Tenants and isolation


There is some big confusion regarding the Tenant access control in ManageIQ. Can we isolate a certain provider by creating a tenant, put that tenant in one group, and then change the ownership of the provider to that specific group?

In the group creation section, there is a way to restrict access to only the things (VMs, images, etc.) which have a specific tag, and some provider restriction too…

But nothing appears to be working properly even if we change the ownership of it to either a user assigned to that group or the group itself. Of course, user and group owned is selected.
Is anything more needed, or is there any proper documentation related to this?



@blomquisg can you review this question from @adlinix and forward to a SME if necessary.

@gtanzillo can you look over this question?

You can isolate a provider to be visible to one (sub) branch of your tenant hierarchy, by defining the provider from within the child tenant. You’d need to do this as a child tenant user with an RBAC role of EvmRole-administrator or equivalent. Note that groups are members of tenants, not vice-versa, so any groups in that tenant and any of its child tenants will be able to see the provider.

There are a number of tenant visibility rules that define what tenants can see from above and below them in a tenancy hierarchy. I’ve summarised them here: https://pemcg.gitbooks.io/mastering-automation-in-cloudforms-and-manageiq/content/chapter15a.html, which, although it talks specifically about automate and tenancy, might still be useful.

Hope this helps,

Hello @pemcg,
Currently, I am facing the same issue. I have gone through the document you shared.
In my case, I have two child tenants, Sales and Engineering. Consider that the Sales tenant added provider-sales and the Engineering tenant added provider-engineering.
Now, both tenants' services are overlapping for availability zones, images, key pairs, stack, flavors, host aggregates, and the topology section. This means the Sales tenant can see the details of provider-engineering and, vice versa, the Engineering tenant can see the details of provider-sales.
Can you please help me, how can I isolate the services for both tenants?



Can you elaborate on what you mean by “see” - do you mean in the WebUI, and if so in what screens/pages? Some ManageIQ components are not tenant (i.e. RBAC) aware by default (such as Automate), so if you have a service dialog dropdown that was populated using $evm.vmdb(:Vm) for example, it would retrieve all VMs from all tenants.

The workaround for this is to call $evm.enable_rbac at the top of each method that you intend to be run in a tenant-aware context.

Hope this helps,

Hello @pemcg,

Yes, it is in the WebUI. Actually I am new here, just learning and exploring ManageIQ.
I am talking about the web pages Compute > Clouds > availability zones, images, key pairs, stack, flavors, host aggregates, and topology. Also, while provisioning a new instance, Sales tenant users can select Engineering tenant images and can create instances in provider-engineering. How can I isolate both tenants’ data, so that the Sales tenant can view the details of provider-sales only, and vice versa for the Engineering tenant?


Hello @pemcg,

I tried to call the $evm.enable_rbac method at the top of methods in models and controllers which I wanted to be run under the tenant, but it does not help me.

Also, when I add a provider, in the database the storage manager and network manager get the tenant ID of admin and not the user’s. Is there any way to add it according to the user’s tenant ID?


$evm.enable_rbac is only used in automate methods.
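
The workaround discussed in the thread, as an added example that is not part of any post or of ManageIQ's own code: a dynamic drop-down Automate method that calls $evm.enable_rbac before it queries the VMDB. FakeEvm, SAMPLE_VMS and tenant_scoped_vm_values are hypothetical names, and the stub only models two sibling tenants so the snippet runs outside an appliance; inside Automate the method body would use the global $evm handle instead.

```ruby
# Added example, not ManageIQ source code.
Vm = Struct.new(:id, :name, :tenant)

# Constructed inventory: two sibling tenants, as in the thread.
SAMPLE_VMS = [
  Vm.new(1, 'sales-web01', 'Sales'),
  Vm.new(2, 'sales-db01',  'Sales'),
  Vm.new(3, 'eng-build01', 'Engineering')
].freeze

# Hypothetical stand-in for the Automate $evm handle. It models only the
# behaviour the thread describes: vmdb queries are unfiltered until
# enable_rbac has been called. It is not ManageIQ's RBAC implementation.
class FakeEvm
  attr_reader :object

  def initialize(user_tenant, vms)
    @user_tenant = user_tenant
    @vms = vms
    @rbac = false
    @object = {}
  end

  def enable_rbac
    @rbac = true
  end

  def vmdb(_model)
    visible = @rbac ? @vms.select { |vm| vm.tenant == @user_tenant } : @vms
    Struct.new(:all).new(visible)
  end
end

# Dynamic drop-down method: builds the id => label hash that a service dialog
# element reads from $evm.object['values'], and returns it.
def tenant_scoped_vm_values(evm, rbac: true)
  evm.enable_rbac if rbac # must run before any vmdb lookup in the method
  values = { nil => '<choose a VM>' }
  evm.vmdb(:Vm).all.each { |vm| values[vm.id] = vm.name }
  evm.object['values'] = values
end
```

Calling the function with rbac: false reproduces the cross-tenant drop-down described earlier in the thread; the default call returns only the requesting tenant's VMs.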