ACL: "Create Templat" permission needed to instantiate?


i tried to trim down the ACLs of my user groups and ran into an odd behavior: If i remove the ‘Create Template’ permission for a group these users are no longer able to instantiate any VM from a template.
Most likely i’m missing something but so far i did not find any switch that would solve this for me. The groups are assigned via ldap but i can reproduce this with local groups as well.

I need to disable the template creation as otherwise my users accidentally (if we want to call it like that, some might do it willingly) create new templates. So a user can easily define a Template with way more resources than i have allowed in my templates which is actually not what i want.

Any hint would be highly appreciated!

1 Like


AFAIK, the need for ‘Create’ on ‘Template’ is added here [1]. I would say that as soon as you attempt to modify the template before instantiation (by providing a template fragment or by using various CLI options such as --cpu, --memory, etc.), you automatically need ‘Create’ permissions. That makes sense, since you are technically instantiating a different template, even though it is based on an existing template.

If you are using Sunstone, it is possible that these additional options are always present (from the wizard) and hence you would always need ‘Create’ permission on ‘Template’ to instantiate it … but that is just my guess :slight_smile:

Have you tried running

onetemplate instantiate $TEMPLATE_ID

without any additional arguments?


Hi parak,

thank you for your input. I had this guess as well and created templates that do not require any user input, which breaks the use case but for testing it makes sense. Unfortunately i still need the permission to instantiate no matter if i run it through Sunstone or via onetemplate command.

onetemplate instantiate 153 --user test-dev --password xxxxxx
[TemplateInstantiate] User [18] : Not authorized to perform CREATE TEMPLATE.