DaanHoogland commented on a change in pull request #145: URL: https://github.com/apache/cloudstack-documentation/pull/145#discussion_r468376042
########## File path: source/adminguide/projects.rst ########## 
@@ -32,17 +32,33 @@ You can configure CloudStack to allow any user to create a new project, or you can restrict that ability to just CloudStack administrators. Once you have created a project, you become that project’s administrator, and you can add others within your domain to the project. CloudStack can be -set up either so that you can add people directly to a project, or so -that you have to send an invitation which the recipient must accept. -Project members can view and manage all virtual resources created by -anyone in the project (for example, share VMs). A user can be a member -of any number of projects and can switch views in the CloudStack UI to -show only project-related information, such as project VMs, fellow -project members, project-related alerts, and so on. - -The project administrator can pass on the role to another project -member. The project administrator can also add more members, remove -members from the project, set new resource limits (as long as they are +set up to either add people directly to a project, or to send an +invitation which the recipient must accept. Project members can view +and manage all virtual resources created by anyone in the project +(for example, share VMs). A user can be a member of any number of projects +and can switch views in the CloudStack UI to show only project-related information, +such as project VMs, fellow project members, project-related alerts, and so on. + +From CloudStack 4.15 onwards, it is possible for a project to have +multiple project administrators and to add/invite specific users of +an account to a project in addition to adding accounts. By means of +Project Roles associated with a user or an account of the project, +it is possible to restrict access of users in a project, i.e., in +addition to account-level roles, one can further restrict access to +operations (or APIs) by associating a project-level role to the +user or account. + +**NOTE:** Project Roles work over Account level Roles. 
If a user/account is +added to a project without a project role, it would imply that the +user / account added will have access to all APIs that are made available +by the Account level role. If there are no specific deny rules in the +project role, it would again fallback onto the account-level role to decide +whether the user has permissions to perform a specific action. +
Review comment: I would like to see a second note to make clear that a user's rights cannot be widened in comparison to their account role but only restricted.
########## File path: source/adminguide/projects.rst ##########
@@ -280,36 +296,21 @@ feature is enabled in the cloud as described in `“Setting Up Invitations” <#setting-up-invitations>`_. If the invitations feature is not turned on, use the procedure in Adding Project Members From the UI. -#. Log in to the CloudStack UI. +#. Log in to the CloudStack Primate UI. #. In the left navigation, click Projects. -#. In Select View, choose Projects. - #. Click the name of the project you want to work with. -#. Click the Invitations tab. +#. Click on the `Add Account to Project` button. This will have 2 tabs, one to add account to the project and the other to add a user to the project. Here, we can specify the: -#. In Add by, select one of the following: + - account or user and/or email id of the user to be invited, + - (Optional) the Role i.e, Admin or Regular that the user is to be added as, defualts to Regular role, + - (Optional) the Project role specifying the list of APIs the user is allowed/ denied access to - #. Account – The invitation will appear in the user’s Invitations tab - in the Project View. See Using the Project View. + You can invite only people who have an account in this cloud within the same domain as the project. However, you can send the invitation to any email address. - #. Email – The invitation will be sent to the user’s email address. - Each emailed invitation includes a unique code called a token - which the recipient will provide back to CloudStack when accepting - the invitation. Email invitations will work only if the global - parameters related to the SMTP server have been set. See - `“Setting Up Invitations” <#setting-up-invitations>`_. - -#. Type the user name or email address of the new member you want to - add, and click Invite. Type the CloudStack user name if you chose - Account in the previous step. If you chose Email, type the email - address. You can invite only people who have an account in this cloud - within the same domain as the project. 
However, you can send the - invitation to any email address. - -#. To view and manage the invitations you have sent, return to this tab. +5. To view and manage the invitations you have sent, return to this tab.
Review comment: Should the `5.` here be a `#.`?
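Review bot: In the first hunk (@@ -32,17 +32,33 @@), the added NOTE covers two cases, a member added without a project role and a project role with no specific deny rule, but it does not say which rule wins when a project role allows an API that the account-level role denies. Since the paragraph above describes project roles as a way to "further restrict access", the NOTE should state the precedence explicitly so that an administrator cannot read a project-level allow rule as a grant. Two wording points in the same added lines: "fallback onto" should be the verb form "fall back onto", and "Account level" / "account-level" and "user/account" / "user / account" are each written two ways within the NOTE.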
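Review bot: In the second hunk (@@ -280,36 +296,21 @@), the last step still reads "return to this tab", but the step "Click the Invitations tab." is removed by this hunk and the only tabs now mentioned are the two in the Add Account to Project dialog, so the reference no longer has a target; name the place where sent invitations are listed. The removed Email bullet was also the only text in this procedure saying that an emailed invitation carries a token the recipient provides back to CloudStack and that email invitations depend on the SMTP global parameters, while the new text keeps "you can send the invitation to any email address"; a sentence on the token and the SMTP prerequisite should be retained. Smaller points in the added lines: "defualts" is a typo for "defaults", "i.e," is missing its second period, and the button name is wrapped in single backticks, which reStructuredText does not render as a literal (double backticks do).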