Pearl1594 commented on a change in pull request #145: URL: https://github.com/apache/cloudstack-documentation/pull/145#discussion_r468380657
########## File path: source/adminguide/projects.rst ########## 
@@ -32,17 +32,33 @@ You can configure CloudStack to allow any user to create a new project, or you can restrict that ability to just CloudStack administrators. Once you have created a project, you become that project’s administrator, and you can add others within your domain to the project. CloudStack can be -set up either so that you can add people directly to a project, or so -that you have to send an invitation which the recipient must accept. -Project members can view and manage all virtual resources created by -anyone in the project (for example, share VMs). A user can be a member -of any number of projects and can switch views in the CloudStack UI to -show only project-related information, such as project VMs, fellow -project members, project-related alerts, and so on. - -The project administrator can pass on the role to another project -member. The project administrator can also add more members, remove -members from the project, set new resource limits (as long as they are +set up to either add people directly to a project, or to send an +invitation which the recipient must accept. Project members can view +and manage all virtual resources created by anyone in the project +(for example, share VMs). A user can be a member of any number of projects +and can switch views in the CloudStack UI to show only project-related information, +such as project VMs, fellow project members, project-related alerts, and so on. + +From CloudStack 4.15 onwards, it is possible for a project to have +multiple project administrators and to add/invite specific users of +an account to a project in addition to adding accounts. By means of +Project Roles associated with a user or an account of the project, +it is possible to restrict access of users in a project, i.e., in +addition to account-level roles, one can further restrict access to +operations (or APIs) by associating a project-level role to the +user or account. + +**NOTE:** Project Roles work over Account level Roles. 
If a user/account is +added to a project without a project role, it would imply that the +user / account added will have access to all APIs that are made available +by the Account level role. If there are no specific deny rules in the +project role, it would again fallback onto the account-level role to decide +whether the user has permissions to perform a specific action. +
Review comment: Added relevant details
----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
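Review bot: The NOTE at the end of this hunk does not pin down how a project role and an account-level role combine. "Project Roles work over Account level Roles" and "it would again fallback onto the account-level role" cover only the no-role and no-deny-rule cases. The text should also say what happens when a project role allows an API that the account-level role denies, since the preceding paragraph describes project roles only as a way to "further restrict access". It is also worth stating as an explicit caution that adding a user or account without a project role leaves them with every API the account-level role permits, so an administrator who wants least privilege inside a project has to assign a project role. Minor: "fallback" should be "fall back" when used as a verb, and "user/account" versus "user / account" should be written one way throughout.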