CLOUDSTACK-4852: Since upgrade to 4.2 only users at the zone-attached domain level can manipulate VMs

Changes:
- The vmprofile owner passed in to the planner should be the VM's account and not the caller
- Do not do the access check for Root Admin

engine/orchestration/src/com/cloud/vm/VirtualMachineManagerImpl.java

@@ -842,7 +842,8 @@ public class VirtualMachineManagerImpl extends ManagerBase implements VirtualMac
                     }
                 }
 
-                VirtualMachineProfileImpl vmProfile = new VirtualMachineProfileImpl(vm, template, offering, account, params);
+                Account owner = _entityMgr.findById(Account.class, vm.getAccountId());              
+                VirtualMachineProfileImpl vmProfile = new VirtualMachineProfileImpl(vm, template, offering, owner, params);
                 DeployDestination dest = null;
                 try {
                     dest = _dpMgr.planDeployment(vmProfile, plan, avoids);

server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java

@@ -460,12 +460,12 @@ public class DeploymentPlanningManagerImpl extends ManagerBase implements Deploy
         boolean isExplicit = false;
         VirtualMachine vm = vmProfile.getVirtualMachine();
 
+
         // check if zone is dedicated. if yes check if vm owner has acess to it.
         DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(dc.getId());
-        if (dedicatedZone != null) {
+        if (dedicatedZone != null && !_accountMgr.isRootAdmin(vmProfile.getOwner().getType())) {
             long accountDomainId = vmProfile.getOwner().getDomainId();
             long accountId = vmProfile.getOwner().getAccountId();
-
             // If a zone is dedicated to an account then all hosts in this zone
             // will be explicitly dedicated to
             // that account. So there won't be any shared hosts in the zone, the