Calculating RBAC roles

When I log in, how does Citrix Hypervisor compute the roles for the session?

  1. The Active Directory server authenticates the subject. During authentication, Active Directory also determines if the subject belongs to any other containing groups in Active Directory.
  2. Citrix Hypervisor then verifies which roles have been assigned to (a) the subject and (b) to any Active Directory groups to which it is a member.
  3. Citrix Hypervisor applies the highest level of permissions to the subject. Because subjects can be members of multiple Active Directory groups, they will inherit all of the permissions of the associated roles.

A diagram showing that Users can be in Groups in Active Directory. Both Users and Groups in Active Directory can be mapped to Subjects in XenCenter. Subjects can have a role. Roles have a set of Permissions.

In this illustration, since Subject 2 (Group 2) is the Pool Operator and User 1 is a member of Group 2, when Subject 3 (User 1) tries to log in, he or she inherits both Subject 3 (VM Operator) and Group 2 (Pool Operator) roles. Since the Pool Operator role is higher, the resulting role for Subject 3 (User 1) is Pool Operator and not VM Operator.