<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">I'm specifically referring to keystone, because you mention "...this role only can create tenants and roles..." If you can create tenants and roles in keystone, you also have the power to create new users and grant yourself additional roles in keystone, due to the binary nature of the policy implementation in keystone today (thereby -- and unfortunately -- defeating the rest of your statement: "... </span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">but cannot change quotas or modify images")</span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">.</span><div>
<div><div><br></div>-Dolph<br>
<br><br><div class="gmail_quote">On Wed, Oct 31, 2012 at 5:29 PM, Guillermo Alvarado <span dir="ltr"><<a href="mailto:guillermoalvarado89@gmail.com" target="_blank">guillermoalvarado89@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I know the implementation is not binary; you can modify the permissions related to nova/glance/swift for the different roles. My doubt is whether horizon knows which template each user can view...<div class="HOEnZb">
<div class="h5"><div class="gmail_extra"><br><br>
<div class="gmail_quote">2012/10/31 Dolph Mathews <span dir="ltr"><<a href="mailto:dolph.mathews@gmail.com" target="_blank">dolph.mathews@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
With regard to keystone, the current policy implementation is entirely binary in that a role may either have total control over keystone or none. The implementation in Grizzly is much more granular.<span><font color="#888888"><br clear="all">
<div><br>
</div>-Dolph<br>
<br><br></font></span><div class="gmail_quote"><div><div>On Wed, Oct 31, 2012 at 2:35 PM, Guillermo Alvarado <span dir="ltr"><<a href="mailto:guillermoalvarado89@gmail.com" target="_blank">guillermoalvarado89@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Hi everybody,<div><br></div><div>I want to create a new role, named "another-admin", so this role only can create tenants and roles but cannot change quotas or modify images and all other actions that the admin role can do.<br>
<br>I read about creating rules in the policy.json of each service (nova, keystone, glance, swift), but my doubt is: how can I limit the views/templates/URLs of Horizon? I mean, I want the role "another-admin" not to see templates related to glance and not to see that menu.</div>
<div><br></div><div>Thanks in advance,</div><div>Best Regards.</div><div><br></div><div><br></div>
<br></div></div><div>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
<br></div></blockquote></div><br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>