Page History
...
id | name | description | uuid | path | removed | created | policy_type |
|---|---|---|---|---|---|---|---|
1 | REGULAR_USER | Domain user role | d2838dce-31f0-11e3-ad37-80f85ce25918 | / | NULL | 2013-10-10 14:13:34 | Static |
2 | ADMIN | Root admin role | d2839c56-31f0-11e3-ad37-80f85ce25918 | / | NULL | 2013-10-10 14:13:34 | Static |
3 | DOMAIN_ADMIN | Domain admin role | d283a7f0-31f0-11e3-ad37-80f85ce25918 | / | NULL | 2013-10-10 14:13:34 | Static |
6 | RESOURCE_OWNER | Resource owner role | d283c794-31f0-11e3-ad37-80f85ce25918 | / | NULL | 2013-10-10 14:13:34 | Dynamic |
iam_group_policy_map
id | group_id | policy_id | removed | created |
|---|---|---|---|---|
1 | 1 | 1 | NULL | 2013-10-10 14:13:34 |
2 | 2 | 2 | NULL | 2013-10-10 14:13:34 |
3 | 3 | 3 | NULL | 2013-10-10 14:13:34 |
...
id | policy_id | permission_id | removed | created |
|---|---|---|---|---|
1 | 61 | 3 | NULL | 2013-10-10 14:13:34 |
2 | 2 | 1 | NULL | 2013-10-10 14:13:34 |
3 | 3 | 2 | NULL | 2013-10-10 14:13:34 |
...
- Find all groups the user belongs to: groupIDs = 1
- Find all 'Effective' policies the groups are associated to: policies = 1, 6
- If any policy 'Allows' the startVirtualMachine API for this Vm Id, grant permission to make this call: Policy Id 6 1 and Permission Id 3 allow the API to be invoked for this user.
- In this case, since this is a regular user and the user is the owner the VM belongs to the "ACCOUNT" scope of the VMuser, then he is granted access using policy Id 61.
A Domain Admin 'domainAdmin' calls this command for a VM in his domain:
...
- Find all groups the user belongs to: groupIDs = 2
- Find all 'Effective' policies the groups are associated to: policies = 2
- Policy Id 3 2 and Permission Id 1 allow 'startVirtualMachine' access for ALL VMs .
...
Overview
Content Tools
Apps