[nova][horizon] VNC console policy
Hi *,

I'm a bit confused regarding the policy requirements to grant a user access to the VNC console via horizon dashboard. Since we have 10 years of history in our cloud, I tried to remove legacy stuff, e.g. old policy files and try with the defaults to see what we're missing. I recently upgraded this cloud to Caracal. It seems like currently, only a user with the admin role has access.

Searching for some hints, I found the deprecated policies in (everything is commented):

/usr/share/openstack-dashboard/openstack_dashboard/conf/nova_policy.yaml

And then the defaults here:

/usr/share/openstack-dashboard/openstack_dashboard/conf/default_policies/nova.yaml

In the code I found two checks for "os_compute_api:os-consoles:show":

class ConsoleTab(policy.PolicyTargetMixin, tabs.Tab):
    name = _("Console")
    slug = "console"
    template_name = "project/instances/_detail_console.html"
    preload = False
    policy_rules = (("compute", "os_compute_api:os-consoles:show"),)

class InstanceDetailTabs(policy.PolicyTargetMixin, tabs.DetailTabsGroup):
    slug = "instance_details"
    tabs = (OverviewTab, InterfacesTab, LogTab, ConsoleTab, AuditTab)
    sticky = True
    policy_rules = (("compute", "os_compute_api:os-consoles:show"),)

from /usr/share/openstack-dashboard/openstack_dashboard/dashboards/project/instances/tabs.py.

But I don't find any policy like that in the defaults. So I'm wondering what the current recommendation would be. Should I add only "os_compute_api:os-consoles:show" to /usr/share/openstack-dashboard/openstack_dashboard/conf/default_policies/nova.yaml? I'm not sure if that would override the other defaults (because of one entry only) or if this would be an additional policy (haven't been playing with those for some time now).

Could anyone point me to the best approach?

Thanks!
Eugen