That's because doing a snapshot will have consequences on the SR. That's why we restricted the permissions for doing snapshot.

I actually like the current implementation. I am currently using this setup to allow an admin user to have 2 accounts managed by one authentication back-end. One account is a typical self-service user to consume resources according to ACL/Self-service rule sets The other account is used to manage Admin features like backups and XO settings (environment with multiple admins who also consume resources from a shared pool with other departments/teams) I use separate accounts so when admin users create VMs it can go to the appropriate self-service container. I hope any fixes to address the above concern doesn't completely remote this capability or at least adds another method of achieving this.

@sborrill I have a work-in-progress branch with a plugin for this: https://github.com/vatesfr/xen-orchestra/pull/4701 To test, you will need to checkout this branch, add a symlink to the packages/xo-server-auth-http plugin into the directory xo-server/node_modules and then to configure and unable the plugin from XO. This will make basic authentication available with the path /signin/basic, note that you can make it the default authentication by overriding authentication.defaultSignInPage in your configuration file. julien-f opened this pull request in vatesfr/xen-orchestra open WiP: feat(xo-server): support HTTP basic auth #4701