Calculating RBAC roles

When I log in, how does XenServer compute the roles for the session?

  1. The Active Directory server authenticates the subject. During authentication, Active Directory also determines which other Active Directory groups contain the subject.
  2. XenServer then checks which roles have been assigned to (a) the subject and (b) any Active Directory groups of which the subject is a member.
  3. XenServer applies the highest level of permissions to the subject. Because a subject can be a member of multiple Active Directory groups, it inherits all of the permissions of the associated roles.

A diagram showing that Users can be members of Groups in Active Directory. Both Users and Groups in Active Directory can be mapped to Subjects in XenCenter. Subjects can have a role, and roles have a set of permissions.

In this illustration, Subject 2 (Group 2) is a Pool Operator and User 1 is a member of Group 2, so when Subject 3 (User 1) logs in, he or she inherits both the Subject 3 role (VM Operator) and the Group 2 role (Pool Operator). Since the Pool Operator role is higher, the resulting role for Subject 3 (User 1) is Pool Operator, not VM Operator.
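The following is an added example, not XenServer's own code, that models the three steps above: it resolves the Active Directory groups that contain a principal (including nested groups), looks up the role assigned to the principal and to each of those groups, and returns the highest one together with the subject that grants it. The directory, the subject table and the role ordering (highest first, following the documented XenServer role hierarchy) are assumptions constructed for the illustration.

```python
from typing import Dict, Optional, Set, Tuple

# Assumed role ordering, higher number = more permissions.
ROLE_RANK: Dict[str, int] = {
    "Read Only": 0,
    "VM Operator": 1,
    "VM Admin": 2,
    "VM Power Admin": 3,
    "Pool Operator": 4,
    "Pool Admin": 5,
}

# Constructed directory: principal -> groups it is a direct member of.
AD_MEMBERSHIP: Dict[str, Set[str]] = {
    "User 1": {"Group 2"},            # the page's illustration
    "User 2": {"Group 3"},            # nested case: Group 3 sits inside Group 2
    "Group 3": {"Group 2"},
    "Group 2": set(),
}

# Constructed XenServer subject table: AD principal -> assigned role.
SUBJECT_ROLES: Dict[str, str] = {
    "Group 2": "Pool Operator",       # Subject 2
    "User 1": "VM Operator",          # Subject 3
}

def containing_groups(principal: str, membership: Dict[str, Set[str]]) -> Set[str]:
    """Step 1: every group that contains the principal, directly or via nesting."""
    seen: Set[str] = set()
    stack = list(membership.get(principal, ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(membership.get(group, ()))
    return seen

def effective_role(principal: str, membership: Dict[str, Set[str]],
                   subject_roles: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Steps 2 and 3: (highest role, subject granting it), or (None, None) if no access."""
    best: Optional[Tuple[str, str]] = None
    for name in [principal, *containing_groups(principal, membership)]:
        role = subject_roles.get(name)
        if role is None:
            continue
        if best is None or ROLE_RANK[role] > ROLE_RANK[best[0]]:
            best = (role, name)
    return best if best else (None, None)
```

Returning the granting subject alongside the role is useful when auditing why a user ended up with more permissions than their own subject entry suggests.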