> i like to restrict the users as much as possible. Sure, but our permission works on resources (VMs, Storages), not on API paths. For example /cluster/resources simply lists all resources you have access to (VM.Audit or VMs, Datastore.Audit for storage).