|Category:||Core & System|
While using the group system I've noticed that there isn't a way for a user to be a part of multiple groups. This would be nice in order for users to be a part of multiple 'projects', managing different sets of templates/vms/etc. I've tried using the ACL system to achieve such a result, but it too seems limited to keeping users to working with only their group's and public objects. If this type of workflow is not already possible (I may have missed something), it would make a nice addition to OpenNebula.
#1 Updated by Carlos Martín over 8 years ago
Actually we designed the feature with multiple groups in mind, but then we decided to leave only one group to introduce the new code gradually, trying to make it more robust. It can be introduced in future versions without much trouble.
Could you elaborate your use-case, to have a reference of the requirements?
For instance, a user in several groups could see an aggregated view of all their resources, or select the group they are currently working with, etc.
#2 Updated by João Pagaime almost 8 years ago
Hello Carlos Martín, I also share Keith's need (or "nice to add" ideia). As for use-case, imagine a user able to launch VMs both on a develop, testing or production VDC. Another use-case: VDCs for different projects/Services and a user that works on several projects/Services. The workaround seems to ACL permissions on the user (didn't test it) but that doesn't seem to be a good solution.
#3 Updated by Carlos Martín almost 8 years ago
Right now you can't have users in more than one group, but with ACL rules you can make your users be able to see a list of available groups, and choose to change from one to another. Let's say you want user
#7 to be part of groups @105 and @106:
$ oneacl create "#7 GROUP/@105 USE" $ oneacl create "#7 GROUP/@106 USE"
Now the user
#7 can do a 'onegroup list', and he will see both listed. He will be able then to change his own account group, using the command 'oneuser chgrp 7 106'.
In this scenario, your users won't have an aggregated view of all their groups, but this change of context can be desirable in some cases.