On 07/27/2011 01:11 PM, Scott Seago wrote:
Also note, that in all cases, permission records are tied to specific objects/resources. i.e. there's no such thing as granting a role to someone in the abstract -- a user has a role on an object (i.e. on a resource, in a particular context). So a user might belong to an Admin role on one pool (i.e. can see anyone's instances there), a User role in another (i.e. can create instances there and manage those instances, once created, but no access to anyone else's instances in the pool) and no role at all in a third. For example, Hugh might be an admin on "aeolus dev pool", a user in "qe pool" and no role at all in the "web production" pool.
This is great! Now the question is: "Can Hugh access IWHD via its CLI and if he can then how IWHD makes sure that Hugh does not mess with the images that are/will be deployed into "web production" pool. If he can access the image and change it then we got a big problem.