RBAC overview

The Role Based Access Control (RBAC) feature lets you assign predefined roles , or sets of XenServer permissions, to Active Directory users and groups. These permissions control the level of access XenServer users (that is, people administering XenServer) have to servers and pools: RBAC is configured and deployed at the pool level. Because users acquire permissions through their assigned role, you simply need to assign a role to a user or their group.

Using Active Directory accounts for XenServer user accounts

RBAC lets you restrict which operations different groups of users can perform, which reduces the likelihood of inexperienced users making disastrous, accidental changes. Assigning RBAC roles also helps prevent unauthorized changes to your resource pools for compliance reasons. To facilitate compliance and auditing, RBAC also provides an Audit Log feature and its corresponding Workload Balancing Pool Audit Trail report.

Users map to Roles. Roles map to a set of Permissions.

RBAC depends on Active Directory for authentication services. Specifically, XenServer keeps a list of authorized users based on Active Directory user and group accounts. As a result, you must join the pool to the domain and add Active Directory accounts before you can assign roles.

RBAC process

This is the standard process for implementing RBAC and assigning a user or group a role:

  1. Join the domain.
  2. Add an Active Directory user or group to the pool.
  3. Assign (or modify) the user or group’s RBAC role.

Local Super User

The local super user (LSU) , or root, is a special user account used for system administration and has all rights or permissions. In XenServer, the local super user is the default account at installation. The LSU is authenticated by XenServer and not an external authentication service. This means that if the external authentication service fails, the LSU can still log in and manage the system. The LSU can always access XenServer physical server through SSH.

RBAC Roles

XenServer comes with six pre-established roles that are designed to align with different functions in an IT organization.

  • Pool Administrator (Pool Admin). This role is the most powerful role available. Pool Admins have full access to all XenServer features and settings. They can perform all operations, including role and user management. They can grant access to XenServer console. As a best practice, Citrix recommends assigning this role to an extremely limited number of users.

    Note: The local super user (root) always has the Pool Admin role. The Pool Admin role has the same permissions as the local root.

  • Pool Operator (Pool Operator). This role is designed to let the assignee manage pool-wide resources, including creating storage, managing servers, managing patches, and creating pools. Pool Operators can configure pool resources. They also have full access to the following features: High Availability (HA), Workload Balancing, and patch management. Pool Operators cannot add users or modify roles.
  • Virtual Machine Power Administrator (VM Power Admin). This role has full access to VM and Template management. They can choose where to start VMs. They have full access to the dynamic memory control features and the VM snapshot feature. In addition, they can set the Home Server and choose where to run workloads. Assigning this role grants the assignee sufficient permissions to provision virtual machines for VM Operator use.
  • Virtual Machine Administrator (VM Admin). This role can manage VMs and Templates and access the storage necessary to complete these tasks. However, this role relies on XenServer to choose where to run workloads and must use the settings in templates for dynamic memory control and the Home Server. (This role cannot access the dynamic memory control features, make snapshots, set the Home Server or choose where to run workloads.)
  • Virtual Machine Operator (VM Operator). This role can use the VMs in a pool and manage their basic lifecycle. VM Operators can interact with the VM consoles and start or stop VMs, provided sufficient hardware resources are available. Likewise, VM Operators can perform start and stop lifecycle operations. The VM Operator role cannot create or destroy VMs, alter VM properties, or server resources.
  • Read-only (Read Only). This role can only view resource pool and performance data.

For information about the permissions associated with each role, see Definitions of RBAC roles and permissions. For information about how RBAC calculates which roles apply to a user, see Calculating RBAC roles.

Note: When you create a new user, you must first assign a role to the newly created user before they can use the account. Note that XenServer does not automatically assign a role to the newly created user.

Upgrading from older XenServer releases

Support for RBAC was introduced at XenServer version 5.6. Any user accounts created in earlier XenServer releases are assigned the role of Pool Admin when upgrading to XenServer version 5.6 or later. This is done for backwards compatibility reasons. When upgrading from older XenServer releases, you should revisit the role associated with each user account to make sure it is still appropriate.