XenCenter

Calculating RBAC roles

When I log in, how does Citrix Hypervisor compute the roles for the session?

  1. The Active Directory server authenticates the subject. During authentication, Active Directory also determines if the subject belongs to any other containing groups in Active Directory.

  2. Citrix Hypervisor then verifies the following information:

    • The roles assigned to the subject
    • The roles assigned to any Active Directory groups that the subject is a member of.
  3. Citrix Hypervisor applies the highest level of permissions to the subject. Because subjects can be members of multiple Active Directory groups, they inherit all permissions of the associated roles.

A diagram showing that Users can be in Groups in Active Directory. Both Users and Groups in Active Directory are mapped to Subjects in XenCenter. Subjects can have a role. Roles have a set of Permissions.

This illustration shows the following information:

  • Subject 2 (Group 2) is the Pool Operator.
  • User 1 is a member of Group 2.
  • When Subject 3 (User 1) tries to log in, they inherit both Subject 3 (VM Operator) and Group 2 (Pool Operator) roles.
  • The Pool Operator role is higher, so the resulting role for Subject 3 (User 1) is Pool Operator and not VM Operator.

Calculating RBAC roles