From e0d2423f065847aefb5f0ea99757dcbeaa1e5c02 Mon Sep 17 00:00:00 2001
From: Prachi Damle <prachi@cloud.com>
Date: Wed, 20 Nov 2013 16:53:59 -0800
Subject: [PATCH] Refactoring account_type for Domain_Admin and Normal_User
 types

---
 api/src/com/cloud/user/AccountService.java    |  4 ++++
 .../acl/dao/AclGroupAccountMapDao.java        |  4 ++++
 .../acl/dao/AclGroupAccountMapDaoImpl.java    | 17 +++++++++++++-
 .../management/MockAccountManager.java        | 12 ++++++++++
 server/src/com/cloud/acl/DomainChecker.java   | 16 ++++++++-----
 .../src/com/cloud/api/ApiResponseHelper.java  |  4 ++--
 .../com/cloud/api/query/QueryManagerImpl.java | 20 ++++++++--------
 .../com/cloud/network/NetworkServiceImpl.java |  4 ++--
 .../cloud/projects/ProjectManagerImpl.java    |  6 ++---
 .../ResourceLimitManagerImpl.java             |  2 +-
 .../cloud/server/ManagementServerImpl.java    |  2 +-
 .../cloud/servlet/ConsoleProxyServlet.java    |  3 ++-
 .../cloud/tags/TaggedResourceManagerImpl.java |  2 +-
 .../src/com/cloud/usage/UsageServiceImpl.java |  2 +-
 .../com/cloud/user/AccountManagerImpl.java    | 23 ++++++++++++++++++-
 .../src/com/cloud/vm/UserVmManagerImpl.java   |  2 +-
 .../cloud/user/MockAccountManagerImpl.java    | 12 ++++++++++
 17 files changed, 104 insertions(+), 31 deletions(-)

diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java
index 89bbbd8285e..6773b248bf5 100755
--- a/api/src/com/cloud/user/AccountService.java
+++ b/api/src/com/cloud/user/AccountService.java
@@ -89,6 +89,10 @@ public interface AccountService {
 
     boolean isRootAdmin(long accountId);
 
+    boolean isDomainAdmin(long accountId);
+
+    boolean isNormalUser(long accountId);
+
     User getActiveUserByRegistrationToken(String registrationToken);
 
     void markUserRegistered(long userId);
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDao.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDao.java
index 344a8609569..eb3e0c68a95 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDao.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDao.java
@@ -33,4 +33,8 @@ public interface AclGroupAccountMapDao extends GenericDao<AclGroupAccountMapVO,
     AclGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId);
 
     void removeAccountFromGroups(long accountId);
+
+    AclGroupAccountMapVO findAccountInDomainAdminGroup(long accountId);
+
+    AclGroupAccountMapVO findAccountInUserGroup(long accountId);
 }
diff --git a/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDaoImpl.java b/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDaoImpl.java
index 989dd6a6bbe..bae8578dba5 100644
--- a/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDaoImpl.java
+++ b/engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDaoImpl.java
@@ -82,6 +82,22 @@ public class AclGroupAccountMapDaoImpl extends GenericDaoBase<AclGroupAccountMap
         return findOneBy(sc);
     }
 
+    @Override
+    public AclGroupAccountMapVO findAccountInDomainAdminGroup(long accountId) {
+        SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
+        sc.setParameters("accountId", accountId);
+        sc.setParameters("groupId", 3);
+        return findOneBy(sc);
+    }
+
+    @Override
+    public AclGroupAccountMapVO findAccountInUserGroup(long accountId) {
+        SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
+        sc.setParameters("accountId", accountId);
+        sc.setParameters("groupId", 1);
+        return findOneBy(sc);
+    }
+
     @Override
     public AclGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId) {
         SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
@@ -100,5 +116,4 @@ public class AclGroupAccountMapDaoImpl extends GenericDaoBase<AclGroupAccountMap
             s_logger.debug("Removed account id=" + accountId + " from " + rowsRemoved + " groups");
         }
     }
-
 }
diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
index 4afc0437c1c..1b018f9a8d4 100644
--- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
+++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
@@ -385,6 +385,18 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
         // TODO Auto-generated method stub
 
     }
+
+    @Override
+    public boolean isDomainAdmin(long accountId) {
+        // TODO Auto-generated method stub
+        return false;
+    }
+
+    @Override
+    public boolean isNormalUser(long accountId) {
+        // TODO Auto-generated method stub
+        return false;
+    }
     
 
 }
diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java
index a65e77b5be5..4df968ef74f 100755
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@@ -72,7 +72,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
         }
         long domainId = domain.getId();
         
-        if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+        if (_accountService.isNormalUser(caller.getId())) {
             if (caller.getDomainId() != domainId) {
                 throw new PermissionDeniedException(caller + " does not have permission to operate within domain id=" + domain.getId());
             }
@@ -132,7 +132,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
         } else if (entity instanceof AffinityGroup) {
             return false;
         } else {
-            if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+            if (_accountService.isNormalUser(caller.getId())) {
                 Account account = _accountDao.findById(entity.getAccountId());
                 
                 if (account != null && account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
@@ -172,7 +172,9 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 			}		
 			//if account is normal user or domain admin
 			//check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for disk offering)
-            else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+            else if (_accountService.isNormalUser(account.getId())
+                    || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN
+                    || _accountService.isDomainAdmin(account.getId())) {
                 if (account.getDomainId() == dof.getDomainId()) {
 					return true; //disk offering and account at exact node
                 } else {
@@ -208,7 +210,9 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 			}		
 			//if account is normal user or domain admin
 			//check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for service offering)
-            else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+            else if (_accountService.isNormalUser(account.getId())
+                    || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN
+                    || _accountService.isDomainAdmin(account.getId())) {
                 if (account.getDomainId() == so.getDomainId()) {
 					return true; //service offering and account at exact node
                 } else {
@@ -244,7 +248,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 			}		
 			//if account is normal user
 			//check if account's domain is a child of zone's domain
-            else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+            else if (_accountService.isNormalUser(account.getId()) || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
                 // if zone is dedicated to an account check that the accountId
                 // matches.
                 DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(zone.getId());
@@ -280,7 +284,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 			}
 			//if account is domain admin
 			//check if the account's domain is either child of zone's domain, or if zone's domain is child of account's domain
-            else if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+            else if (_accountService.isDomainAdmin(account.getId())) {
                 if (account.getDomainId() == zone.getDomainId()) {
 					return true; //zone and account at exact node
                 } else {
diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java
index fd20f2b928d..68514733903 100755
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@@ -1941,12 +1941,12 @@ public class ApiResponseHelper implements ResponseGenerator {
         Account jobOwner = _accountMgr.getAccount(userJobOwner.getAccountId());
 
         //check permissions
-        if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+        if (_accountMgr.isNormalUser(caller.getId())) {
             //regular user can see only jobs he owns
             if (caller.getId() != jobOwner.getId()) {
                 throw new PermissionDeniedException("Account " + caller + " is not authorized to see job id=" + job.getId());
             }
-        } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+        } else if (_accountMgr.isDomainAdmin(caller.getId())) {
             _accountMgr.checkAccess(caller, null, true, jobOwner);
         }
 
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 367f4181f4d..882e4066a17 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -1297,9 +1297,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             accountId = caller.getId();
         }
 
-        if (domainId == null && accountId == null && (caller.getType() == Account.ACCOUNT_TYPE_NORMAL || !listAll)) {
+        if (domainId == null && accountId == null && (_accountMgr.isNormalUser(caller.getId()) || !listAll)) {
             accountId = caller.getId();
-        } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || (isRecursive && !listAll)) {
+        } else if (_accountMgr.isDomainAdmin(caller.getId()) || (isRecursive && !listAll)) {
             DomainVO domain = _domainDao.findById(caller.getDomainId());
             path = domain.getPath();
         }
@@ -2290,7 +2290,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
         List<Long> domainIds = null;
         // For non-root users, only return all offerings for the user's domain,
         // and everything above till root
-        if ((account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
+        if ((_accountMgr.isNormalUser(account.getId()) || _accountMgr.isDomainAdmin(account.getId()))
                 || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
             // find all domain Id up to root domain for this account
             domainIds = new ArrayList<Long>();
@@ -2436,7 +2436,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
         }
 
         // boolean includePublicOfferings = false;
-        if ((caller.getType() == Account.ACCOUNT_TYPE_NORMAL || caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
+        if ((_accountMgr.isNormalUser(caller.getId()) || _accountMgr.isDomainAdmin(caller.getId()))
                 || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
             // For non-root users.
             if (isSystem) {
@@ -2570,7 +2570,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
                 // only list zones associated // with this domain, private zone
                 sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
 
-                if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+                if (_accountMgr.isNormalUser(account.getId())) {
                     // accountId == null (zones dedicated to a domain) or
                     // accountId = caller
                     SearchCriteria<DataCenterJoinVO> sdc = _dcJoinDao.createSearchCriteria();
@@ -2580,7 +2580,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
                     sc.addAnd("accountId", SearchCriteria.Op.SC, sdc);
                 }
 
-            } else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+            } else if (_accountMgr.isNormalUser(account.getId())) {
                 // it was decided to return all zones for the user's domain, and
                 // everything above till root
                 // list all zones belonging to this domain, and all of its
@@ -2627,7 +2627,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
                             dedicatedZoneIds.toArray(new Object[dedicatedZoneIds.size()]));
                 }
 
-            } else if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN
+            } else if (_accountMgr.isDomainAdmin(account.getId())
                     || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
                 // it was decided to return all zones for the domain admin, and
                 // everything above till root, as well as zones till the domain
@@ -2765,7 +2765,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
 
         boolean listAll = false;
         if (templateFilter != null && templateFilter == TemplateFilter.all) {
-            if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+            if (_accountMgr.isNormalUser(caller.getId())) {
                 throw new InvalidParameterValueException("Filter " + TemplateFilter.all
                         + " can be specified by admin only");
             }
@@ -2869,7 +2869,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
 
             // add criteria for domain path in case of domain admin
             if ((templateFilter == TemplateFilter.self || templateFilter == TemplateFilter.selfexecutable)
-                    && (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)) {
+                    && (_accountMgr.isDomainAdmin(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)) {
                 sc.addAnd("domainPath", SearchCriteria.Op.LIKE, domain.getPath() + "%");
             }
 
@@ -3062,7 +3062,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
 
         boolean listAll = false;
         if (isoFilter != null && isoFilter == TemplateFilter.all) {
-            if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+            if (_accountMgr.isNormalUser(caller.getId())) {
                 throw new InvalidParameterValueException("Filter " + TemplateFilter.all
                         + " can be specified by admin only");
             }
diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java
index 690365f3aaa..14ed6e2792e 100755
--- a/server/src/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/com/cloud/network/NetworkServiceImpl.java
@@ -1198,7 +1198,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
         }
 
         // Regular user can create Guest Isolated Source Nat enabled network only
-        if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL
+        if (_accountMgr.isNormalUser(caller.getId())
                 && (ntwkOff.getTrafficType() != TrafficType.Guest || ntwkOff.getGuestType() != Network.GuestType.Isolated
                         && areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat))) {
             throw new InvalidParameterValueException("Regular user can create a network only from the network" +
@@ -1407,7 +1407,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
 
         // 1) default is system to false if not specified
         // 2) reset parameter to false if it's specified by the regular user
-        if ((isSystem == null || caller.getType() == Account.ACCOUNT_TYPE_NORMAL) && id == null) {
+        if ((isSystem == null || _accountMgr.isNormalUser(caller.getId())) && id == null) {
             isSystem = false;
         }
 
diff --git a/server/src/com/cloud/projects/ProjectManagerImpl.java b/server/src/com/cloud/projects/ProjectManagerImpl.java
index b97f1e8c610..d16aba2d41c 100755
--- a/server/src/com/cloud/projects/ProjectManagerImpl.java
+++ b/server/src/com/cloud/projects/ProjectManagerImpl.java
@@ -184,7 +184,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
         Account owner = caller;
 
         //check if the user authorized to create the project
-        if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL && !_allowUserToCreateProject) {
+        if (_accountMgr.isNormalUser(caller.getId()) && !_allowUserToCreateProject) {
             throw new PermissionDeniedException("Regular user is not permitted to create a project");
         }
 
@@ -432,7 +432,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
         //ROOT admin always can access the project
         if (_accountMgr.isRootAdmin(caller.getId())) {
             return true;
-        } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+        } else if (_accountMgr.isDomainAdmin(caller.getId())) {
             Account owner = _accountMgr.getAccount(accountId);
             _accountMgr.checkAccess(caller, _domainDao.findById(owner.getDomainId()));
             return true;
@@ -446,7 +446,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
         //ROOT admin always can access the project
         if (_accountMgr.isRootAdmin(caller.getId())) {
             return true;
-        } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
+        } else if (_accountMgr.isDomainAdmin(caller.getId())) {
             Account owner = _accountMgr.getAccount(accountId);
             _accountMgr.checkAccess(caller, _domainDao.findById(owner.getDomainId()));
             return true;
diff --git a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
index 55097ce6068..1ce76a9311e 100755
--- a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
+++ b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
@@ -614,7 +614,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
             }
 
             if ((caller.getAccountId() == accountId.longValue()) &&
-                (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN ||
+                (_accountMgr.isDomainAdmin(caller.getId()) ||
                 caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)) {
                 // If the admin is trying to update his own account, disallow.
                 throw new PermissionDeniedException("Unable to update resource limit for his own account " + accountId + ", permission denied");
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index 5af088d1eee..6dfcdf99741 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -896,7 +896,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         boolean result =true;
         List<Long> permittedAccountIds = new ArrayList<Long>();
 
-        if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL || caller.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+        if (_accountService.isNormalUser(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_PROJECT) {
             permittedAccountIds.add(caller.getId());
         } else {
             DomainVO domain = _domainDao.findById(caller.getDomainId());
diff --git a/server/src/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
index b7f4b40d742..463f4a5eb26 100644
--- a/server/src/com/cloud/servlet/ConsoleProxyServlet.java
+++ b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
@@ -480,7 +480,8 @@ public class ConsoleProxyServlet extends HttpServlet {
                         s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId()
                                 + " does not match the account id in session " + accountObj.getId() + " and caller is a normal user");
                     }
-                } else if(accountObj.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || accountObj.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) {
+                } else if (_accountMgr.isDomainAdmin(accountObj.getId())
+                        || accountObj.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) {
                     if(s_logger.isDebugEnabled()) {
                         s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId()
                                 + " does not match the account id in session " + accountObj.getId() + " and the domain-admin caller does not manage the target domain");
diff --git a/server/src/com/cloud/tags/TaggedResourceManagerImpl.java b/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
index d8d26891d86..83e108de6b0 100644
--- a/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
+++ b/server/src/com/cloud/tags/TaggedResourceManagerImpl.java
@@ -279,7 +279,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
                         Long accountId = accountDomainPair.first();
                         if (accountId != null) {
                             _accountMgr.checkAccess(caller, null, false, _accountMgr.getAccount(accountId));
-                        } else if (domainId != null && caller.getType() != Account.ACCOUNT_TYPE_NORMAL) {
+                        } else if (domainId != null && !_accountMgr.isNormalUser(caller.getId())) {
                             //check permissions;
                             _accountMgr.checkAccess(caller, _domainMgr.getDomain(domainId));
                         } else {
diff --git a/server/src/com/cloud/usage/UsageServiceImpl.java b/server/src/com/cloud/usage/UsageServiceImpl.java
index d22319b45ea..226f7215742 100755
--- a/server/src/com/cloud/usage/UsageServiceImpl.java
+++ b/server/src/com/cloud/usage/UsageServiceImpl.java
@@ -164,7 +164,7 @@ public class UsageServiceImpl extends ManagerBase implements UsageService, Manag
             //If account_id or account_name is explicitly mentioned, list records for the specified account only even if the caller is of type admin
             if (_accountService.isRootAdmin(caller.getId())) {
                 isAdmin = true;
-            } else if(caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN){
+            } else if (_accountService.isDomainAdmin(caller.getId())) {
                 isDomainAdmin = true;
             }
             s_logger.debug("Account details not available. Using userContext accountId: " + accountId);
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index d8f2ae64c6f..6a5b29c62d7 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -375,6 +375,26 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         return false;
     }
 
+    @Override
+    public boolean isDomainAdmin(long accountId) {
+        // refer to account_group_map and check if account is in Domain 'Admin' group
+        AclGroupAccountMapVO domainAdminGroupMember = _aclGroupAccountDao.findAccountInDomainAdminGroup(accountId);
+        if (domainAdminGroupMember != null) {
+            return true;
+        }
+        return false;
+    }
+
+    @Override
+    public boolean isNormalUser(long accountId) {
+        // refer to account_group_map and check if account is in 'User' group
+        AclGroupAccountMapVO user = _aclGroupAccountDao.findAccountInUserGroup(accountId);
+        if (user != null) {
+            return true;
+        }
+        return false;
+    }
+
     public boolean isResourceDomainAdmin(short accountType) {
         return (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN);
     }
@@ -2352,7 +2372,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
         if (projectId != null) {
             if (!forProjectInvitation) {
                 if (projectId.longValue() == -1) {
-                    if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+                    if (isNormalUser(caller.getId())) {
                         permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
                     } else {
                         domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
@@ -2516,4 +2536,5 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     public UserAccount getUserByApiKey(String apiKey) {
         return _userAccountDao.getUserByApiKey(apiKey);
     }
+
 }
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index 224c30e81ff..d7d4e70fe27 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -4203,7 +4203,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
         // VV 1: verify the two users
         Account caller = CallContext.current().getCallingAccount();
         if (!_accountMgr.isRootAdmin(caller.getId())
-                && caller.getType() != Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { // only
+                && !_accountMgr.isDomainAdmin(caller.getId())) { // only
             // root
             // admin
             // can
diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java
index 756abee8856..085670c7f42 100644
--- a/server/test/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@@ -350,4 +350,16 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
         return null;
     }
 
+    @Override
+    public boolean isDomainAdmin(long accountId) {
+        // TODO Auto-generated method stub
+        return false;
+    }
+
+    @Override
+    public boolean isNormalUser(long accountId) {
+        // TODO Auto-generated method stub
+        return false;
+    }
+
 }