Product Features and Roles

In ManageIQ we have the concept of RBAC. Product features are assigned to Roles. Roles are assigned to Groups and Users are members of Roles. That way each user has a set of Product Features that are available to him. This is reflected by Menu Sections and Menu items being shown or hidden from the user. Accordions with trees being present and Toolbar buttons being available to the user.

From the developer perspective one of the common tasks is defining new Product features as new features are added to the product. This is done in the core repository in db/fixtures/miq_product_features.yml.

This file holds a part of the hierarchy of product features. The other parts of the hierarchy are formed by the menu structure defined in the OPS UI in app/presenters/menu/default_menu.rb.

These 2 sources plus a couple of exceptions form the RBAC tree that can be seen in the OPS UI under Settings --> Access Controll --> Roles --> [role].

When a new product feature is added it also needs to be assigned to pre-defined roles. This is done in the core repo in db/fixtures/miq_user_roles.yml. Unless you do this your new feature will not be easily accessible to the users. So as a developer or reviewer you should take care of that.

Adding features to the build-in roles needs to be done with respect to the purpose of the roles. This table provides a basic guideline on that:

Role Description


Administrator of the virtual infrastructure. Can access all infrastructure functionality. Cannot change server configuration.


Approver of processes, but not operations. Can view items in the virtual infrastructure, view all aspects of policies and assign policies to policy profiles. Cannot perform actions on infrastructure items.


Able to see virtual infrastructure for auditing purposes. Can view all infrastructure items. Cannot perform actions on them.

Container Administrator

Administrator with capabilities to configure, view and execute tasks on all containers and related underlying infrastructure. Has access to Nodes, Pods and Projects dashboards.

Container Operator

This role can view and execute tasks related to containers and related underlying infrastructure. The Container Operator has access to locked versions of the same dashboards as the Container Administrator.


Access to VDI pages.


Performs operations of virtual infrastructure. Can view and perform all functions on virtual infrastructure items including starting and stopping virtual machines. Cannot assign policy, but can view policy simulation from Virtual Machine page.


Enforces security for the virtual environment. Can assign policies to policy profiles, control user accounts, and view all parts of virtual infrastructure. Cannot create policies or perform actions on virtual infrastructure.

Super Administrator

Administrator of Red Hat CloudForms and the virtual infrastructure. Can access all functionality and configuration areas.


Access to features required by a support department such as diagnostics (logs). Can view all infrastructure items and logs. Cannot perform actions on them.

Tenant Administrator

Configures settings applicable to a Tenant. Sets Branding, maps groups/roles, configures LDAP credentials, and configures dashboard settings.

Tenant Quota Administrator

Configures quota limits for the tenant, applying usage constraints for CPU, Memory, Storage, Maximum number of VMs, and Maximum number of Templates.


User of the virtual infrastructure. Can view all virtual infrastructure items. Cannot perform actions on them.

User Limited Self Service

Limited User of virtual machines. Can make provision requests. Can access some functions on the virtual machine that the user owns including changing power state.

User Self Service

User of virtual machines. Can make provision requests. Can access some functions on the virtual machine that the user owns and that the user’s LDAP groups own including changing power state.

Vm User

User of virtual machines. Can access all functions on the virtual machine including changing power state and viewing its console. Cannot assign policy, but can view policy simulation from virtual machine page.

There’s one more YAML file that needs to match the content of db/fixtures/miq_product_features.yml and db/fixtures/miq_user_roles.yml. The third file is db/fixtures/miq_shortcuts.yml.

MiqShortcut represent URLs that can be uses as starting URLs when a user logs in into the OPS UI. Unless a product feature has it’s MiqShortcut it is not allowed as a starting page. Then user logs in, the starting page is calculated from the product features available to the user that have their corresponding MiqShortcut.

This functionality will bite you if you for example create a new section of the UI such as Cloud Networking with product feature e.g. cloud_networking and then create a new user that can only access this new section. Unless you add cloud_networking to the db/fixtures/miq_shortcuts.yml such user would not be able to log in.

MiqShortcuts also provide the list of URLs that can be used as shortcuts on the Dashboards. So if you want to enable users to access part of the application using dashboard shortcut widgets you also need the db/fixtures/miq_shortcuts.yml.

That’s all folks! I hope this short article will help us get better at managing the product features in our PRs and PR reviews.


Thanks, @martinpovolny.

I am not developer, but this short article is also good for miq admin who want to put miq into production.

Thank you for this explanation.

whats the best place for this kind of info? would an official doc/manual in
the website be a better place?

Thank you @martinpovolny. This is quite helpful.

I am trying to find/create a role which enables users to make requests in our Service Dialogs. Per your description I would expect EvmRole-user_self_service to be precisely what I need. But when I select that role, it says “No records found” under Services–> Catalogs --> Service Catalogs.

To remedy this I tried creating a custom role (from EVM EvmRole-user_self_service) and adjusting the Role Product Features from:


But I still get “No records found” under Services --> Catalogs --> Service Catalogs.

What am I missing?

The role features turn on/off the visibility of the UI menu items, so if you can see Services --> Catalogs --> Service Catalogs but nothing inside, it suggests (to me) maybe an RBAC issue with the catalog items themselves?

Are you using tenancy or tagging for RBAC?