Ordering a service?

i created a catlog object whit the admin user. but i cant see it in the catalog off EvmGroup-user_self_service users why?

i can order a service only whit admin user.

I guess this is a permissions issue?

Hi @dotan for Catalog to be visible for self_service users you should change this role. You need to copy this role and change “VM & Template Access Restriction” value to None:


Thx! But then I can not restrict the user to manage only his machines?

Users can access only to tenants machines (and to child tenant machines). In this way you should restrict users by tenants - assign users to group and assign this group to related tenant:

In this way users can operate only within its own tenant but not in other tenants.

1 Like


do you mean child tenant?

Yes for you root tenant you need to create child tenants for each user group.

1 Like

Another way is to use tag based filtering which the developers call RBAC. But in this way you should assign tags to all objects (vms etc.) during provisioning from automation methods. I.e. you can limit some group by ‘vms/groupname’ tag and than assign this tag to all vms that provisioned by users from this group. I use this way for some reasons.

Chapter 9: ‘Using Tags from Automate’

1 Like

Thx! igortiunov

There is additional info about tenants:


1 Like


how can i use the “Sample VM Provisioning Dialog” in vm catalog?

How can I choose a name for a vm machine?

From the book you can find how to configure service provisioning dialog and vm naming workflow.

First of all you have two provisioning way: Lifecycle ->Provisioning from button and service provisioning. I use services for all my provisioning task because it is more customisable method.
You can create service dialog with field that have vm_name label as a text box type and during ordering service you can specify vm name in this text box.
Automation have out of the box workflow for automatically assign name to provisioned vm based on the group membership and tags, you can check it by assign name “changeme” to vm or leave this field blank.

1 Like

how do i copy the “Sample VM Provisioning Dialog” from the “Provisioning Dialog” to "all Dialog partition? I can only choose from there when creating a catalog.

These dialogs are for Lifecycle ->Provisioning and their primary purpose is for group specific customization. This “group specific customization” process started at /Infrastructure/VM/Provisioning/Profile class. You can copy this dialog to another name in the same category. And this another name should be in miq_provision_dialogs-groupname format. Check please related doc:

I would rather suggest you to use the service dialogue for your tasks:

In this screenshot the OpenStack Instance Generic is my own Service dialog:

1 Like

So if I understood correctly I need to duplicate the object and change the name to it?


It still does not work. I do not see the dialog in “service dialog”

No, you have two way for provisioning. First is to start vm provisioning tрrough Lifecycle button:

In this way you can use provision dialogs and choice of this dialogue for users depends on the name of dialogue. I.e. for user from group EvmGroup-QA_Self_service it will be miq_provision_dialogs_EvmGroup-QA_Self_service.

Second way is ordering the service and in this way you should create Service Dialog (not a provision dialog):

1 Like

Ok, but ware can i get template for service dialog?

Just create your own:

There is doc for creating one:

1 Like

The process of creating a service consists of two stages. The first is the creation of a template of the service, and the second is connected to the template of the corresponding dialogue. The first process involves specifying default values for the provisioning dialog and the second is customization and extension of these default values.

1 Like

Is it possible to let user only see his own services/vms by tags? Like ‘User Only’ in role. Don’t show services in same group.

If I set ‘User Only’ in role, the user only see his own services, but cannot see service catalog.

If I set ‘None’ in role, the user is able to see service catalog, but all services in group or tags are visible. Can we restrict them to user only via tags?

The goal is user only see services owned by user, and also see service catalog created by admin.

Create a tag for each user and assign the tag to the owned service/VM.