Hey Fernando,

No reactions either means no one is interested in the question, or the more optimistic view is that no one else is using it. I don't, but the theory is that read-only users can see/list anything in their domain and in any domain below theirs, including VMs, networks, and capacity data. I am not pleading it is useful, just that there is an intended use. Maybe it is worth discussing if the role should be removed...

On Fri, Jul 18, 2025 at 3:12 AM Fernando Alvarez <lugano...@gmail.com> wrote:
>
> Hi everyone,
>
> I’d like to raise a question regarding the “Read-Only User” role as
> described in the CloudStack documentation:
>
> https://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#read-only-user
>
> According to the docs, this role is intended to grant users visibility into
> resources, without allowing them to modify anything — which is perfectly
> reasonable in principle.
>
> However, in practice, I’ve found the role to be quite unusable in most
> real-world scenarios. Here’s why:
>
> - A user under an account assigned the “Read-Only User” role can see
>   resources created within that same account — including those created by
>   other users of the same account — but cannot create any resources
>   themselves.
> - This limitation means that such users are essentially locked out of any
>   action.
> - If all users in the account inherit the read-only role, then no one in
>   the account is able to provision anything — reducing the role to a purely
>   passive viewer state.
>
> This seems contradictory: while the role is meant to allow non-disruptive
> observation of resources, in practice it’s extremely limited and offers
> very little real utility unless the account also includes other users with
> more privileged roles.
>
> To be clear: I understand that CloudStack supports dynamic roles and that
> custom roles can be defined to fit specific use cases. My point here is
> that the default “Read-Only User” role, as shipped, seems to have very
> limited applicability — and I wonder if anyone is actually using it in
> production.
>
> I’d be very interested in hearing your thoughts. Is there a common use case
> I might be overlooking? Has anyone adapted this role successfully in
> practice?
>
> Best regards,
>
> --
> Fernando.

--
Daan