Hi Fernando,

I had the same understanding as you, but in practice the role is too restricted.
In the end, I adjusted the role with the necessary rights...

-----Original Message-----
From: Daan Hoogland <daan.hoogl...@gmail.com>
Sent: Tuesday, 5 August 2025 10:39
To: users@cloudstack.apache.org
Subject: Re: Is the “Read-Only User” Role Actually Usable?

Hey Fernando,
No reactions either means no one is interested in the question, or the more 
optimistic view is that no one else is using it. I don't, but the theory is that 
read-only users can see/list anything in their domain and in any domain below 
theirs, including VMs, networks, and capacity data. I am not pleading it is 
useful, just that there is an intended use. Maybe it is worth discussing if the 
role should be removed...

On Fri, Jul 18, 2025 at 3:12 AM Fernando Alvarez <lugano...@gmail.com> wrote:
>
> Hi everyone,
>
> I’d like to raise a question regarding the “Read-Only User” role as 
> described in the CloudStack documentation:
>
> https://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#read-only-user
>
> According to the docs, this role is intended to grant users visibility 
> into resources, without allowing them to modify anything — which is 
> perfectly reasonable in principle.
>
> However, in practice, I’ve found the role to be quite unusable in most 
> real-world scenarios. Here’s why:
>
> - A user under an account assigned the “Read-Only User” role can see 
> resources created within that same account — including those created 
> by other users of the same account — but cannot create any resources 
> themselves.
> - This limitation means that such users are essentially locked out of 
> any action.
> - If all users in the account inherit the read-only role, then no one 
> in the account is able to provision anything — reducing the role to a 
> purely passive viewer state.
>
> This seems contradictory: while the role is meant to allow 
> non-disruptive observation of resources, in practice it’s extremely 
> limited and offers very little real utility unless the account also 
> includes other users with more privileged roles.
>
> To be clear: I understand that CloudStack supports dynamic roles and 
> that custom roles can be defined to fit specific use cases. My point 
> here is that the default “Read-Only User” role, as shipped, seems to 
> have very limited applicability — and I wonder if anyone is actually 
> using it in production.
>
> I’d be very interested in hearing your thoughts. Is there a common use 
> case I might be overlooking? Has anyone adapted this role successfully 
> in practice?
>
>
>
>
>
> Best regards,
>
> --
> Fernando.



--
Daan


- proIO GmbH -
Managing Director: Swen Brüseke
Registered office: Frankfurt am Main

VAT ID No. DE 267 075 918
Register court: Frankfurt am Main - HRB 86239
