Tenants and isolation


#1

Hello,

There is some big confusion regarding the tenant access control in ManageIQ. Can we isolate a certain provider by creating a tenant, putting that tenant in one group, and then changing the ownership of the provider to that specific group?

In the group creation section, there is a way to restrict access to only the things (VMs, images, etc.) which have a specific tag, and also some provider restriction too…

But nothing appears to be working properly even if we change the ownership of it to either a user assigned to that group or the group itself. Of course, "user and group owned" is selected.
Is anything more needed, or is there any proper documentation related to this?

Thanks


#2

@blomquisg, can you review this question from @adlinix and forward it to a SME if necessary?


#3

@gtanzillo, can you look over this question?


#4

You can isolate a provider to be visible to one (sub) branch of your tenant hierarchy, by defining the provider from within the child tenant. You’d need to do this as a child tenant user with an RBAC role of EvmRole-administrator or equivalent. Note that groups are members of tenants, not vice-versa, so any groups in that tenant and any of its child tenants will be able to see the provider.

There are a number of tenant visibility rules that define what tenants can see from above and below them in a tenancy hierarchy. I’ve summarised them here: https://pemcg.gitbooks.io/mastering-automation-in-cloudforms-and-manageiq/content/chapter15a.html, which, although it talks specifically about automate and tenancy, might still be useful.

Hope this helps,
pemcg