Hi Rhys,

if you were planning to give all users within the domain access to all VMs in a domain, but are searching for a way to restrict users with specific rights, then one way is to define custom roles, based on the type "DomainAdmin". This part is important, because only then will users of an account based on this custom role see all VMs.

Create a custom role, i.e. "Support Restart All No Create", with exactly the rights required for this role and create a new account "Customer_Support" in the customer domain based on your custom role "Support Restart All - No Create". Assign users to this new account "Customer_Support" and they should see all VMs within the customer domain, but have restricted rights.

I am curious to see how others solve this requirement.

Best regards,
Stephan

> Rhys Perry <[email protected]> wrote on 05.12.2025 22:19 CET:
>
>
> Hi All,
>
> I've been looking into the way that CloudStack does RBAC, and I've
> been struggling up till now to understand how to actually implement
> things properly.
>
> Accounts in CloudStack are the fundamental unit of resource isolation,
> however every user within an account is forced to have the same role.
> How can RBAC be effectively implemented if multiple users need access
> to the same resources, but with different levels of privilege?
>
> Any help is appreciated, and thanks in advance,
> Rhys
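
An added example, not part of the thread and not CloudStack code: an offline check of a rule list for the custom role from Stephan's reply before it is created. The rule list and the intended-policy lists are constructed for illustration (the thread does not enumerate the rights), and the evaluation model (ordered rules, first match decides, unmatched APIs denied) is an assumption about how role permissions are applied.

```python
from fnmatch import fnmatchcase

# Constructed rule list for the "Support Restart All No Create" role.
# Assumption: rules are checked top to bottom and the first match decides.
SUPPORT_ROLE = [
    ("deployVirtualMachine", "deny"),
    ("destroyVirtualMachine", "deny"),
    ("list*", "allow"),
    ("startVirtualMachine", "allow"),
    ("stopVirtualMachine", "allow"),
    ("rebootVirtualMachine", "allow"),
]

# Intended policy for the support account (constructed for this example).
MUST_ALLOW = ["listVirtualMachines", "rebootVirtualMachine",
              "startVirtualMachine", "stopVirtualMachine"]
MUST_DENY = ["deployVirtualMachine", "destroyVirtualMachine",
             "createVolume", "createUser"]


def is_allowed(rules, api):
    """Return True if the first rule matching `api` is an allow rule."""
    for pattern, permission in rules:
        if fnmatchcase(api, pattern):
            return permission == "allow"
    return False  # no rule matched: default deny


def violations(rules, must_allow, must_deny):
    """List the APIs whose outcome differs from the intended policy."""
    wrong = [a for a in must_allow if not is_allowed(rules, a)]
    wrong += [a for a in must_deny if is_allowed(rules, a)]
    return wrong


# Failure mode: a broad wildcard placed first shadows the later deny rules.
MISORDERED = [("*VirtualMachine", "allow")] + SUPPORT_ROLE

if __name__ == "__main__":
    print("support role:", violations(SUPPORT_ROLE, MUST_ALLOW, MUST_DENY))
    print("misordered:  ", violations(MISORDERED, MUST_ALLOW, MUST_DENY))
```
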
