Add authorization logic to domain groups and user accounts provisioned in bulk
A new dedicated virtual lab manager
role needs to be defined within NMaaS that would have the following capabilities/restrictions:
- create new domain groups and manage existing domain groups deployed by the user in question
- a virtual lab manager should not have access to domain groups that haven't been provisioned by them. These domain groups should not even be visible in the web interface.
- a given domain group can be shared with multiple lab managers, so that they have permission to add/restrict the set of available applications.
A virtual lab manager while having the opportunity to deploy users in bulk, should not have privileges to change sensitive information such as passwords or email addresses for existing users. This should be an additional capability which would be allocated on a case-by-case basis (not by default to all virtual lab managers).