Hi,

At the moment SASL VNC authentication in libvirt allows any of the userids to access any of the VNC consoles on a particular libvirt host.

There is a section in the qemu_command code marked "TODO: Support ACLs later" and we would really like the ability to have per VM user authorization to the VNC console from within libvirt.

Essentially the people who are accessing the VNC consoles are not administrators and have no access to the Host server - so these ACLs need to be completely based on a separate list of userids to any access mechanism for the libvirtd itself.

Given that the VNC restrictions are enforced within qemu from the monitor system, I'm presuming the authorization list is going to have to be passed in via XML and be capable of being updated throughout the life of a VM session. Unless there's another way of doing it...

What's the feeling about how this feature should be provided within libvirt?

If there is somebody out there who has a bit of time at the moment and fancies having a go at implementing this - and, of course, there is agreement on a specification here - then we'd look at sponsoring them to add the feature into Libvirt. Please put your hand up!

Regards,

Neil Wilson

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list