How do I enable "My Services" for non EvmGroup-super_administrator role/group users?


#1

Hi

For gapri-1, I was able to bind to AD, and a user from AD can log in to see the service catalog and submit a request. But after an OpenStack VM was submitted via the shopping cart and got created, I can’t see the instance showing up under “My Services”.

  • As user from AD

  • As admin user, I can see the instances/services

  • These are the product features I enabled for the common role, end-users

Thanks for any pointers on what I missed.


#2

Permissions for my self-service user are as follows. Appears to be a slight difference between both of ours. Believe I copied mine directly from the default self-service role.
I also have to tag new services and VMs for them to appear to users, otherwise only admins can see them, though you may not have to do this depending on how you’ve configured things I believe.


#3

Hi @enosullivan. Thanks for the response.
I tried two things; neither had “My Services” showing up in ui/service for a regular user.

  • Set the Product features like yours for the myEmployee role.

  • Copy the EvmRole-super_administrator to My-EvmRole-super_administrator (which has all features enabled) and assign the My-EvmRole-super_administrator role to the myEmployee group. The weird thing is that even with the EvmRole-super_administrator features all turned on, I still can’t see “My Services” items showing up.

  • ui/services doesn’t show “My Services” even though I had 4 orders placed successfully. Lifecycle, Policy and Configuration are all grayed out.

  • Can you explain more about the following:
“I also have to tag new services and VMs for them to appear to users, otherwise only admins can see them,”

How do you tag new services (catalog?) and VMs?

  • Is there a doc on the subject of Groups and Roles arrangement?

#4

I have a tag applied to the group the user is in, and the same tag applied to the service and any VMs contained within the service.



I don’t have this automated yet, but I assume the idea would be that you look at the tags a user has when provisioning, and assign the same tags to the service/VM.

May also need to set the “Access Restrictions” field in the role to “None”.

Hopefully that helps your issue a bit. I’m not sure if this is the optimal way of managing control and access in ManageIQ, but it’s how I am doing it currently.
Would also be interested in knowing if there was some best practices document on it.
This does go through it a bit though: https://cloudformsblog.redhat.com/2016/10/13/using-tags-for-access-control/.
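
The tag matching described in post #4, as an added example that is not part of the thread and is not ManageIQ code: a stand-alone Ruby model that reports which parts of an order a tagged group cannot see and which of the group's tags would have to be copied onto them. The matching rule (any value within a category, every category required, an untagged group unfiltered) is an assumption of this model, and all tag, service and VM names are constructed.

```ruby
require 'set'

# Simplified model of tag-based visibility; not ManageIQ code. Tags are
# "category/value" strings and every name and value below is constructed.

# Index tags by category, e.g. {"department" => Set["engineering"]}.
def by_category(tags)
  tags.each_with_object(Hash.new { |h, k| h[k] = Set.new }) do |tag, acc|
    category, value = tag.split('/', 2)
    acc[category] << value
  end
end

# Assumed rule: for every category the group is tagged with, the resource
# must carry at least one of the group's values in that category.
# A group with no tags is treated as unfiltered.
def visible?(group_tags, resource_tags)
  have = by_category(resource_tags)
  by_category(group_tags).all? do |category, wanted|
    have.key?(category) && have[category].intersect?(wanted)
  end
end

# Group tags to copy onto a resource so that it matches the group.
def tags_to_assign(group_tags, resource_tags)
  have = by_category(resource_tags)
  by_category(group_tags).flat_map do |category, wanted|
    next [] if have.key?(category) && have[category].intersect?(wanted)
    wanted.map { |value| "#{category}/#{value}" }
  end
end

# Map each resource the group cannot see to the tags it is missing.
def audit(group_tags, resources)
  resources.each_with_object({}) do |(name, tags), report|
    report[name] = tags_to_assign(group_tags, tags) unless visible?(group_tags, tags)
  end
end

# Constructed sample: one group, one ordered service and its two VMs.
GROUP_TAGS = ['department/engineering', 'environment/dev', 'environment/test'].freeze
ORDER = {
  'service:openstack-small' => [],
  'vm:instance-01' => ['department/engineering'],
  'vm:instance-02' => ['department/engineering', 'environment/dev']
}.freeze

audit(GROUP_TAGS, ORDER).each { |name, tags| puts "#{name}: add #{tags.join(', ')}" }
```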