Overriding Default ACLs

Hello all,

I’m looking to automate group user creation such that when a group/user is created, they get a default set of resources that they have permission to.

I’ve noticed that by default (when created from Ruby) a newly created group will get an ACL that gives manage permission on all hosts, and use permission on all vnets and datastores. I’d like to remove these defaults, such that nothing gets created unless I expressly set it.

Is there a way to remove the default permissions, or to explicitly set ACLs when other resources are being created?

It seems that you are looking for the --resources option. From the command line help:

   * create [<group_name>]
        Creates a new Group. A group name can be passed as the only argument,
        or via command line arguments
        
        Examples:
        
          - create a group with an admin user and allow group users
            to only create new templates and VMs
        
            onegroup create --name groupA
                            --admin_user admin_userA --admin_password somestr
                            --resources TEMPLATE+VM
        valid options: name, admin_user, admin_password, admin_driver, resources

If you are using the Ruby bindings, just init:

    # same value as the --resources CLI option
    group_options = { :resources => "TEMPLATE+VM" }

    group.create(group_options)

Forgot to mention that you have a “Permissions” tab in Sunstone that exposes this functionality through the UI.

Aha, I’d been using group.allocate. .create looks much more like what I need, thank you!