ACL inheritance for network objects
-
I've been trying to understand the interactions between ACLs and self-service on XO and it seems somewhat inconsistent for Networks.
I have granted a set of users "viewer" access to the entire pool. I have also constructed a self-service set (I have a different question on the self-service restrictions I will post shortly). However, within the self-service set, unless I provide all of the networks in the self-service set, the user is not able to see the network when building a VM.
In our environment, we build/remove networks via VLANs constantly. Having to go into the self-service set to add/remove these networks is not ideal. I would have thought that the inheritance of the networks via the "viewer" ACL would have been enough. Is this not the case?
I see in the XO docs for ACLs that the inheritance says "pools > hosts > VMs". I thought this was an example (i.e. there are other examples that discuss the operations on VMs as a case-study), but perhaps this is the only inheritance path. Is there a reason that networks might not be included in this model (or for that matter, if "pool" is given "viewer", why can't a user see everything in the pool)?
-
Question for @pdonias when he's back
-
Hi @olympicgreg, this seems to be the intended behaviour.
Self Service and ACLs weren't designed to work together, so when you create a VM, you either do it under the Self Service feature or thanks to the ACLs you have. So in your case, the user might have Viewer ACLs on the pool, but since they create the VM using Self Service, they will only be able to see the resources available in the Self Service resource set.
Regarding ACLs, "Viewer" is not enough to be able to create a VM on the pool. But if you change it to "Admin", you'll see that the user is now able to create a VM outside of the Self Service feature, simply by selecting the pool. And in that case, they'll be able to see all the pool's networks.