Product Documentation

Assign roles to users and groups

Jun 12, 2013

All XenServer users must have an RBAC role. In XenServer v6.2.0, you must first assign a role to the newly created user before they can use the account. Note that XenServer does not automatically assign a role to the newly created user. As a result, these accounts will not have any access to the XenServer pool until you assign them a role.

Assigning roles to users in XenServer v6.1.0 and earlier

In XenServer v6.1.0 and earlier, when new users are added, they are automatically assigned the Pool Administrator role. In XenServer Enterprise and higher, when you add new users, XenServer does not assign newly added user accounts roles automatically. You must assign roles to new accounts separately.

Note: Before you can assign a role to a user or group, you must add the user or group's Active Directory account to XenServer after joining the associated domain as described in Join a domain and add RBAC users.

You can assign a user a different role by one of the following methods:

  1. Change the role assigned to the user in the Select Roles dialog in XenCenter. This requires the Assign/modify role permission, which is only available to a Pool Administrator.
  2. Modify the user's containing group membership in Active Directory (so that the user becomes part of a group that is assigned a different role).

If, on separate occasions, an administrator indirectly applies multiple roles to a user (for example, by the user being a member of multiple groups), XenServer grants the user the permissions from the highest role to which he or she was assigned.

To change or assign a role to a user or group

  1. In the Resources pane, select the pool or server that contains the user or group.
  2. Click the Users tab.
  3. In the Users and Groups with Access pane, select the user or group to which you want to assign permissions.
  4. Click Change Role.
  5. In the Select Roles dialog, select the role you want to apply and click Save. For information about the permissions associated with each role, see Definitions of RBAC roles and permissions.
    Tip: When you are assigning a role, you can select multiple users simultaneously by pressing the CTRL key and selecting the user accounts.
  6. (Optional.) When changing a role, if the user is currently logged on to the pool and you want them to receive their new permissions immediately, click Logout User. This disconnects all of the user's sessions on the pool so the user receives a new session with the modified role.
    Note: When changing a role, for the new role to take effect, the user must log out and log back in again. You can force this log out by clicking the Logout User button. (Forcing logouts requires the Logout active user connections permission, which is available to a Pool Administrator or Pool Operator).