Definitions of RBAC roles and permissions
Note:
XenCenter YYYY.x.x is not yet supported for use with Citrix Hypervisor 8.2 CU1 in production environments. To manage your Citrix Hypervisor 8.2 CU1 production environment, use XenCenter 8.2.7. For more information, see the XenCenter 8.2.7 documentation.
You can install XenCenter 8.2.7 and XenCenter YYYY.x.x on the same system. Installing XenCenter YYYY.x.x does not overwrite your XenCenter 8.2.7 installation.
Permissions available for each role
The following table summarizes which permissions are available for each role. For details on the operations available for each permission, see the next section.
| Permissions | Pool Admin | Pool Operator | VM Power Admin | VM Admin | VM Operator | Read Only |
|---|---|---|---|---|---|---|
| Assign/modify roles | X | | | | | |
| Log in to (physical) server consoles (through SSH and XenCenter) | X | | | | | |
| Server backup/restore | X | | | | | |
| Install a TLS certificate on a server | X | | | | | |
| Apply updates to a pool | X | X | | | | |
| Rolling Pool Upgrade | X | | | | | |
| Import OVF/OVA packages and disk images | X | X | | | | |
| Import XVA packages | X | X | X | | | |
| Export OVF/OVA/XVA packages and disk images | X | X | X | X | | |
| Set cores per socket | X | X | X | X | | |
| Convert VMs using XenServer Conversion Manager | X | | | | | |
| Switch-port locking | X | X | | | | |
| Multipathing | X | X | | | | |
| Log out active user connections | X | X | | | | |
| Monitor host and dom0 resources with NRPE | X | | | | | |
| Monitor host and dom0 resources with SNMP | X | | | | | |
| Create and dismiss alerts | X | X | | | | |
| Cancel task of any user | X | X | | | | |
| Pool management | X | X | | | | |
| Live migration | X | X | X | | | |
| Storage live migration | X | X | X | | | |
| VM advanced operations | X | X | X | | | |
| VM create/destroy operations | X | X | X | X | | |
| VM change CD media | X | X | X | X | X | |
| VM change power state | X | X | X | X | X | |
| View VM consoles | X | X | X | X | X | |
| XenCenter view management operations | X | X | X | X | X | |
| Cancel own tasks | X | X | X | X | X | X |
| Read audit logs | X | X | X | X | X | X |
| Configure, initialize, enable, disable Workload Balancing (WLB) | X | X | | | | |
| Apply WLB optimization recommendations | X | X | | | | |
| Accept WLB placement recommendations | X | X | X | | | |
| Display WLB configuration | X | X | X | X | X | X |
| Generate WLB reports | X | X | X | X | X | X |
| Connect to pool and read all pool metadata | X | X | X | X | X | X |
| Configure virtual GPU | X | X | | | | |
| View virtual GPU configuration | X | X | X | X | X | X |
| Gather diagnostic information | X | X | | | | |
| vCPU Hotplug | X | X | X | X | | |
| Configure Changed Block Tracking | X | X | X | X | | |
| List changed blocks | X | X | X | X | X | |
| Configure PVS-Accelerator | X | X | | | | |
| View PVS-Accelerator configuration | X | X | X | X | X | X |
| Scheduled Snapshots (Add/Remove VMs to existing Snapshots Schedules) | X | X | X | | | |
| Scheduled Snapshots (Add/Modify/Delete Snapshot Schedules) | X | X | | | | |
Definitions of permissions
This section provides more details about permissions:
Assign/modify roles
- Add and remove users
- Add and remove roles from users
- Enable and disable Active Directory integration (being joined to the domain)
This permission lets the user grant themselves any permission or perform any task.
Warning:
This role lets the user disable the Active Directory integration and all subjects added from Active Directory.
Log in to server consoles
- Server console access through SSH
- Server console access through XenCenter
Warning:
With access to a root shell, the assignee can arbitrarily reconfigure the entire system, including RBAC.
Server backup/restore
- Back up and restore servers
- Back up and restore pool metadata
The ability to restore a backup lets the assignee revert RBAC configuration changes.
Install a TLS certificate on a server
This permission enables an administrator to install a TLS certificate on a server that runs Citrix Hypervisor 8.2 or later.
Apply updates to a pool
- Synchronize your pool with the content delivery network (CDN)
- Apply the updates by migrating VMs off each host if necessary and running any necessary update tasks such as rebooting the host, restarting the toolstack, or rebooting the VMs
Rolling Pool Upgrade
- Upgrade all hosts in a pool using the Rolling Pool Upgrade wizard.
Import OVF/OVA packages and disk images
- Import OVF and OVA packages
- Import disk images
Import XVA packages
- Import XVA packages
Export OVF/OVA/XVA packages and disk images
- Export VMs as OVF/OVA packages
- Export VMs as XVA packages
- Export disk images
Set cores-per-socket
- Set the number of cores per socket for the VM’s virtual CPUs
This permission enables the user to specify the topology for the VM’s virtual CPUs.
Convert VMs using XenServer Conversion Manager
- Convert VMware ESXi/vCenter VMs to XenServer VMs
This permission lets the user convert workloads from VMware to XenServer. Convert these workloads by copying batches of VMware ESXi/vCenter VMs to the XenServer environment.
Switch-port locking
- Control traffic on a network
This permission lets the user block all traffic on a network by default, or define specific IP addresses from which a VM can send traffic.
Multipathing
- Enable multipathing
- Disable multipathing
Log out active user connections
- Ability to disconnect logged-in users
Monitor host and dom0 resources with NRPE
For more information, see Monitor host and dom0 resources with NRPE.
Monitor host and dom0 resources with SNMP
For more information, see Monitor host and dom0 resources with SNMP.
Create/dismiss alerts
- Configure XenCenter to generate alerts when resource usage crosses certain thresholds
- Remove alerts from the Alerts view
Warning: A user with this permission can dismiss alerts for the entire pool.
Note: The ability to view alerts is part of the Connect to Pool and read all pool metadata permission.
Cancel task of any user
- Cancel any user’s running task
This permission lets the user request that XenServer cancel an in-progress task initiated by any user.
Pool management
- Set pool properties (naming, default SRs)
- Create a clustered pool
- Enable, disable, and configure HA
- Set per-VM HA restart priorities
- Configure DR and perform DR failover, failback, and test failover operations.
- Enable, disable, and configure Workload Balancing (WLB)
- Add and remove servers from a pool
- Emergency transition to pool coordinator
- Emergency pool coordinator address
- Emergency recovery of pool members
- Designate new pool coordinator
- Manage pool and server certificates
- Patching
- Set server properties
- Configure server logging
- Enable and disable servers
- Shut down, reboot, and power-on servers
- Restart toolstack
- System status reports
- Apply license
- Live migration of all other VMs on a server to another server, due to either WLB, maintenance mode, or high availability
- Configure server management interfaces and secondary interfaces
- Disable server management
- Delete crashdumps
- Add, edit, and remove networks
- Add, edit, and remove PBDs/PIFs/VLANs/Bonds/SRs
Live migration
- Migrate VMs from one host to another host when the VMs are on storage shared by both hosts
Storage live migration
- Migrate from one host to another host when the VMs are not on storage shared between the two hosts
- Move virtual disks (VDIs) from one SR to another SR
VM advanced operations
- Adjust VM memory (through Dynamic Memory Control)
- Create a VM snapshot with memory, take VM snapshots, and roll-back VMs
- Migrate VMs
- Start VMs, including specifying physical server
- Resume VMs
VM create/destroy operations
- Install and delete VMs
- Clone/copy VMs
- Add, remove, and configure virtual disk/CD devices
- Add, remove, and configure virtual network devices
- VM configuration change
VM change CD media
- Eject current CD
- Insert new CD
VM change power state
- Start VMs (automatic placement)
- Shut down VMs
- Reboot VMs
- Suspend VMs
- Resume VMs (automatic placement)
View VM consoles
- See and interact with VM consoles
Cancel own tasks
- Enables users to cancel their own tasks
Read audit log
- Download XenServer audit log
Configure, initialize, enable, disable WLB
- Configure WLB
- Initialize WLB and change WLB servers
- Enable WLB
- Disable WLB
Apply WLB optimization recommendations
- Apply any optimization recommendations that appear in the WLB tab
Modify WLB report subscriptions
- Change the WLB report generated or its recipient
Accept WLB placement recommendations
- Select one of the servers Workload Balancing recommends for placement (“star” recommendations)
Display WLB configuration
- View WLB settings for a pool as shown on the WLB tab
Generate WLB reports
- View and run WLB reports, including the Pool Audit Trail report
XenCenter view management operations
- Create and modify global XenCenter folders
- Create and modify global XenCenter custom fields
- Create and modify global XenCenter searches
Connect to pool and read all pool metadata
- Log in to pool
- View pool metadata
- View historical performance data
- View logged-in users
- View users and roles
- View tasks
- View messages
- Register for and receive events
Configure virtual GPU
- Specify a pool-wide placement policy
- Assign a virtual GPU to a VM
- Remove a virtual GPU from a VM
- Modify allowed virtual GPU types
- Create, destroy, or assign a GPU group
View virtual GPU configuration
- View GPUs, GPU placement policies, and virtual GPU assignments.
Gather diagnostic information from XenServer
- Initiate GC collection and heap compaction
- Gather garbage collection statistics
- Gather database statistics
- Gather network statistics
Configure changed block tracking
- Enable changed block tracking
- Disable changed block tracking
- Destroy the data associated with a snapshot and retain the metadata
- Get the NBD connection information for a VDI
- Export a VDI over an NBD connection
Changed block tracking can be enabled only for licensed instances of XenServer Premium Edition.
List changed blocks
- Compare two VDI snapshots and list the blocks that have changed between them.
Configure PVS-Accelerator
- Enable PVS-Accelerator
- Disable PVS-Accelerator
- Update PVS-Accelerator cache configuration
- Add or remove PVS-Accelerator cache configuration
View PVS-Accelerator configuration
- View the status of PVS-Accelerator
Scheduled snapshots (Add/Remove VMs to existing Snapshots Schedules)
- Add VMs to existing snapshot schedules
- Remove VMs from existing snapshot schedules
Scheduled snapshots (Add/Modify/Delete Snapshot Schedules)
- Add snapshot schedules
- Modify snapshot schedules
- Delete snapshot schedules