Thanks Min and Prachi. >Based on above, for your usecase, you can attach a new policy to one account to deny specific operations. So even if that account belongs to the group that allows All, the second >policy has an explicit Deny, so this will deny the specific operations.
Does that mean that a new deny permission role should be created and then applied to the user? If yes then is it like we are apply two roles to a single user. Thanks Meghna. Thanks Meghna. On Thu, Jun 5, 2014 at 1:19 AM, Prachi Damle <prachi.da...@citrix.com> wrote: > >For example, there are two accounts and they belong to a group with > >Allow all permissions. If I have to remove some permissions for only > >account 1 but keep them for account 2 is it possible? > > This will be decided depending on whether Deny has higher precedence over > Allow or the other way. If Deny has the higher precedence, the evaluation > logic will be: > - If there is a policy attached to the account or to a group that the > account belongs to, which states an explicit Deny, then the permission will > be denied. > > Based on above, for your usecase, you can attach a new policy to one > account to deny specific operations. So even if that account belongs to the > group that allows All, the second policy has an explicit Deny, so this will > deny the specific operations. > > Thanks, > Prachi > > -----Original Message----- > From: Min Chen [mailto:min.c...@citrix.com] > Sent: Tuesday, June 03, 2014 9:30 AM > To: dev@cloudstack.apache.org > Cc: Daan Hoogland; Hugo Trippaers > Subject: Re: [ACS5.0] IAM feature postponed from 4.4 to 5.0? > > As mentioned in our FS doc in wiki, "In phase I, all the permissions > attached to any policy are by default explicit 'Allow' permissions. As of > now 'Deny' permissions cannot be added." > > For your use cases, you can have two options: > 1. Assign the two accounts into 2 different groups, and attach different > policy for the group. > 2. Directly attach an Allow policy to account 2 instead of assigning both > accounts into the Allow All group. > > Thanks > -min > > > On 6/3/14 5:03 AM, "Meghna Kale" <meghna.k...@sungardas.com> wrote: > > >Hi Min, > > > >With reference to the wiki doc, I had a query. > >In case of a customized role with deny permissions how will the > >listAll, isrecursive ..etc. input parameters values will be ? > > > >For example, there are two accounts and they belong to a group with > >Allow all permissions. If I have to remove some permissions for only > >account 1 but keep them for account 2 is it possible? > > > >Thanks > >Meghna. > > > > > >On Thu, May 22, 2014 at 10:22 PM, Min Chen <min.c...@citrix.com> wrote: > > > >> Added API issues we found through IAM feature in the wiki page > >>created by > >> Demetrius: > >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/API+changes > >> > >> Thanks > >> -min > >> > >> On 5/14/14 9:34 AM, "Min Chen" <min.c...@citrix.com> wrote: > >> > >> >Thanks Daan. Yes, I saw that there is another thread about putting > >> >an > >>API > >> >request for 5.0 api. Once we are done with this disabling, we will > >> >put > >>the > >> >issues we have found with current API in that wiki page to take into > >> >consideration when we design the new API. > >> > > >> >-min > >> > > >> >On 5/14/14 12:12 AM, "Daan Hoogland" <daan.hoogl...@gmail.com> wrote: > >> > > >> >>Min, > >> >> > >> >>I think everybody knows I am all for less features per release. I > >> >>don't think you are making a bad call, per se. I do think we should > >> >>consider if we can come up with a total picture of what 5.x would > >> >>require af the api, though. Can you add to the discussion what it > >> >>is that is keeping you from implementing. And what requirements you > >> >>have for the 5.0 api so we can start devising the architectural > >> >>guidelines for the new api. more and more calls for a 5.0 are > >> >>coming up lately so let's move forward. (changing title) > >> >> > >> >>On Wed, May 14, 2014 at 1:53 AM, Min Chen <min.c...@citrix.com> > wrote: > >> >>> Hi All, > >> >>> > >> >>> In the past several weeks, QA has done some testing on IAM > >> >>> feature > >>and > >> >>>found > >> >>> several backward-compatibility issues. Even though Prachi and I > >> >>>have tried our best to fix bugs to maintain backward > >> >>>compatibility, we realized that in order to support true IAM > >> >>>model documented in our FS > >> >>> > >> >>> > >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+Ide > >> nti > >> >>>t > >> >>>y+and+Access+Management+%28IAM%29+Plugin, > >> >>> we will have to make several API changes that will require us to > >> >>>increment CloudStack major version. > >> >>> Therefore we think that IAM feature is not ready for ACS 4.4 > >>release, > >> >>>and we > >> >>> would like to propose to disable it in 4.4 branch and re-enable > >> >>>it later when community decides to go for 5.x. > >> >>> > >> >>> Thanks > >> >>> -min > >> >> > >> >> > >> >> > >> >>-- > >> >>Daan > >> > > >> > >> > >> > > >
