XenCenter

Calculating RBAC roles

Note:

XenCenter YYYY.x.x is currently in preview and is not supported for production use. Note that any future references to production support apply only when XenCenter YYYY.x.x and XenServer 8 go from preview status to general availability.

You can use XenCenter YYYY.x.x to manage your XenServer 8 and Citrix Hypervisor 8.2 CU1 non-production environments. However, to manage your Citrix Hypervisor 8.2 CU1 production environment, use XenCenter 8.2.7. For more information, see the XenCenter 8.2.7 documentation.

You can install XenCenter 8.2.7 and XenCenter YYYY.x.x on the same system. Installing XenCenter YYYY.x.x does not overwrite your XenCenter 8.2.7 installation.

When I log in, how does XenServer compute the roles for the session?

  1. The Active Directory server authenticates the subject. During authentication, Active Directory also determines if the subject belongs to any other containing groups in Active Directory.

  2. XenServer then verifies the following information:

    • The roles assigned to the subject.
    • The roles assigned to any Active Directory groups that the subject is a member of.

  3. XenServer applies the highest level of permissions to the subject. Because subjects can be members of multiple Active Directory groups, they inherit all permissions of the associated roles.

A diagram showing that Users can be in Groups in Active Directory. Both Users and Groups in Active Directory are mapped to Subjects in XenCenter. Subjects can have a role. Roles have a set of Permissions.

This illustration shows the following information:

  • Subject 2 (Group 2) is the Pool Operator.
  • User 1 is a member of Group 2.
  • When Subject 3 (User 1) tries to log in, they inherit both Subject 3 (VM Operator) and Group 2 (Pool Operator) roles.
  • The Pool Operator role is higher, so the resulting role for Subject 3 (User 1) is Pool Operator and not VM Operator.
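
The calculation above can be modelled offline to audit which users end up with a higher role than the one assigned to them directly. This Python sketch is an added example, not XenServer or XenCenter code: the function names, the sample directory data, and the role ordering beyond "Pool Operator outranks VM Operator" are assumptions, and it goes slightly beyond the illustration by also resolving nested groups.

```python
# Roles ordered lowest to highest. This page states only that Pool Operator
# outranks VM Operator; the rest of the ordering is an assumption.
ROLE_RANK = ["Read Only", "VM Operator", "VM Admin",
             "VM Power Admin", "Pool Operator", "Pool Admin"]

# Constructed sample data modelled on the illustration above.
MEMBER_OF = {                    # principal -> AD groups it is directly a member of
    "User 1": ["Group 2"],
    "User 2": ["Group 3"],
    "Group 3": ["Group 2"],      # nested group (constructed)
}
SUBJECT_ROLES = {                # subjects that have been given a role
    "Group 2": "Pool Operator",
    "User 1": "VM Operator",
    "User 2": "Read Only",
}

def containing_groups(principal, member_of):
    """Step 1: every group that contains the principal, directly or through nesting."""
    seen, stack = set(), [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:        # the seen set also stops circular nesting
                seen.add(group)
                stack.append(group)
    return seen

def effective_role(user, member_of, subject_roles):
    """Steps 2 and 3: collect the user's and groups' roles, return the highest.

    Returns (role, source_subject), or (None, None) when no subject matches.
    """
    candidates = [(user, subject_roles[user])] if user in subject_roles else []
    for group in sorted(containing_groups(user, member_of)):
        if group in subject_roles:
            candidates.append((group, subject_roles[group]))
    if not candidates:
        return None, None
    # max() keeps the first of equal ranks, so a direct assignment wins ties.
    source, role = max(candidates, key=lambda c: ROLE_RANK.index(c[1]))
    return role, source

def elevated_by_group(users, member_of, subject_roles):
    """Audit helper: users whose session role comes from a group, not from themselves."""
    findings = {}
    for user in users:
        role, source = effective_role(user, member_of, subject_roles)
        if role is not None and source != user:
            findings[user] = (subject_roles.get(user), role, source)
    return findings
```

Calling `elevated_by_group(["User 1", "User 2", "User 3"], MEMBER_OF, SUBJECT_ROLES)` reports User 1 and User 2 as raised to Pool Operator through Group 2, which is the kind of inherited privilege worth reviewing before assigning a role to a broad Active Directory group.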