group-owned, but they are still complying with the “Only User Owned” restriction I set earlier.

Is there any way I can achieve what I want?


#2

@georgegoh The way we accomplished this was to tag the templates and set the group filter under access control to allow them to see anything with that tag. We use Provisioning Scope: All, but any tag that makes sense should work.

FYI: If you use the filters, there is (was?) an issue where you had to set restrictions on all three sections for them to apply.