How to change the default ACL added on group creation


We are an university and we are in the process of deploying opennebula for our fellow computer scientists.
We have a few dozen departements and each will have their own group in which the group admin will manage the ressource allocation. We are planning on providing, for each department, 2 virtual networks, one local to opennebula for their VM interco and one routed to their existing DMZ and that where we are having trouble since we want that a group can only be able to use its own 2 networks.

Indeed, upon creation of a group, opennebula sets 3 default ACL:

  105     @124     -H--------------     *     -m--    #0
  106     @124     --N----D--------     *     u---    #0
  107     @124     V--I-T---O-S-R--     *     ---c     *

As you can see, the acl #106 is problematic for us. And, unless we delete it and recreate it just for the datastores we will never be able to script our group/acl/vnet management.

I have been looking around even poking at the source code and I can’t find a way to tell opennebula not to allow a newly created group to access all the vnet. And, of course, we have no prior ACL allowing this on a wider scope (we aren’t using the default users group, and I remote all ACL on virtual networks).

Thanks in advance,


Same problem here.

same problem here, no solution ?

From what I remember those default ACLs are actually added by sunstone, the web interface. Creating the groups from the CLI doesn’t add ACLs at all. We ended up scripting groups creation from the CLI…


Sorry for digging up this old thread, but I stumbled above this thread while trying to get rid of the default ACLs mentioned by Arnaud.
The trick for me was to remove all ressources (mainly the “All Clusters”) from the default VDC before creating any new group.
(CLI command to achieve this: onevdc delcluster default 0 ALL)
Afterwards there will be now ACLs to use all VNETs and Datastores etc.
Hope this helps, whoever finds this thread…