Definitions of RBAC roles and permissions
Permissions available for each role
The following table summarizes which permissions are available for each role. For details on the operations available for each permission, see the next section.
| Permissions | Pool Admin | Pool Operator | VM Power Admin | VM Admin | VM Operator | Read Only |
|---|---|---|---|---|---|---|
| Assign/modify roles | X | | | | | |
| Log in to (physical) server consoles (through SSH and XenCenter) | X | | | | | |
| Server backup/restore | X | | | | | |
| Import/export OVF/OVA packages; import disk images | X | | | | | |
| Log out active user connections | X | X | | | | |
| Create and dismiss alerts | X | X | | | | |
| Cancel task of any user | X | X | | | | |
| Pool management | X | X | | | | |
| VM advanced operations | X | X | X | | | |
| VM create/destroy operations | X | X | X | X | | |
| VM change CD media | X | X | X | X | X | |
| VM change power state | X | X | X | X | X | |
| View VM consoles | X | X | X | X | X | |
| XenCenter view mgmt ops | X | X | X | X | X | |
| Cancel own tasks | X | X | X | X | X | X |
| Read audit logs | X | X | X | X | X | X |
| Configure, Initialize, Enable, Disable WLB | X | X | | | | |
| Apply WLB Optimization Recommendations | X | X | | | | |
| Modify WLB Report Subscriptions | X | X | | | | |
| Accept WLB Placement Recommendations | X | X | X | | | |
| Display WLB Configuration | X | X | X | X | X | X |
| Generate WLB Reports | X | X | X | X | X | X |
| Connect to pool and read all pool metadata | X | X | X | X | X | X |
Definitions of permissions
This table provides additional details about permissions:
| Permission | Allows Assignee To | Rationale/Comments |
|---|---|---|
| Assign/modify roles | Add and remove users; Add and remove roles from users; Enable and disable Active Directory integration (being joined to the domain) | This permission lets the user grant himself or herself any permission or perform any task. Warning: This role lets the user disable the Active Directory integration and all subjects added from Active Directory. |
| Log in to server consoles | Server console access through SSH; Server console access through XenCenter | Warning: With access to a root shell, the assignee could arbitrarily reconfigure the entire system, including RBAC. |
| Server backup/restore VM create/destroy operations | Back up and restore servers; Back up and restore pool metadata | The ability to restore a backup lets the assignee revert RBAC configuration changes. |
| Import/export OVF/OVA packages; import disk images | Import OVF and OVA packages; Import disk images; Export VMs as OVF/OVA packages | |
| Log out active user connections | Ability to disconnect logged in users | |
| Create/dismiss alerts | Warning: A user with this permission can dismiss alerts for the entire pool. Note: The ability to view alerts is part of the Connect to Pool and read all pool metadata permission. | |
| Cancel task of any user | Cancel any user’s running task | This permission lets the user request XenServer cancel an in-progress task initiated by any user. |
| Pool management | Set pool properties (naming, default SRs); Enable, disable, and configure HA; Set per-VM HA restart priorities; Configure DR and perform DR failover, failback and test failover operations; Enable, disable, and configure Workload Balancing (WLB); Add and remove server from pool; Emergency transition to master; Emergency master address; Emergency recover slaves; Designate new master; Manage pool and server certificates; Patching; Set server properties; Configure server logging; Enable and disable servers; Shut down, reboot, and power-on servers; System status reports; Apply license; Live migration of all other VMs on a server to another server, due to either WLB, Maintenance Mode, or HA; Configure server management interfaces; Disable server management; Delete crashdumps; Add, edit, and remove networks; Add, edit, and remove PBDs/PIFs/VLANs/Bonds/SRs | |
| VM advanced operations | Adjust VM memory (through Dynamic Memory Control); Create a VM snapshot with memory, take VM snapshots, and roll-back VMs; Migrate VMs; Start VMs, including specifying physical server; Resume VMs | |
| VM create/destroy operations | Install and delete VMs; Clone/copy VMs; Add, remove, and configure virtual disk/CD devices; Add, remove, and configure virtual network devices; Import/export XVA files; VM configuration change | |
| VM change CD media | Eject current CD; Insert new CD | |
| VM change power state | Start VMs (automatic placement); Shut down VMs; Reboot VMs; Suspend VMs; Resume VMs (automatic placement) | |
| View VM consoles | See and interact with VM consoles | |
| Configure, Initialize, Enable, Disable WLB | Configure WLB; Initialize WLB and change WLB servers; Enable WLB; Disable WLB | |
| Apply WLB Optimization Recommendations | Apply any optimization recommendations that appear in the WLB tab | |
| Modify WLB Report Subscriptions | Change the WLB report generated or its recipient | |
| Accept WLB Placement Recommendations | Select one of the servers Workload Balancing recommends for placement (“star” recommendations) | |
| Display WLB Configuration | View WLB settings for a pool as shown on the WLB tab | |
| Generate WLB Reports | View and run WLB reports, including the Pool Audit Trail report | |
| XenCenter view management operations | Create and modify global XenCenter folders; Create and modify global XenCenter custom fields; Create and modify global XenCenter searches | |
| Cancel own tasks | Enables users to cancel their own tasks | |
| Read audit log | Download the XenServer audit log | |
| Connect to pool and read all pool metadata | Log in to pool; View pool metadata; View historical performance data; View logged in users; View users and roles; View tasks; View messages; Register for and receive events | |
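The role table and the warnings above can be combined into a least-privilege review. The following is an added example, not Citrix code: it picks the lowest role that covers what a subject needs and lists any RBAC-affecting permissions the assigned role grants beyond that. The subject names and their needed permissions are constructed for illustration.

```python
# Role at which each permission first appears in the page's role table (WLB,
# XenCenter-view and "Cancel own tasks" rows omitted); roles are cumulative.
FIRST_GRANTED = {
    "Read Only": ["Read audit logs", "Connect to pool and read all pool metadata"],
    "VM Operator": ["VM change CD media", "VM change power state", "View VM consoles"],
    "VM Admin": ["VM create/destroy operations"],
    "VM Power Admin": ["VM advanced operations"],
    "Pool Operator": ["Log out active user connections", "Create and dismiss alerts",
                      "Cancel task of any user", "Pool management"],
    "Pool Admin": ["Assign/modify roles", "Log in to server consoles",
                   "Server backup/restore",
                   "Import/export OVF/OVA packages; import disk images"],
}
ROLES = list(FIRST_GRANTED)  # ordered least to most privileged
MIN_ROLE = {p: r for r, perms in FIRST_GRANTED.items() for p in perms}
# Permissions the page warns can change or revert the RBAC configuration itself.
RBAC_SENSITIVE = {"Assign/modify roles", "Log in to server consoles", "Server backup/restore"}

def permissions_of(role):
    # A role holds every permission first granted at or below its own rank.
    rank = ROLES.index(role)
    return {p for p, r in MIN_ROLE.items() if ROLES.index(r) <= rank}

def minimal_role(required):
    """Least-privileged role covering every required permission."""
    unknown = set(required) - MIN_ROLE.keys()
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    return ROLES[max((ROLES.index(MIN_ROLE[p]) for p in required), default=0)]

def audit(assignments):
    """assignments maps subject -> (assigned_role, permissions_needed)."""
    findings = {}
    for subject, (role, needed) in assignments.items():
        best = minimal_role(needed)
        findings[subject] = {
            "recommended": best,
            "over_privileged": ROLES.index(role) > ROLES.index(best),
            "excess_rbac_sensitive": sorted(
                (permissions_of(role) & RBAC_SENSITIVE) - set(needed)),
        }
    return findings

# Constructed sample assignments (hypothetical subjects, not from the page).
SAMPLE = {
    "helpdesk": ("Pool Admin", {"VM change power state", "View VM consoles"}),
    "backup-svc": ("Pool Admin", {"Server backup/restore"}),
    "vm-team": ("VM Admin", {"VM create/destroy operations"}),
}
```

In this sample, `audit(SAMPLE)` recommends VM Operator for `helpdesk`, and shows that `backup-svc` cannot be given a lower role than Pool Admin yet still picks up two other RBAC-affecting permissions along with it.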