I wanted to prohibit the possibility for normal users to create disk-snapshots, by changing the oned.conf file.
VM_ADMIN_OPERATIONS = “migrate, delete, recover, retry, deploy, resched, disk-snapshot”
VM_MANAGE_OPERATIONS = “undeploy, release, disk-attach, nic-attach, terminate, disk-resize,
snapshot, updateconf, rename, resize, update, disk-saveas”
VM_USE_OPERATIONS = “hold, stop, suspend, resume, reboot,
These users only have use & manage rights but are still able to create a disk-snapshot in sunstone (Storage Tab -> Camera Symbol). Strangely when they want to delete this Snapshot they get the following message:
[one.vm.disksnapshotdelete] User  : Not authorized to perform ADMIN VM .
Did I miss anything?
edit: marked as solved in 5.4.2
Firstly, these users, What view they use?
You can manage which actions can users view in susntone, in .yaml files for each kind of view.
If you want forbidden the possibility to create disk-snapshot you can disable this action with the key
Thanks for the hint for disabling this option from the view.
These users are using users view and the CLI.
Still the users can create disk-snapshots from the CLI and just removing this option from the view is in my opinion not a complete solution.
I think by setting the fine grained VM permissions (in my case putting disk-snapshot to the admin section) in oned.conf should disallow the creation of a snapshot completely for non-admin users resulting in a “Non authorized to perform…” message. Or have I missed something about this part of the configuration?
I have seen the problem with more detail and I have found a code bug. I have resolved the problem and early you will have the solution in the repository.
This is the issue: https://dev.opennebula.org/issues/5404
Regards and thanks!