Hi @johnnezero and thanks for the post!
Just wanted to talk about PERMISSION SYNC.
In the REST API, the "permission sync" pattern is actually handled natively by the RBAC system using selectors.
For example, if you want a role that allows a user to manage VM power state only for VMs tagged dev:
Start from the built-in role template “VMs power state manager” (just to speed up role creation, but totally optional)
Create or customize a role with the required VM power privileges (read, start, stop, reboot, etc.)
Scope each privilege using a selector like:
tags:dev
Then assign the role to your user or group
Once done, the access is fully dynamic:
Any VM with the dev tag is included in the scope
Removing the tag immediately revokes access
Adding the tag grants access instantly
No need to maintain per-VM ACL entries or run any sync process
The key point is that RBAC evaluates privileges at request time based on selectors.
You can also base selectors on other VM properties, not only tags (for example, power state, name patterns...).
You can find the doc here
and a dedicated forum thread here
PS: For the moment, the XO6 UI does not support the RBAC system, but we are working on it.
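
Added example, not part of the original post and not Xen Orchestra code: a small model of the difference the post describes between a selector evaluated at request time and a per-VM ACL produced by a sync job. The `property:value` matcher, the role shape, the action names and the sample VMs are all assumptions made for illustration; only the `tags:dev` selector comes from the post.

```javascript
// Conceptual model only: NOT Xen Orchestra's code or its real selector grammar.
// A selector here is a single "property:value" pair, like the post's tags:dev.
function matches(selector, vm) {
  const idx = selector.indexOf(':');
  if (idx < 1) return false; // malformed selector: fail closed
  const prop = selector.slice(0, idx);
  const want = selector.slice(idx + 1);
  const have = vm[prop];
  return Array.isArray(have) ? have.includes(want) : have === want;
}

// Hypothetical role: a list of privileges, each scoped by a selector.
const devPowerRole = [
  { action: 'vm.read', selector: 'tags:dev' },
  { action: 'vm.start', selector: 'tags:dev' },
  { action: 'vm.stop', selector: 'tags:dev' },
];

// Request-time check: the selector is evaluated against the VM's current state.
function isAllowed(role, action, vm) {
  return role.some(p => p.action === action && matches(p.selector, vm));
}

// Per-VM ACL as a sync job would build it: a snapshot that can go stale.
function syncAcl(role, action, vms) {
  return new Set(vms.filter(vm => isAllowed(role, action, vm)).map(vm => vm.id));
}

function demo() {
  // Constructed sample inventory.
  const vms = [
    { id: 'vm-1', name: 'build-01', tags: ['dev'], power_state: 'Running' },
    { id: 'vm-2', name: 'db-prod', tags: ['prod'], power_state: 'Running' },
  ];
  const acl = syncAcl(devPowerRole, 'vm.stop', vms);
  const before = isAllowed(devPowerRole, 'vm.stop', vms[0]);
  vms[0].tags = [];        // tag removed: selector scope shrinks immediately
  vms[1].tags.push('dev'); // tag added: selector scope grows immediately
  return {
    before,
    selectorVm1: isAllowed(devPowerRole, 'vm.stop', vms[0]),
    selectorVm2: isAllowed(devPowerRole, 'vm.stop', vms[1]),
    staleAclVm1: acl.has('vm-1'), // snapshot still grants the untagged VM
    staleAclVm2: acl.has('vm-2'), // and misses the newly tagged one
    otherAction: isAllowed(devPowerRole, 'vm.delete', vms[1]),
  };
}
console.log(demo());
```

The stale-ACL fields show why a sync-based design needs its own revocation latency budget, while the selector check has none to manage.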