Setting different permissions to a group on VMs

Hi all, can you please advice me on the following permission issue? For example - we have 10 VMs. We want to be able to set some VMs so that an exact group can see them but cannot operate. And some VMs could be seen and operated by the group. What are the options to set it this way? So far we were unable to find a solution for such scenario. Thanks a lot

Does “operate” include the default buttons on the VM (like Lifecycle and Power)?

We have mostly disabled the out-of-the-box buttons in Cloudforms and replaced them with Custom Buttons with Visibility/Enablement-Expressions

@buc, what do you usually use in Expressions to determine user-rights - tags, custom attributes or something else? What is the good practice?

Is it possible to evaluate current user group name in Expressions? I would like to use tags based on it.
E.g., we have tag category visibility. So on VM tag visibility/group1,visibility/group2 mean that both group can see VM.
Now I would like to set something like visibility/group1-operator. In that case user from group1 could also power no/off such VM…

Thank you

I guess there is no best practice solution, as it depends on the scenario. Basically there are 3 knobs to turn:

  • Visibility/RBAC on the object itself
  • RBAC on the buttons themselves
  • Enablement expressions on the button

We differentiate between 2 types of users: normal users and operators. But these privileges depend on the group and not on the individual user (i.e. either we trust your whole department to not do anything stupid or not). Therefore we can just use 2 roles and use the default RBAC of the buttons.

For special buttons that only a few people have access to, we user an visibility expression like

Slightly more flexible is to tag the group/user instead of using roles

Tags > Service.User Tags MyRoleTags contains "operator"

So far I have only compared Object Attributes against static strings. I couldn’t find a way to compare one dynamic value (the current users group) to another dynamic value (a custom attribute on the object)

From a Permissions point of view, it seems like the user can always do everything they are allowed to on everything they have access to. As admin you can only limit which objects the user can see or which actions the user can do, but different actions for different objects are not possible (I think)

One possible workaround might be to show the button to the user and add a dynamic textbox to the dialog that says “sorry but you are not allowed to use this feature on this object, because of reasons”.

Note: MiqExpressions can use dynamic inputs, but it looks like the dialog in the customizations menu doesn’t expose that. If you really need it, there might be a way to fake it in the YAML definition of the button