luganofer commented on issue #10886: URL: https://github.com/apache/cloudstack/issues/10886#issuecomment-2950667207
> > Hi [@DaanHoogland](https://github.com/DaanHoogland), thanks for the feedback.
>
> np
>
> > If you have hundreds of accounts and thousands of users that belong to an account with the role ‘Domain Admin’ (role that is assigned to an end customer by default in most cases) you have to think about a migration process of creating not only the roles that deny those APIs (that wouldn't be much effort), you also have to recreate the hundreds of accounts with the new role and also recreate the thousands of users in these new accounts to inherit this new role and force the thousands of users to re-register the 2FA if this feature is active. Unless you do something nasty to the database, of course.
>
> Why do you think the recreation of accounts is needed? An account can be assigned a new role, and this can be scripted with APIs. These are the ones you would need:
> https://cloudstack.apache.org/api/apidocs-4.20/apis/createRole.html
> https://cloudstack.apache.org/api/apidocs-4.20/apis/updateRolePermission.html
> https://cloudstack.apache.org/api/apidocs-4.20/apis/updateAccount.html
> Only the last one would be called on all those users. The users/accounts will continue to exist with all their data.

You are right 🥇 @DaanHoogland. From the APIs it is possible to assign a new role to the accounts and I wasn't aware of that (thank you for the tip!). The good thing about this is we can make the changes we need without waiting for the new functionality 😄

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@cloudstack.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
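The scripted reassignment discussed in the thread above, as an added example that is not part of the original comments or of CloudStack's own code: it builds one signed `updateAccount` request per account so that existing accounts move to a more restrictive role without being recreated. The endpoint, API key, secret key and UUIDs are constructed placeholders, and the `id` and `roleid` parameter names are assumptions to confirm against the `updateAccount` page linked in the quoted reply.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlencode

# Constructed placeholders: replace with a real management server and admin keys.
ENDPOINT = "https://cloudstack.example.invalid/client/api"
API_KEY = "EXAMPLE-API-KEY"
SECRET_KEY = "EXAMPLE-SECRET-KEY"


def sign(params, secret_key):
    """CloudStack request signature: HMAC-SHA1 over the query string with
    URL-encoded values, sorted by parameter name and lower-cased, then base64."""
    pairs = sorted(params.items(), key=lambda kv: kv[0].lower())
    canonical = "&".join(f"{k}={quote(str(v), safe='')}" for k, v in pairs).lower()
    digest = hmac.new(secret_key.encode(), canonical.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request(command, **args):
    """Return a signed GET URL for one API call (nothing is sent)."""
    params = {"command": command, "response": "json", "apikey": API_KEY, **args}
    params["signature"] = sign(params, SECRET_KEY)
    # quote_via=quote keeps spaces as %20, matching the string that was signed.
    return ENDPOINT + "?" + urlencode(params, quote_via=quote)


def role_migration_requests(account_ids, new_role_id):
    """One updateAccount call per account; users and their data stay in place.
    'id' and 'roleid' are assumed parameter names (check the API docs)."""
    return [
        build_request("updateAccount", id=account_id, roleid=new_role_id)
        for account_id in account_ids
    ]


if __name__ == "__main__":
    # Constructed sample UUIDs, e.g. as exported from a listAccounts call.
    accounts = [
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
    ]
    restricted_role = "99999999-9999-9999-9999-999999999999"
    for url in role_migration_requests(accounts, restricted_role):
        print(url)  # review the list first, then send with an HTTP client
```

Printing the URLs before sending them gives a reviewable change list for the migration; the new role should be created and checked on a test account before it is applied in bulk.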