Account_Type Refactoring for Root Admin Role

- change the AccountService::isRootAdmin(short) to isRootAdmin(long accountId); - Change all callers - Change all places that check the account.getType() directly to call the AccountManagerImpl.
2025-10-26 08:42:29 +01:00 · 2013-09-24 15:30:31 -07:00 · 2013-09-24 15:30:31 -07:00 · aba54356d5
commit aba54356d5
parent ddae23c168
50 changed files with 150 additions and 162 deletions
--- a/api/src/com/cloud/user/Account.java
+++ b/api/src/com/cloud/user/Account.java
@ -24,13 +24,6 @@ import org.apache.cloudstack.api.InternalIdentity;
 public interface Account extends ControlledEntity, InternalIdentity, Identity {
    public enum Type {
        Normal,
        Admin,
        DomainAdmin,
        CustomerCare,
        Project
    }
    public enum State {
        disabled,
--- a/api/src/com/cloud/user/AccountService.java
+++ b/api/src/com/cloud/user/AccountService.java
@ -86,7 +86,7 @@ public interface AccountService {
    User getUserIncludingRemoved(long userId);
-    boolean isRootAdmin(short accountType);
+    boolean isRootAdmin(long accountId);
    User getActiveUserByRegistrationToken(String registrationToken);
--- a/api/src/com/cloud/user/ResourceLimitService.java
+++ b/api/src/com/cloud/user/ResourceLimitService.java
@ -88,7 +88,7 @@ public interface ResourceLimitService {
     * @param type
     * @return
     */
-    public long findCorrectResourceLimitForAccount(short accountType, Long limit, ResourceType type);
+    public long findCorrectResourceLimitForAccount(long accountId, Long limit, ResourceType type);
    /**
     * Finds the resource limit for a specified domain and type. If the domain has an infinite limit, will check
--- a/api/src/org/apache/cloudstack/api/BaseCmd.java
+++ b/api/src/org/apache/cloudstack/api/BaseCmd.java
@ -473,16 +473,6 @@ public abstract class BaseCmd {
        return 0;
    }
    public static boolean isAdmin(short accountType) {
        return ((accountType == Account.ACCOUNT_TYPE_ADMIN) ||
                (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) ||
                (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
    }
    public static boolean isRootAdmin(short accountType) {
        return ((accountType == Account.ACCOUNT_TYPE_ADMIN));
    }
    public void setFullUrlParams(Map<String, String> map) {
        this.fullUrlParams = map;
    }
--- a/api/src/org/apache/cloudstack/api/BaseListTemplateOrIsoPermissionsCmd.java
+++ b/api/src/org/apache/cloudstack/api/BaseListTemplateOrIsoPermissionsCmd.java
@ -81,7 +81,7 @@ public class BaseListTemplateOrIsoPermissionsCmd extends BaseCmd {
        List<String> accountNames = _templateService.listTemplatePermissions(this);
        Account account = CallContext.current().getCallingAccount();
-        boolean isAdmin = (isAdmin(account.getType()));
+        boolean isAdmin = (_accountService.isAdmin(account.getType()));
        TemplatePermissionsResponse response = _responseGenerator.createTemplatePermissionsResponse(accountNames, id, isAdmin);
        response.setResponseName(getCommandName());
--- a/api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java
@ -121,7 +121,7 @@ public class CreateUserCmd extends BaseCmd {
    @Override
    public long getEntityOwnerId() {
        Account account = CallContext.current().getCallingAccount();
-        if ((account == null) || isAdmin(account.getType())) {
+        if ((account == null) || _accountService.isAdmin(account.getType())) {
            if ((domainId != null) && (accountName != null)) {
                Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
                if (userAccount != null) {
--- a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java
@ -96,7 +96,7 @@ public class CreateAffinityGroupCmd extends BaseAsyncCreateCmd {
    @Override
    public long getEntityOwnerId() {
        Account account = CallContext.current().getCallingAccount();
-        if ((account == null) || isAdmin(account.getType())) {
+        if ((account == null) || _accountService.isAdmin(account.getType())) {
            if ((domainId != null) && (accountName != null)) {
                Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
                if (userAccount != null) {
--- a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java
@ -102,7 +102,7 @@ public class DeleteAffinityGroupCmd extends BaseAsyncCmd {
    @Override
    public long getEntityOwnerId() {
        Account account = CallContext.current().getCallingAccount();
-        if ((account == null) || isAdmin(account.getType())) {
+        if ((account == null) || _accountService.isAdmin(account.getType())) {
            if ((domainId != null) && (accountName != null)) {
                Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
                if (userAccount != null) {
--- a/api/src/org/apache/cloudstack/api/command/user/iso/ListIsosCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/iso/ListIsosCmd.java
@ -16,10 +16,6 @@
 // under the License.
 package org.apache.cloudstack.api.command.user.iso;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
 import org.apache.cloudstack.api.ApiConstants;
@ -34,7 +30,6 @@ import org.apache.log4j.Logger;
 import com.cloud.template.VirtualMachineTemplate.TemplateFilter;
 import com.cloud.user.Account;
 import com.cloud.utils.Pair;
@APICommand(name = "listIsos", description="Lists all available ISO files.", responseObject=TemplateResponse.class)
 public class ListIsosCmd extends BaseListTaggedResourcesCmd {
@ -119,7 +114,8 @@ public class ListIsosCmd extends BaseListTaggedResourcesCmd {
    public boolean listInReadyState() {
        Account account = CallContext.current().getCallingAccount();
        // It is account specific if account is admin type and domainId and accountName are not null
-        boolean isAccountSpecific = (account == null || isAdmin(account.getType())) && (getAccountName() != null) && (getDomainId() != null);
+        boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getType()))
                && (getAccountName() != null) && (getDomainId() != null);
        // Show only those that are downloaded.
        TemplateFilter templateFilter = TemplateFilter.valueOf(getIsoFilter());
        boolean onlyReady = (templateFilter == TemplateFilter.featured) || (templateFilter == TemplateFilter.selfexecutable) || (templateFilter == TemplateFilter.sharedexecutable)
--- a/api/src/org/apache/cloudstack/api/command/user/resource/UpdateResourceCountCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/resource/UpdateResourceCountCmd.java
@ -101,7 +101,7 @@ public class UpdateResourceCountCmd extends BaseCmd {
    @Override
    public long getEntityOwnerId() {
        Account account = CallContext.current().getCallingAccount();
-        if ((account == null) || isAdmin(account.getType())) {
+        if ((account == null) || _accountService.isAdmin(account.getType())) {
            if ((domainId != null) && (accountName != null)) {
                Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
                if (userAccount != null) {
--- a/api/src/org/apache/cloudstack/api/command/user/securitygroup/CreateSecurityGroupCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/securitygroup/CreateSecurityGroupCmd.java
@ -93,7 +93,7 @@ public class CreateSecurityGroupCmd extends BaseCmd {
    @Override
    public long getEntityOwnerId() {
        Account account = CallContext.current().getCallingAccount();
-        if ((account == null) || isAdmin(account.getType())) {
+        if ((account == null) || _accountService.isAdmin(account.getType())) {
            if ((domainId != null) && (accountName != null)) {
                Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
                if (userAccount != null) {
--- a/api/src/org/apache/cloudstack/api/command/user/ssh/DeleteSSHKeyPairCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/ssh/DeleteSSHKeyPairCmd.java
@ -92,7 +92,7 @@ public class DeleteSSHKeyPairCmd extends BaseCmd {
    @Override
    public long getEntityOwnerId() {
        Account account = CallContext.current().getCallingAccount();
-        if ((account == null) || isAdmin(account.getType())) {
+        if ((account == null) || _accountService.isAdmin(account.getType())) {
            if ((domainId != null) && (accountName != null)) {
                Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
                if (userAccount != null) {
--- a/api/src/org/apache/cloudstack/api/command/user/template/ListTemplatesCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/user/template/ListTemplatesCmd.java
@ -16,10 +16,6 @@
 // under the License.
 package org.apache.cloudstack.api.command.user.template;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiCommandJobType;
 import org.apache.cloudstack.api.ApiConstants;
@ -27,7 +23,6 @@ import org.apache.cloudstack.api.BaseListTaggedResourcesCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.response.ListResponse;
 import org.apache.cloudstack.api.response.TemplateResponse;
 import org.apache.cloudstack.api.response.VolumeResponse;
 import org.apache.cloudstack.api.response.ZoneResponse;
 import org.apache.cloudstack.context.CallContext;
@ -35,7 +30,6 @@ import org.apache.log4j.Logger;
 import com.cloud.template.VirtualMachineTemplate.TemplateFilter;
 import com.cloud.user.Account;
 import com.cloud.utils.Pair;
@APICommand(name = "listTemplates", description="List all public, private, and privileged templates.", responseObject=TemplateResponse.class)
 public class ListTemplatesCmd extends BaseListTaggedResourcesCmd {
@ -98,7 +92,8 @@ public class ListTemplatesCmd extends BaseListTaggedResourcesCmd {
        Account account = CallContext.current().getCallingAccount();
        // It is account specific if account is admin type and domainId and accountName are not null
-        boolean isAccountSpecific = (account == null || isAdmin(account.getType())) && (getAccountName() != null) && (getDomainId() != null);
+        boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getType()))
                && (getAccountName() != null) && (getDomainId() != null);
        // Show only those that are downloaded.
        TemplateFilter templateFilter = TemplateFilter.valueOf(getTemplateFilter());
        boolean onlyReady = (templateFilter == TemplateFilter.featured) || (templateFilter == TemplateFilter.selfexecutable) || (templateFilter == TemplateFilter.sharedexecutable)
--- a/plugins/api/rate-limit/src/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java
+++ b/plugins/api/rate-limit/src/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java
@ -156,7 +156,7 @@ public class ApiRateLimitServiceImpl extends AdapterBase implements APIChecker,
        }
        Long accountId = user.getAccountId();
        Account account = _accountService.getAccount(accountId);
-        if ( _accountService.isRootAdmin(account.getType())){
+        if (_accountService.isRootAdmin(account.getId())) {
            // no API throttling on root admin
            return true;
        }
--- a/plugins/api/rate-limit/test/org/apache/cloudstack/ratelimit/ApiRateLimitTest.java
+++ b/plugins/api/rate-limit/test/org/apache/cloudstack/ratelimit/ApiRateLimitTest.java
@ -70,7 +70,7 @@ public class ApiRateLimitTest {
 	    testAccount = acct;
 	    when(_accountService.getAccount(5L)).thenReturn(testAccount);
-	    when(_accountService.isRootAdmin(Account.ACCOUNT_TYPE_NORMAL)).thenReturn(false);
+        when(_accountService.isRootAdmin(5L)).thenReturn(false);
 	}
    @Before
--- a/server/src/com/cloud/acl/AffinityGroupAccessChecker.java
+++ b/server/src/com/cloud/acl/AffinityGroupAccessChecker.java
@ -51,7 +51,7 @@ public class AffinityGroupAccessChecker extends DomainChecker {
            if (_affinityGroupService.isAdminControlledGroup(group)) {
                if (accessType != null && accessType == AccessType.ModifyEntry
-                        && !_accountMgr.isRootAdmin(caller.getType())) {
+                        && !_accountMgr.isRootAdmin(caller.getId())) {
                    throw new PermissionDeniedException(caller + " does not have permission to operate with resource "
                            + entity);
                }
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@ -41,6 +41,7 @@ import com.cloud.storage.LaunchPermissionVO;
 import com.cloud.storage.dao.LaunchPermissionDao;
 import com.cloud.template.VirtualMachineTemplate;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.user.User;
 import com.cloud.user.dao.AccountDao;
 import com.cloud.utils.component.AdapterBase;
@ -57,6 +58,8 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
    @Inject NetworkModel _networkMgr;
    @Inject
    private DedicatedResourceDao _dedicatedDao;
    @Inject
    AccountService _accountService;
    protected DomainChecker() {
        super();
@ -97,7 +100,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
            Account owner = _accountDao.findById(template.getAccountId());
            // validate that the template is usable by the account
            if (!template.isPublicTemplate()) {
-                if (BaseCmd.isRootAdmin(caller.getType()) || (owner.getId() == caller.getId())) {
+                if (_accountService.isRootAdmin(caller.getId()) || (owner.getId() == caller.getId())) {
                    return true;
                }
                //special handling for the project case
@ -114,7 +117,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
            } else {
                // Domain admin and regular user can delete/modify only templates created by them
                if (accessType != null && accessType == AccessType.ModifyEntry) {
-                    if (!BaseCmd.isRootAdmin(caller.getType()) && owner.getId() != caller.getId()) {
+                    if (!_accountService.isRootAdmin(caller.getId()) && owner.getId() != caller.getId()) {
                        // For projects check if the caller account can access the project account
                        if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT || !(_projectMgr.canAccessProjectAccount(caller, owner.getId()))) {
                            throw new PermissionDeniedException("Domain Admin and regular users can modify only their own Public templates");
@ -164,7 +167,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 			return true;
        } else {
 			//admin has all permissions
-            if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+            if (_accountService.isRootAdmin(account.getId())) {
 				return true;
 			}		
 			//if account is normal user or domain admin
@ -200,7 +203,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 			return true;
        } else {
 			//admin has all permissions
-            if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+            if (_accountService.isRootAdmin(account.getId())) {
 				return true;
 			}		
 			//if account is normal user or domain admin
@ -236,7 +239,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 			return true;
        } else {
 			//admin has all permissions
-            if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+            if (_accountService.isRootAdmin(account.getId())) {
 				return true;
 			}		
 			//if account is normal user
--- a/server/src/com/cloud/api/ApiDBUtils.java
+++ b/server/src/com/cloud/api/ApiDBUtils.java
@ -696,8 +696,8 @@ public class ApiDBUtils {
        return _resourceLimitMgr.findCorrectResourceLimitForAccount(account, type);
    }
-    public static long findCorrectResourceLimit(Long limit, short accountType, ResourceType type) {
+    public static long findCorrectResourceLimit(Long limit, long accountId, ResourceType type) {
-        return _resourceLimitMgr.findCorrectResourceLimitForAccount(accountType, limit, type);
+        return _resourceLimitMgr.findCorrectResourceLimitForAccount(accountId, limit, type);
    }
    public static long getResourceCount(ResourceType type, long accountId) {
--- a/server/src/com/cloud/api/ApiResponseHelper.java
+++ b/server/src/com/cloud/api/ApiResponseHelper.java
@ -681,7 +681,7 @@ public class ApiResponseHelper implements ResponseGenerator {
        // show this info to admin only
        Account account = CallContext.current().getCallingAccount();
-        if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+        if (_accountMgr.isRootAdmin(account.getId())) {
            VlanVO vl = ApiDBUtils.findVlanById(ipAddr.getVlanId());
            if (vl != null) {
                ipResponse.setVlanId(vl.getUuid());
@ -2176,7 +2176,8 @@ public class ApiResponseHelper implements ResponseGenerator {
        response.setReservedIpRange(reservation);
        // return vlan information only to Root admin
-        if (network.getBroadcastUri() != null && CallContext.current().getCallingAccount().getType() == Account.ACCOUNT_TYPE_ADMIN) {
+        if (network.getBroadcastUri() != null
                && _accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) {
            String broadcastUri = network.getBroadcastUri().toString();
            response.setBroadcastUri(broadcastUri);
            String vlan = "N/A";
--- a/server/src/com/cloud/api/ApiServer.java
+++ b/server/src/com/cloud/api/ApiServer.java
@ -409,7 +409,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
        } catch (InsufficientCapacityException ex){
            s_logger.info(ex.getMessage());
            String errorMsg = ex.getMessage();
-            if (CallContext.current().getCallingAccount().getType() != Account.ACCOUNT_TYPE_ADMIN){
+            if (!_accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) {
                // hide internal details to non-admin user for security reason
                errorMsg = BaseCmd.USER_ERROR_MESSAGE;
            }
@ -420,7 +420,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
        } catch (ResourceUnavailableException ex){
            s_logger.info(ex.getMessage());
            String errorMsg = ex.getMessage();
-            if (CallContext.current().getCallingAccount().getType() != Account.ACCOUNT_TYPE_ADMIN){
+            if (!_accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) {
                // hide internal details to non-admin user for security reason
                errorMsg = BaseCmd.USER_ERROR_MESSAGE;
            }
@ -431,7 +431,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
        } catch (Exception ex){
            s_logger.error("unhandled exception executing api command: " + ((command == null) ? "null" : command[0]), ex);
            String errorMsg = ex.getMessage();
-            if (CallContext.current().getCallingAccount().getType() != Account.ACCOUNT_TYPE_ADMIN){
+            if (!_accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) {
                // hide internal details to non-admin user for security reason
                errorMsg = BaseCmd.USER_ERROR_MESSAGE;
            }
@ -565,7 +565,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
            List<? extends AsyncJob> jobs = null;
            // list all jobs for ROOT admin
-            if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+            if (_accountMgr.isRootAdmin(account.getId())) {
                jobs = _asyncMgr.findInstancePendingAsyncJobs(command.getInstanceType().toString(), null);
            } else {
                jobs = _asyncMgr.findInstancePendingAsyncJobs(command.getInstanceType().toString(), account.getId());
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@ -2234,7 +2234,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
        // if a domainId is provided, we just return the disk offering
        // associated with this domain
        if (domainId != null) {
-            if (account.getType() == Account.ACCOUNT_TYPE_ADMIN || isPermissible(account.getDomainId(), domainId)) {
+            if (_accountMgr.isRootAdmin(account.getId()) || isPermissible(account.getDomainId(), domainId)) {
                // check if the user's domain == do's domain || user's domain is
                // a child of so's domain for non-root users
                sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
@ -2355,14 +2355,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
        Boolean isSystem = cmd.getIsSystem();
        String vmTypeStr = cmd.getSystemVmType();
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN && isSystem) {
+        if (!_accountMgr.isRootAdmin(caller.getId()) && isSystem) {
            throw new InvalidParameterValueException("Only ROOT admins can access system's offering");
        }
        // Keeping this logic consistent with domain specific zones
        // if a domainId is provided, we just return the so associated with this
        // domain
-        if (domainId != null && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+        if (domainId != null && !_accountMgr.isRootAdmin(caller.getId())) {
            // check if the user's domain == so's domain || user's domain is a
            // child of so's domain
            if (!isPermissible(caller.getDomainId(), domainId)) {
@ -2761,7 +2761,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
            }
            // if template is not public, perform permission check here
-            if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+            if (!template.isPublicTemplate() && !_accountMgr.isRootAdmin(caller.getId())) {
                Account owner = _accountMgr.getAccount(template.getAccountId());
                _accountMgr.checkAccess(caller, null, true, owner);
            }
--- a/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java
@ -19,6 +19,7 @@ package com.cloud.api.query.dao;
 import java.util.List;
 import javax.ejb.Local;
 import javax.inject.Inject;
 import org.apache.cloudstack.api.response.AccountResponse;
 import org.apache.cloudstack.api.response.ResourceLimitAndCountResponse;
@ -32,6 +33,7 @@ import com.cloud.api.query.vo.AccountJoinVO;
 import com.cloud.api.query.vo.UserAccountJoinVO;
 import com.cloud.configuration.Resource.ResourceType;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.utils.db.GenericDaoBase;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
@ -42,6 +44,8 @@ public class AccountJoinDaoImpl extends GenericDaoBase<AccountJoinVO, Long> impl
    public static final Logger s_logger = Logger.getLogger(AccountJoinDaoImpl.class);
    private SearchBuilder<AccountJoinVO> acctIdSearch;
    @Inject
    public AccountManager _accountMgr;
    protected AccountJoinDaoImpl() {
@ -69,11 +73,11 @@ public class AccountJoinDaoImpl extends GenericDaoBase<AccountJoinVO, Long> impl
        accountResponse.setBytesReceived(account.getBytesReceived());
        accountResponse.setBytesSent(account.getBytesSent());
-        boolean accountIsAdmin = (account.getType() == Account.ACCOUNT_TYPE_ADMIN);
+        boolean accountIsAdmin = (_accountMgr.isRootAdmin(account.getId()));
        setResourceLimits(account, accountIsAdmin, accountResponse);
        //get resource limits for projects
-        long projectLimit = ApiDBUtils.findCorrectResourceLimit(account.getProjectLimit(), account.getType(), ResourceType.project);
+        long projectLimit = ApiDBUtils.findCorrectResourceLimit(account.getProjectLimit(), account.getId(), ResourceType.project);
        String projectLimitDisplay = (accountIsAdmin || projectLimit == -1) ? "Unlimited" : String.valueOf(projectLimit);
        long projectTotal = (account.getProjectTotal() == null) ? 0 : account.getProjectTotal();
        String projectAvail = (accountIsAdmin || projectLimit == -1) ? "Unlimited" : String.valueOf(projectLimit - projectTotal);
@ -103,7 +107,7 @@ public class AccountJoinDaoImpl extends GenericDaoBase<AccountJoinVO, Long> impl
    @Override
    public void setResourceLimits(AccountJoinVO account, boolean accountIsAdmin, ResourceLimitAndCountResponse response) {
        // Get resource limits and counts
-        long vmLimit = ApiDBUtils.findCorrectResourceLimit(account.getVmLimit(), account.getType(), ResourceType.user_vm);
+        long vmLimit = ApiDBUtils.findCorrectResourceLimit(account.getVmLimit(), account.getId(), ResourceType.user_vm);
        String vmLimitDisplay = (accountIsAdmin || vmLimit == -1) ? "Unlimited" : String.valueOf(vmLimit);
        long vmTotal = (account.getVmTotal() == null) ? 0 : account.getVmTotal();
        String vmAvail = (accountIsAdmin || vmLimit == -1) ? "Unlimited" : String.valueOf(vmLimit - vmTotal);
--- a/server/src/com/cloud/api/query/dao/DataCenterJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/DataCenterJoinDaoImpl.java
@ -19,6 +19,7 @@ package com.cloud.api.query.dao;
 import java.util.List;
 import javax.ejb.Local;
 import javax.inject.Inject;
 import org.apache.log4j.Logger;
@ -31,6 +32,7 @@ import org.apache.cloudstack.api.response.ZoneResponse;
 import org.apache.cloudstack.context.CallContext;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.utils.db.GenericDaoBase;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
@ -44,6 +46,8 @@ public class DataCenterJoinDaoImpl extends GenericDaoBase<DataCenterJoinVO, Long
    private SearchBuilder<DataCenterJoinVO> dofIdSearch;
    @Inject
    public AccountManager _accountMgr;
    protected DataCenterJoinDaoImpl() {
@ -70,7 +74,7 @@ public class DataCenterJoinDaoImpl extends GenericDaoBase<DataCenterJoinVO, Long
            zoneResponse.setDescription(dataCenter.getDescription());
        }
-        if ((account == null) || (account.getType() == Account.ACCOUNT_TYPE_ADMIN)) {
+        if ((account == null) || (_accountMgr.isRootAdmin(account.getId()))) {
            zoneResponse.setDns1(dataCenter.getDns1());
            zoneResponse.setDns2(dataCenter.getDns2());
            zoneResponse.setIp6Dns1(dataCenter.getIp6Dns1());
--- a/server/src/com/cloud/api/query/dao/DomainRouterJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/DomainRouterJoinDaoImpl.java
@ -35,6 +35,7 @@ import com.cloud.network.Networks.TrafficType;
 import com.cloud.network.router.VirtualRouter;
 import com.cloud.network.router.VirtualRouter.Role;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.utils.db.GenericDaoBase;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
@ -46,6 +47,8 @@ public class DomainRouterJoinDaoImpl extends GenericDaoBase<DomainRouterJoinVO,
    @Inject
    private ConfigurationDao  _configDao;
    @Inject
    public AccountManager _accountMgr;
    private final SearchBuilder<DomainRouterJoinVO> vrSearch;
@ -78,7 +81,7 @@ public class DomainRouterJoinDaoImpl extends GenericDaoBase<DomainRouterJoinVO,
        routerResponse.setRedundantState(router.getRedundantState().toString());
        if (caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN
-                || caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+                || _accountMgr.isRootAdmin(caller.getId())) {
            if (router.getHostId() != null) {
                routerResponse.setHostId(router.getHostUuid());
                routerResponse.setHostName(router.getHostName());
--- a/server/src/com/cloud/api/query/dao/TemplateJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/TemplateJoinDaoImpl.java
@ -44,6 +44,7 @@ import com.cloud.storage.VMTemplateHostVO;
 import com.cloud.storage.VMTemplateStorageResourceAssoc.Status;
 import com.cloud.template.VirtualMachineTemplate;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.utils.db.GenericDaoBase;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
@ -59,6 +60,8 @@ public class TemplateJoinDaoImpl extends GenericDaoBase<TemplateJoinVO, Long> im
    @Inject
    private ConfigurationDao  _configDao;
    @Inject
    public AccountService _accountService;
    private final SearchBuilder<TemplateJoinVO> tmpltIdPairSearch;
@ -99,7 +102,7 @@ public class TemplateJoinDaoImpl extends GenericDaoBase<TemplateJoinVO, Long> im
    private String getTemplateStatus(TemplateJoinVO template){
        boolean isAdmin = false;
        Account caller = CallContext.current().getCallingAccount();
-        if ((caller == null) || BaseCmd.isAdmin(caller.getType())) {
+        if ((caller == null) || _accountService.isAdmin(caller.getType())) {
            isAdmin = true;
        }
@ -319,7 +322,7 @@ public class TemplateJoinDaoImpl extends GenericDaoBase<TemplateJoinVO, Long> im
        Account caller = CallContext.current().getCallingAccount();
        boolean isAdmin = false;
-        if ((caller == null) || BaseCmd.isAdmin(caller.getType())) {
+        if ((caller == null) || _accountService.isAdmin(caller.getType())) {
            isAdmin = true;
        }
--- a/server/src/com/cloud/api/query/dao/UserVmJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/UserVmJoinDaoImpl.java
@ -41,6 +41,7 @@ import com.cloud.api.query.vo.ResourceTagJoinVO;
 import com.cloud.api.query.vo.UserVmJoinVO;
 import com.cloud.hypervisor.Hypervisor.HypervisorType;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.uservm.UserVm;
 import com.cloud.utils.db.GenericDaoBase;
 import com.cloud.utils.db.SearchBuilder;
@ -56,7 +57,8 @@ public class UserVmJoinDaoImpl extends GenericDaoBase<UserVmJoinVO, Long> implem
    @Inject
    private ConfigurationDao  _configDao;
-
+    @Inject
    public AccountManager _accountMgr;
    private final SearchBuilder<UserVmJoinVO> VmDetailSearch;
    private final SearchBuilder<UserVmJoinVO> activeVmByIsoSearch;
@ -121,7 +123,7 @@ public class UserVmJoinDaoImpl extends GenericDaoBase<UserVmJoinVO, Long> implem
        }
        userVmResponse.setZoneId(userVm.getDataCenterUuid());
        userVmResponse.setZoneName(userVm.getDataCenterName());
-        if ((caller == null) || (caller.getType() == Account.ACCOUNT_TYPE_ADMIN)) {
+        if ((caller == null) || (_accountMgr.isRootAdmin(caller.getId()))) {
            userVmResponse.setInstanceName(userVm.getInstanceName());
            userVmResponse.setHostId(userVm.getHostUuid());
            userVmResponse.setHostName(userVm.getHostName());
--- a/server/src/com/cloud/api/query/dao/VolumeJoinDaoImpl.java
+++ b/server/src/com/cloud/api/query/dao/VolumeJoinDaoImpl.java
@ -39,6 +39,8 @@ import com.cloud.storage.VMTemplateHostVO;
 import com.cloud.storage.VMTemplateStorageResourceAssoc.Status;
 import com.cloud.storage.Volume;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.user.AccountService;
 import com.cloud.utils.db.GenericDaoBase;
 import com.cloud.utils.db.SearchBuilder;
 import com.cloud.utils.db.SearchCriteria;
@ -51,6 +53,8 @@ public class VolumeJoinDaoImpl extends GenericDaoBase<VolumeJoinVO, Long> implem
    @Inject
    private ConfigurationDao  _configDao;
    @Inject
    public AccountManager _accountMgr;
    private final SearchBuilder<VolumeJoinVO> volSearch;
@ -114,7 +118,8 @@ public class VolumeJoinDaoImpl extends GenericDaoBase<VolumeJoinVO, Long> implem
            volResponse.setSize(volume.getVolumeStoreSize());
            volResponse.setCreated(volume.getCreatedOnStore());
-            if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)
+            if (_accountMgr.isRootAdmin(caller.getId())
                    || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)
                volResponse.setHypervisor(ApiDBUtils.getHypervisorTypeFromFormat(volume.getFormat()).toString());
            if (volume.getDownloadState() != Status.DOWNLOADED) {
                String volumeStatus = "Processing";
@ -171,7 +176,7 @@ public class VolumeJoinDaoImpl extends GenericDaoBase<VolumeJoinVO, Long> implem
        }
        // return hypervisor and storage pool info for ROOT and Resource domain only
-        if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {   
+        if (_accountMgr.isRootAdmin(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
            if (volume.getState() != Volume.State.UploadOp && volume.getHypervisorType() != null) {
                volResponse.setHypervisor(volume.getHypervisorType().toString());
            }
--- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
+++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java
@ -1234,7 +1234,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
        DataCenterVO zone = _zoneDao.findById(zoneId);
        Account account = CallContext.current().getCallingAccount();
        if (Grouping.AllocationState.Disabled == zone.getAllocationState()
-                && !_accountMgr.isRootAdmin(account.getType())) {
+                && !_accountMgr.isRootAdmin(account.getId())) {
            throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
        }
@ -2565,7 +2565,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
        // Check if zone is enabled
        Account caller = CallContext.current().getCallingAccount();
        if (Grouping.AllocationState.Disabled == zone.getAllocationState()
-                && !_accountMgr.isRootAdmin(caller.getType())) {
+                && !_accountMgr.isRootAdmin(caller.getId())) {
            throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
        }
--- a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
+++ b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
@ -1220,7 +1220,7 @@ public class DeploymentPlanningManagerImpl extends ManagerBase implements Deploy
    private boolean isRootAdmin(ReservationContext reservationContext) {
        if (reservationContext != null) {
            if (reservationContext.getAccount() != null) {
-                return _accountMgr.isRootAdmin(reservationContext.getAccount().getType());
+                return _accountMgr.isRootAdmin(reservationContext.getAccount().getId());
            } else {
                return false;
            }
--- a/server/src/com/cloud/deploy/FirstFitPlanner.java
+++ b/server/src/com/cloud/deploy/FirstFitPlanner.java
@ -468,7 +468,7 @@ public class FirstFitPlanner extends PlannerBase implements DeploymentClusterPla
    private boolean isRootAdmin(ReservationContext reservationContext) {
        if(reservationContext != null){
            if(reservationContext.getAccount() != null){
-                return _accountMgr.isRootAdmin(reservationContext.getAccount().getType());
+                return _accountMgr.isRootAdmin(reservationContext.getAccount().getId());
            }else{
                return false;
            }
--- a/server/src/com/cloud/network/IpAddressManagerImpl.java
+++ b/server/src/com/cloud/network/IpAddressManagerImpl.java
@ -983,7 +983,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
        VlanType vlanType = VlanType.VirtualNetwork;
        boolean assign = false;
-        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) {
+        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
            // zone is of type DataCenter. See DataCenterVO.java.
            PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, " + "Zone is currently disabled");
            ex.addProxyObject(zone.getUuid(), "zoneId");
--- a/server/src/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/com/cloud/network/NetworkServiceImpl.java
@ -1018,7 +1018,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
        }
        if(displayNetwork != null){
-            if(!_accountMgr.isRootAdmin(caller.getType())){
+            if(!_accountMgr.isRootAdmin(caller.getId())){
                throw new PermissionDeniedException("Only admin allowed to update displaynetwork parameter");
            }
        }else{
@ -1030,7 +1030,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
            throw new InvalidParameterValueException("Specified zone id was not found");
        }
-        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) {
+        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
            // See DataCenterVO.java
            PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation since specified Zone is currently disabled");
            ex.addProxyObject(zone.getUuid(), "zoneId");
@ -1194,13 +1194,13 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
        }
        // Don't allow to specify vlan if the caller is not ROOT admin
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN && (ntwkOff.getSpecifyVlan() || vlanId != null)) {
+        if (!_accountMgr.isRootAdmin(caller.getId()) && (ntwkOff.getSpecifyVlan() || vlanId != null)) {
            throw new InvalidParameterValueException("Only ROOT admin is allowed to specify vlanId");
        }
        if (ipv4) {
        	// For non-root admins check cidr limit - if it's allowed by global config value
-        	if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN && cidr != null) {
+            if (!_accountMgr.isRootAdmin(caller.getId()) && cidr != null) {
        		String[] cidrPair = cidr.split("\\/");
        		int cidrSize = Integer.valueOf(cidrPair[1]);
@ -1307,7 +1307,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
            		ip6Gateway, ip6Cidr, displayNetwork, isolatedPvlan);
        }
-        if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN && createVlan) {
+        if (_accountMgr.isRootAdmin(caller.getId()) && createVlan) {
            // Create vlan ip range
            _configMgr.createVlanAndPublicIpRange(pNtwk.getDataCenterId(), network.getId(), physicalNetworkId,
                    false, null, startIP, endIP, gateway, netmask, vlanId, null, startIPv6, endIPv6, ip6Gateway, ip6Cidr);
@ -1960,7 +1960,7 @@ public class NetworkServiceImpl extends ManagerBase implements  NetworkService {
        }
        if(displayNetwork != null){
-            if(!_accountMgr.isRootAdmin(callerAccount.getType())){
+            if (!_accountMgr.isRootAdmin(callerAccount.getId())) {
                throw new PermissionDeniedException("Only admin allowed to update displaynetwork parameter");
            }
            network.setDisplayNetwork(displayNetwork);
--- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
+++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java
@ -695,7 +695,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
            throw new InvalidParameterValueException("Unable to find " + ruleId + " having purpose " + Purpose.Firewall);
        }
-        if (rule.getType() == FirewallRuleType.System && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+        if (rule.getType() == FirewallRuleType.System && !_accountMgr.isRootAdmin(caller.getId())) {
            throw new InvalidParameterValueException("Only root admin can delete the system wide firewall rule");
        }
--- a/server/src/com/cloud/network/vpc/VpcManagerImpl.java
+++ b/server/src/com/cloud/network/vpc/VpcManagerImpl.java
@ -612,7 +612,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
            throw new InvalidParameterValueException("Can't find zone by id specified");
        }
-        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) {
+        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
            // See DataCenterVO.java
            PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation since specified Zone is currently disabled");
            ex.addProxyObject(zone.getUuid(), "zoneId");
--- a/server/src/com/cloud/projects/ProjectManagerImpl.java
+++ b/server/src/com/cloud/projects/ProjectManagerImpl.java
@ -417,7 +417,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
    @Override
    public boolean canAccessProjectAccount(Account caller, long accountId) {
        //ROOT admin always can access the project
-        if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+        if (_accountMgr.isRootAdmin(caller.getId())) {
            return true;
        } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
            Account owner = _accountMgr.getAccount(accountId);
@ -431,7 +431,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
    @Override
    public boolean canModifyProjectAccount(Account caller, long accountId) {
        //ROOT admin always can access the project
-        if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
+        if (_accountMgr.isRootAdmin(caller.getId())) {
            return true;
        } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
            Account owner = _accountMgr.getAccount(accountId);
--- a/server/src/com/cloud/resource/ResourceManagerImpl.java
+++ b/server/src/com/cloud/resource/ResourceManagerImpl.java
@ -368,7 +368,7 @@ public class ResourceManagerImpl extends ManagerBase implements ResourceManager,
        }
        Account account = CallContext.current().getCallingAccount();
-        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) {
+        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) {
            PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, Zone with specified id is currently disabled");
            ex.addProxyObject(zone.getUuid(), "dcId");
            throw ex;
@ -591,7 +591,7 @@ public class ResourceManagerImpl extends ManagerBase implements ResourceManager,
        }
        Account account = CallContext.current().getCallingAccount();
-        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) {
+        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) {
            PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, Zone with specified id is currently disabled");
            ex.addProxyObject(zone.getUuid(), "dcId");
            throw ex;
--- a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
+++ b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
@ -263,7 +263,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
        long max = Resource.RESOURCE_UNLIMITED; // if resource limit is not found, then we treat it as unlimited
        // No limits for Root Admin accounts
-        if (_accountMgr.isRootAdmin(account.getType())) {
+        if (_accountMgr.isRootAdmin(account.getId())) {
            return max;
        }
@ -293,15 +293,16 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
    }
    @Override
-    public long findCorrectResourceLimitForAccount(short accountType, Long limit, ResourceType type) {
+    public long findCorrectResourceLimitForAccount(long accountId, Long limit, ResourceType type) {
        long max = Resource.RESOURCE_UNLIMITED; // if resource limit is not found, then we treat it as unlimited
        // No limits for Root Admin accounts
-        if (_accountMgr.isRootAdmin(accountType)) {
+        if (_accountMgr.isRootAdmin(accountId)) {
            return max;
        }
        Account account = _accountDao.findById(accountId);
        // Check if limit is configured for account
        if (limit != null) {
@ -309,7 +310,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
        } else {
            // If the account has an no limit set, then return global default account limits
            Long value = null;
-            if (accountType == Account.ACCOUNT_TYPE_PROJECT) {
+            if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
                value = projectResourceLimitMap.get(type);
            } else {
                value = accountResourceLimitMap.get(type);
@ -366,7 +367,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
        Project project = null;
        // Don't place any limits on system or root admin accounts
-        if (_accountMgr.isRootAdmin(account.getType())) {
+        if (_accountMgr.isRootAdmin(account.getId())) {
            return;
        }
@ -605,7 +606,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
            }
            //only Unlimited value is accepted if account is  Root Admin
-            if (_accountMgr.isRootAdmin(account.getType()) && max.shortValue() != ResourceLimit.RESOURCE_UNLIMITED) {
+            if (_accountMgr.isRootAdmin(account.getId()) && max.shortValue() != ResourceLimit.RESOURCE_UNLIMITED) {
                throw new InvalidParameterValueException("Only " + ResourceLimit.RESOURCE_UNLIMITED + " limit is supported for Root Admin accounts");
            }
--- a/server/src/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@ -1030,7 +1030,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
    listHostsForMigrationOfVM(Long vmId, Long startIndex, Long pageSize) {
        // access check - only root admin can migrate VM
        Account caller = CallContext.current().getCallingAccount();
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+        if (!_accountMgr.isRootAdmin(caller.getId())) {
            if (s_logger.isDebugEnabled()) {
                s_logger.debug("Caller is not a root admin, permission denied to migrate the VM");
            }
@ -1240,7 +1240,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
    public Pair<List<? extends StoragePool>, List<? extends StoragePool>> listStoragePoolsForMigrationOfVolume(Long volumeId) {
        // Access check - only root administrator can migrate volumes.
        Account caller = CallContext.current().getCallingAccount();
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+        if (!_accountMgr.isRootAdmin(caller.getId())) {
            if (s_logger.isDebugEnabled()) {
                s_logger.debug("Caller is not a root admin, permission denied to migrate the volume");
            }
@ -1826,7 +1826,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
        _accountMgr.checkAccess(account, AccessType.ModifyEntry, true, template);
        if(cmd.isRoutingType() != null){
-            if(!_accountService.isRootAdmin(account.getType())){
+            if (!_accountService.isRootAdmin(account.getId())) {
                throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied");
            }
        }
@ -2477,13 +2477,6 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
    }
    public static boolean isAdmin(short accountType) {
        return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)
                || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
    }
    @Override
    public List<Class<?>> getCommands() {
        List<Class<?>> cmdList = new ArrayList<Class<?>>();
--- a/server/src/com/cloud/servlet/ConsoleProxyServlet.java
+++ b/server/src/com/cloud/servlet/ConsoleProxyServlet.java
@ -465,7 +465,7 @@ public class ConsoleProxyServlet extends HttpServlet {
        }
        // root admin can access anything
-        if(accountObj.getType() == Account.ACCOUNT_TYPE_ADMIN)
+        if (_accountMgr.isRootAdmin(accountObj.getId()))
            return true;
        switch(vm.getType())
--- a/server/src/com/cloud/storage/StorageManagerImpl.java
+++ b/server/src/com/cloud/storage/StorageManagerImpl.java
@ -631,7 +631,7 @@ public class StorageManagerImpl extends ManagerBase implements StorageManager, C
        }
        // Check if zone is disabled
        Account account = CallContext.current().getCallingAccount();
-        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) {
+        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) {
            throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
        }
@ -1675,7 +1675,8 @@ public class StorageManagerImpl extends ManagerBase implements StorageManager, C
            }
            Account account = CallContext.current().getCallingAccount();
-            if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) {
+            if (Grouping.AllocationState.Disabled == zone.getAllocationState()
                    && !_accountMgr.isRootAdmin(account.getId())) {
                PermissionDeniedException ex = new PermissionDeniedException(
                        "Cannot perform this operation, Zone with specified id is currently disabled");
                ex.addProxyObject(zone.getUuid(), "dcId");
@ -1828,7 +1829,7 @@ public class StorageManagerImpl extends ManagerBase implements StorageManager, C
        }
        Account account = CallContext.current().getCallingAccount();
-        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) {
+        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) {
            PermissionDeniedException ex = new PermissionDeniedException(
                    "Cannot perform this operation, Zone with specified id is currently disabled");
            ex.addProxyObject(zone.getUuid(), "dcId");
--- a/server/src/com/cloud/storage/VolumeApiServiceImpl.java
+++ b/server/src/com/cloud/storage/VolumeApiServiceImpl.java
@ -360,7 +360,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
        }
        // Check if zone is disabled
-        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) {
+        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
            throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
        }
@ -572,7 +572,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
        if (displayVolumeEnabled == null) {
            displayVolumeEnabled = true;
        } else {
-            if (!_accountMgr.isRootAdmin(caller.getType())) {
+            if (!_accountMgr.isRootAdmin(caller.getId())) {
                throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted ");
            }
        }
@ -587,7 +587,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
        }
        // Check if zone is disabled
-        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) {
+        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
            throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
        }
@ -1352,7 +1352,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
            throw new InvalidParameterValueException("Can't find zone by id " + volume.getDataCenterId());
        }
-        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) {
+        if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
            throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zone.getName());
        }
@ -1383,7 +1383,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
        String mode = cmd.getMode();
        Account account = CallContext.current().getCallingAccount();
-        if (!_accountMgr.isRootAdmin(account.getType()) && ApiDBUtils.isExtractionDisabled()) {
+        if (!_accountMgr.isRootAdmin(account.getId()) && ApiDBUtils.isExtractionDisabled()) {
            throw new PermissionDeniedException("Extraction has been disabled by admin");
        }
@ -1421,7 +1421,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
                // we allow extraction of all ISO based
                // volumes
                boolean isExtractable = template.isExtractable() && template.getTemplateType() != Storage.TemplateType.SYSTEM;
-                if (!isExtractable && account != null && account.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+                if (!isExtractable && account != null && !_accountMgr.isRootAdmin(account.getId())) {
                    // Global admins are always allowed to extract
                    PermissionDeniedException ex = new PermissionDeniedException("The volume with specified volumeId is not allowed to be extracted");
                    ex.addProxyObject(volume.getUuid(), "volumeId");
--- a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
+++ b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java
@ -764,7 +764,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
        long accountLimit = _resourceLimitMgr.findCorrectResourceLimitForAccount(owner, ResourceType.snapshot);
        long domainLimit = _resourceLimitMgr.findCorrectResourceLimitForDomain(_domainMgr.getDomain(owner.getDomainId()), ResourceType.snapshot);
        int max = cmd.getMaxSnaps().intValue();
-        if (owner.getType() != Account.ACCOUNT_TYPE_ADMIN && ((accountLimit != -1 && max > accountLimit) || (domainLimit != -1 && max > domainLimit))) {
+        if (!_accountMgr.isRootAdmin(owner.getId())&& ((accountLimit != -1 && max > accountLimit) || (domainLimit != -1 && max > domainLimit))) {
        	String message = "domain/account";
        	if (owner.getType() == Account.ACCOUNT_TYPE_PROJECT) {
        		message = "domain/project";
--- a/server/src/com/cloud/template/TemplateAdapterBase.java
+++ b/server/src/com/cloud/template/TemplateAdapterBase.java
@ -95,13 +95,6 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
        return true;
    }
    private static boolean isAdmin(short accountType) {
        return ((accountType == Account.ACCOUNT_TYPE_ADMIN) ||
                (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) ||
                (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) ||
                (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
    }
    @Override
    public TemplateProfile prepare(boolean isIso, Long userId, String name, String displayText, Integer bits,
            Boolean passwordEnabled, Boolean requiresHVM, String url, Boolean isPublic, Boolean featured,
@ -158,7 +151,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
            sshkeyEnabled = Boolean.FALSE;
        }
-        boolean isAdmin = _accountDao.findById(templateOwner.getId()).getType() == Account.ACCOUNT_TYPE_ADMIN;
+        boolean isAdmin = _accountMgr.isRootAdmin(templateOwner.getId());
        if (!isAdmin && zoneId == null) {
            throw new InvalidParameterValueException("Please specify a valid zone Id.");
@ -191,7 +184,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
        _resourceLimitMgr.checkResourceLimit(templateOwner, ResourceType.template);
-        if (templateOwner.getType() != Account.ACCOUNT_TYPE_ADMIN && zoneId == null) {
+        if (!_accountMgr.isRootAdmin(templateOwner.getId()) && zoneId == null) {
            throw new IllegalArgumentException("Only admins can create templates in all zones");
        }
@ -202,7 +195,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
                throw new IllegalArgumentException("Please specify a valid zone.");
            }
            Account caller = CallContext.current().getCallingAccount();
-            if(Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())){
+            if(Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())){
                throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: "+ zoneId );
            }
        }
@ -298,7 +291,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
            throws PermissionDeniedException {
        if (account != null) {
-            if (!isAdmin(account.getType())) {
+            if (!_accountMgr.isAdmin(account.getType())) {
                if ((vmInstanceCheck != null) && (account.getId() != vmInstanceCheck.getAccountId())) {
                    throw new PermissionDeniedException(msg + ". Permission denied.");
                }
--- a/server/src/com/cloud/template/TemplateManagerImpl.java
+++ b/server/src/com/cloud/template/TemplateManagerImpl.java
@ -334,12 +334,12 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
    public VirtualMachineTemplate registerTemplate(RegisterTemplateCmd cmd) throws URISyntaxException, ResourceAllocationException {
        Account account = CallContext.current().getCallingAccount();
        if (cmd.getTemplateTag() != null) {
-            if (!_accountService.isRootAdmin(account.getType())) {
+            if (!_accountService.isRootAdmin(account.getId())) {
                throw new PermissionDeniedException("Parameter templatetag can only be specified by a Root Admin, permission denied");
            }
        }
        if(cmd.isRoutingType() != null){
-            if(!_accountService.isRootAdmin(account.getType())){
+            if (!_accountService.isRootAdmin(account.getId())) {
                throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied");
            }
        }
@ -422,7 +422,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
        }
        eventId = eventId == null ? 0 : eventId;
-        if (!_accountMgr.isRootAdmin(caller.getType()) && _disableExtraction) {
+        if (!_accountMgr.isRootAdmin(caller.getId()) && _disableExtraction) {
            throw new PermissionDeniedException("Extraction has been disabled by admin");
        }
@ -453,7 +453,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
            throw new IllegalArgumentException("Please specify a valid zone.");
        }
-        if (!_accountMgr.isRootAdmin(caller.getType()) && !template.isExtractable()) {
+        if (!_accountMgr.isRootAdmin(caller.getId()) && !template.isExtractable()) {
            throw new InvalidParameterValueException("Unable to extract template id=" + templateId + " as it's not extractable");
        }
@ -1248,7 +1248,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
            updatedTemplate.setFeatured(isFeatured.booleanValue());
        }
-        if (isExtractable != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {// Only
+        if (isExtractable != null && _accountMgr.isRootAdmin(caller.getId())) {// Only
            // ROOT
            // admins
            // allowed
@ -1258,7 +1258,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
            // powerful
            // attribute
            updatedTemplate.setExtractable(isExtractable.booleanValue());
-        } else if (isExtractable != null && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+        } else if (isExtractable != null && !_accountMgr.isRootAdmin(caller.getId())) {
            throw new InvalidParameterValueException("Only ROOT admins are allowed to modify this attribute.");
        }
@ -1438,18 +1438,13 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
        }
    }
    private static boolean isAdmin(short accountType) {
        return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)
                || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
    }
    @Override
    @ActionEvent(eventType = EventTypes.EVENT_TEMPLATE_CREATE, eventDescription = "creating template", create = true)
    public VMTemplateVO createPrivateTemplateRecord(CreateTemplateCmd cmd, Account templateOwner) throws ResourceAllocationException {
        Long userId = CallContext.current().getCallingUserId();
        Account caller = CallContext.current().getCallingAccount();
-        boolean isAdmin = (isAdmin(caller.getType()));
+        boolean isAdmin = (_accountMgr.isAdmin(caller.getType()));
        _accountMgr.checkAccess(caller, null, true, templateOwner);
@ -1459,7 +1454,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
        }
        if (cmd.getTemplateTag() != null) {
-            if (!_accountService.isRootAdmin(caller.getType())) {
+            if (!_accountService.isRootAdmin(caller.getId())) {
                throw new PermissionDeniedException("Parameter templatetag can only be specified by a Root Admin, permission denied");
            }
        }
@ -1722,7 +1717,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
        // do a permission check
        _accountMgr.checkAccess(account, AccessType.ModifyEntry, true, template);
        if(cmd.isRoutingType() != null){
-            if(!_accountService.isRootAdmin(account.getType())){
+            if (!_accountService.isRootAdmin(account.getId())) {
                throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied");
            }
        }
--- a/server/src/com/cloud/usage/UsageServiceImpl.java
+++ b/server/src/com/cloud/usage/UsageServiceImpl.java
@ -47,6 +47,7 @@ import com.cloud.projects.ProjectManager;
 import com.cloud.usage.dao.UsageDao;
 import com.cloud.usage.dao.UsageJobDao;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.user.AccountVO;
 import com.cloud.user.dao.AccountDao;
 import com.cloud.utils.component.Manager;
@ -69,6 +70,8 @@ public class UsageServiceImpl extends ManagerBase implements UsageService, Manag
    @Inject private ConfigurationDao _configDao;
    @Inject private ProjectManager _projectMgr;
    private TimeZone _usageTimezone;
    @Inject
    private AccountService _accountService;
    public UsageServiceImpl() {
    }
@ -156,7 +159,7 @@ public class UsageServiceImpl extends ManagerBase implements UsageService, Manag
            accountId = caller.getId();
            //List records for all the accounts if the caller account is of type admin. 
            //If account_id or account_name is explicitly mentioned, list records for the specified account only even if the caller is of type admin
-            if(caller.getType() == Account.ACCOUNT_TYPE_ADMIN){
+            if (_accountService.isRootAdmin(caller.getId())) {
                isAdmin = true;
            }
            s_logger.debug("Account details not available. Using userContext accountId: " + accountId);
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@ -344,16 +344,19 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
    }
    @Override
-    public boolean isRootAdmin(short accountType) {
+    public boolean isRootAdmin(long accountId) {
-        return (accountType == Account.ACCOUNT_TYPE_ADMIN);
+        // refer to account_group_map and check if account is in Root 'Admin'
        // group
        return false;
    }
    public boolean isResourceDomainAdmin(short accountType) {
        return (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN);
    }
-    public boolean isInternalAccount(short accountType) {
+    public boolean isInternalAccount(long accountId) {
-        if (isRootAdmin(accountType) || (accountType == Account.ACCOUNT_ID_SYSTEM)) {
+        Account account = _accountDao.findById(accountId);
        if (isRootAdmin(accountId) || (account.getType() == Account.ACCOUNT_ID_SYSTEM)) {
            return true;
        }
        return false;
@ -377,7 +380,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
    @Override
    public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) {
-        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getType())) {
+        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
            // no need to make permission checks if the system/root admin makes the call
            if (s_logger.isTraceEnabled()) {
                s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
@ -1973,7 +1976,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
                // return null;
            }
            // Whenever the user is able to log in successfully, reset the login attempts to zero
-            if(!isInternalAccount(userAccount.getType()))
+            if (!isInternalAccount(userAccount.getId()))
                updateLoginAttempts(userAccount.getId(), 0, false);
            return userAccount;
@ -2230,7 +2233,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
                } else if (!listAll) {
                    if (id == null) {
                        permittedAccounts.add(caller.getId());
-                    } else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+                    } else if (!isRootAdmin(caller.getId())) {
                        domainIdRecursiveListProject.first(caller.getDomainId());
                        domainIdRecursiveListProject.second(true);
                    }
--- a/server/src/com/cloud/user/DomainManagerImpl.java
+++ b/server/src/com/cloud/user/DomainManagerImpl.java
@ -431,7 +431,7 @@ public class DomainManagerImpl extends ManagerBase implements DomainManager, Dom
            }
            _accountMgr.checkAccess(caller, domain);
        } else {
-            if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+            if (!_accountMgr.isRootAdmin(caller.getId())) {
            domainId = caller.getDomainId();
            }
            if (listAll) {
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@ -1800,7 +1800,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
        if (isDisplayVmEnabled == null) {
            isDisplayVmEnabled = vmInstance.isDisplayVm();
        } else{
-            if(!_accountMgr.isRootAdmin(caller.getType())){
+            if(!_accountMgr.isRootAdmin(caller.getId())){
                throw new PermissionDeniedException( "Cannot update parameter displayvm, only admin permitted ");
            }
        }
@ -2471,7 +2471,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
        assert !(requestedIps != null && (defaultIps.getIp4Address() != null || defaultIps.getIp6Address() != null)) : "requestedIp list and defaultNetworkIp should never be specified together";
        if (Grouping.AllocationState.Disabled == zone.getAllocationState()
-                && !_accountMgr.isRootAdmin(caller.getType())) {
+                && !_accountMgr.isRootAdmin(caller.getId())) {
            throw new PermissionDeniedException(
                    "Cannot perform this operation, Zone is currently disabled: "
                            + zone.getId());
@ -2540,7 +2540,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                        // Root admin has access to both VM and AG by default,
                        // but
                        // make sure the owner of these entities is same
-                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) {
+                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
                            if (!_affinityGroupService.isAffinityGroupAvailableInDomain(ag.getId(), owner.getDomainId())) {
                                throw new PermissionDeniedException("Affinity Group " + ag
                                        + " does not belong to the VM's domain");
@ -2551,7 +2551,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                        // Root admin has access to both VM and AG by default,
                        // but
                        // make sure the owner of these entities is same
-                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) {
+                        if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
                            if (ag.getAccountId() != owner.getAccountId()) {
                                throw new PermissionDeniedException("Affinity Group " + ag
                                        + " does not belong to the VM's account");
@ -2776,7 +2776,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
        }
        if(isDisplayVmEnabled != null){
-            if(!_accountMgr.isRootAdmin(caller.getType())){
+            if(!_accountMgr.isRootAdmin(caller.getId())){
                throw new PermissionDeniedException( "Cannot update parameter displayvm, only admin permitted ");
            }
            vm.setDisplayVm(isDisplayVmEnabled);
@ -3264,7 +3264,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
        Host destinationHost = null;
        if (hostId != null) {
            Account account = CallContext.current().getCallingAccount();
-            if (!_accountService.isRootAdmin(account.getType())) {
+            if (!_accountService.isRootAdmin(account.getId())) {
                throw new PermissionDeniedException(
                        "Parameter hostid can only be specified by a Root Admin, permission denied");
            }
@ -3759,7 +3759,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
    public VirtualMachine vmStorageMigration(Long vmId, StoragePool destPool) {
        // access check - only root admin can migrate VM
        Account caller = CallContext.current().getCallingAccount();
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+        if (!_accountMgr.isRootAdmin(caller.getId())) {
            if (s_logger.isDebugEnabled()) {
                s_logger.debug("Caller is not a root admin, permission denied to migrate the VM");
            }
@ -3832,7 +3832,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
            ManagementServerException, VirtualMachineMigrationException {
        // access check - only root admin can migrate VM
        Account caller = CallContext.current().getCallingAccount();
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+        if (!_accountMgr.isRootAdmin(caller.getId())) {
            if (s_logger.isDebugEnabled()) {
                s_logger.debug("Caller is not a root admin, permission denied to migrate the VM");
            }
@ -4162,7 +4162,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
            ManagementServerException, VirtualMachineMigrationException {
        // Access check - only root administrator can migrate VM.
        Account caller = CallContext.current().getCallingAccount();
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
+        if (!_accountMgr.isRootAdmin(caller.getId())) {
            if (s_logger.isDebugEnabled()) {
                s_logger.debug("Caller is not a root admin, permission denied to migrate the VM");
            }
@ -4289,7 +4289,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
        // VV 1: verify the two users
        Account caller = CallContext.current().getCallingAccount();
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN
+        if (!_accountMgr.isRootAdmin(caller.getId())
                && caller.getType() != Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { // only
            // root
            // admin
--- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
+++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
@ -161,7 +161,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
        AffinityGroupProcessor processor = typeProcessorMap.get(affinityGroupType);
-        if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getType())) {
+        if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getId())) {
            throw new PermissionDeniedException("Cannot create the affinity group");
        }
@ -176,7 +176,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
        } else if (domainId != null && account == null) {
-            if (!_accountMgr.isRootAdmin(caller.getType())) {
+            if (!_accountMgr.isRootAdmin(caller.getId())) {
                // non root admin need to pass both account and domain
                throw new InvalidParameterValueException(
                        "Unable to create affinity group, account name must be passed with the domainId");
@ -484,7 +484,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
                _accountMgr.checkAccess(caller, null, true, owner, ag);
                // Root admin has access to both VM and AG by default, but make sure the
                // owner of these entities is same
-                if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) {
+                if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
                    if (ag.getAccountId() != owner.getAccountId()) {
                        throw new PermissionDeniedException("Affinity Group " + ag
                                + " does not belong to the VM's account");
--- a/server/test/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@ -163,7 +163,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
    }
    @Override
-    public boolean isRootAdmin(short accountType) {
+    public boolean isRootAdmin(long accountId) {
        // TODO Auto-generated method stub
        return false;
    }