Tenant Access Control Issues


#1

Ok, so we have the latest ManageIQ out of the box with a vCenter as the sole provider. The plan was to then carve things up using Tenants, so they can solely see their own VMs etc.

Created a Child Tenant/Group and User for “Client” and assigned their group as their VMs’ owner. Logged in as said tenant and can only see their VMs. Great!

However on playing further, seems there are a few problems with the permissions:

  1. That client can then no longer see any templates (tried setting these to “no group” as owner).
    Similar to this post, but I am already on v2: [SOLVED] Users from a group asigned to a Project/Tenant other than parent tenant can’t see vm/templates. Which makes sense, but there is no way of, say, creating a Public group and assigning that client’s group to also be a member as well as the Project/Tenant.

  2. If their Role has “Resource Pools/Datastores” checked, they can see all resources, not just their own (tried limiting the group to their datastores under group settings/host & clusters, but the tick boxes on their resource groups never seem to save/stay ticked?). Not the end of the world, can just hide them from the user, but something to consider.

  3. As per above, if the role also has the “Access Control” section checked, they can create/edit all users, not just those that belong to that Tenant.

  4. The custom logo disappears for Tenants if I enable that permission. I can see it is still there and ticked to be used, but on Tenant logons it no longer shows.

I believe the Tenant feature is quite new, so all of the above may already be in progress. But I could not find any specific mention, so I thought I would post my findings so far.

Cheers,

James


#2

@dmetzger, can you review this question from @Cloudmonkey and forward it to a SME if necessary?


#3

Looking into it.


#4

Hello James.

There is a hierarchy for tenants. So I believe you can see all templates that are owned by a parent tenant. @bascar will be able to shed some light here.

If you use LDAP, then multiple groups for a user is supported. We are looking into allowing a user to be in multiple groups; @chrisarcand would be a better resource to answer that.

Yes, for admins there is no access control of the access control. Not sure of the timeline for that; @bascar would be able to help you with that.


#5

Hi,

Child tenants cannot see the parent tenant’s templates (just tried setting ownership as main company, then logged in as child tenant).

I’m guessing it’s because the templates’ owner, “Tenant my company access”, is not one of the groups that tenant is a member of; they are listed as:

Groups in this Tenant
"Tenant Name"
Tenant “My Company”/“Tenant Name” access

Agreed, LDAP would be a workaround, but overkill for this deployment. Setting groups/permissions is one of the few things that does work in vOneCloud. : )

Cheers,

James
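The disagreement in this thread is about two different visibility rules: post #4 expects a child tenant to inherit visibility of resources owned by its parent tenant, while post #5 observes that only resources owned by the user's own tenant/group are visible. Item 3 of post #1 raises a related scoping question: whether an "Access Control" permission should let a tenant admin manage every user or only users in their own tenant subtree. The following Ruby block is an added, constructed toy model of those rules for illustration; it is not ManageIQ code and does not use any ManageIQ API. The `Tenant`, `Resource` and `User` structs, the tenant names and the `:access_control` feature symbol are all assumptions made up for the example.

```ruby
# Toy model of tenant-scoped visibility and admin scoping (constructed example,
# not ManageIQ's own implementation). Tenants form a tree via :parent.
Tenant = Struct.new(:name, :parent) do
  # Walk up the tree: self, parent, grandparent, ... (root last)
  def ancestors_and_self
    chain = []
    t = self
    while t
      chain << t
      t = t.parent
    end
    chain
  end

  # True when self is a strict ancestor of other (parent, grandparent, ...)
  def ancestor_of?(other)
    other != self && other.ancestors_and_self.include?(self)
  end
end

Resource = Struct.new(:name, :kind, :owner_tenant)
User     = Struct.new(:name, :tenant, :features)

# Strict rule (what post #5 observes): a user sees only resources owned by
# their own tenant.
def visible_strict?(user, resource)
  resource.owner_tenant == user.tenant
end

# Hierarchical rule (what post #4 expects): a user also sees resources owned
# by any ancestor tenant, but never those of sibling or descendant tenants.
def visible_hierarchical?(user, resource)
  user.tenant.ancestors_and_self.include?(resource.owner_tenant)
end

# Scoped admin check: the hypothetical :access_control feature only lets a
# user manage accounts inside their own tenant subtree. Post #1 item 3 reports
# the unscoped behaviour (any admin can edit any user); this is the scoped form.
def can_manage_user?(admin, target)
  return false unless admin.features.include?(:access_control)
  admin.tenant == target.tenant || admin.tenant.ancestor_of?(target.tenant)
end

# Names of the resources a user can see under the given rule
def visible_names(user, resources, rule)
  resources.select { |r| send(rule, user, r) }.map(&:name)
end

# Constructed sample data: a root tenant with two child tenants
ROOT   = Tenant.new("My Company", nil)
CLIENT = Tenant.new("Client", ROOT)
OTHER  = Tenant.new("OtherClient", ROOT)

RESOURCES = [
  Resource.new("rhel-template", :template, ROOT),
  Resource.new("client-vm-01",  :vm,       CLIENT),
  Resource.new("other-vm-01",   :vm,       OTHER),
].freeze

ROOT_ADMIN   = User.new("root-admin",   ROOT,   [:access_control])
CLIENT_ADMIN = User.new("client-admin", CLIENT, [:access_control])
CLIENT_USER  = User.new("client-user",  CLIENT, [])
OTHER_USER   = User.new("other-user",   OTHER,  [])

if __FILE__ == $PROGRAM_NAME
  puts "strict:       #{visible_names(CLIENT_USER, RESOURCES, :visible_strict?)}"
  puts "hierarchical: #{visible_names(CLIENT_USER, RESOURCES, :visible_hierarchical?)}"
  puts "client admin can edit other-user? #{can_manage_user?(CLIENT_ADMIN, OTHER_USER)}"
end
```

Under the strict rule the child tenant's user sees only `client-vm-01`, which matches the symptom in post #5; under the hierarchical rule the parent-owned `rhel-template` also becomes visible without exposing the sibling tenant's VM. The scoped admin check shows the property worth verifying when granting the "Access Control" feature to a tenant-level role: the tenant admin can manage users in its own subtree but not those of a sibling tenant.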