luganofer commented on issue #10886: URL: https://github.com/apache/cloudstack/issues/10886#issuecomment-2931147371
> I don’t understand how a lot of accounts would matter, [@luganofer](https://github.com/luganofer). There has to be only one role that needs to be denied that API. All and users can be assigned that same role. in a little worse case it will be three roles that need to be created, but certainly not much worse.. Hi Dan, thanks for the feedback. If you have hundreds of accounts and thousands of users that belong to an account with the role ‘Domain Admin’ (role that is assigned to an end customer by default in most cases) you have to think about a migration process of creating not only the roles that deny those APIs (that wouldn't be much effort) , you also have to recreate the hundreds of accounts with the new role and also recreate the thousands of users in these new accounts to inherit this new role and force the thousands of users to re-register the 2FA if this feature is active. Unless you do something nasty to the database, of course. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@cloudstack.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
