XenServer's Role Based Access Control (RBAC) lets you assign predefined roles, or sets of XenServer permissions, to Active Directory users and groups. These permissions control the level of access that XenServer users (that is, people administering XenServer) have to servers and pools. RBAC is configured and deployed at the pool level. Because users acquire permissions through their assigned role, you only need to assign a role to a user or to their group.
RBAC lets you restrict which operations different groups of users can perform, which reduces the likelihood of inexperienced users making disastrous, accidental changes. Assigning RBAC roles also helps prevent unauthorized changes to your resource pools for compliance reasons. To facilitate compliance and auditing, RBAC also provides an Audit Log feature and its corresponding Workload Balancing Pool Audit Trail report.
RBAC depends on Active Directory for authentication services. Specifically, XenServer keeps a list of authorized users based on Active Directory user and group accounts. As a result, you must join the pool to the domain and add Active Directory accounts before you can assign roles.
If you do not have one of these editions, you can add users from Active Directory. However, all users will have the Pool Administrator role.
The local super user (LSU), or root, is a special user account used for system administration and has all rights or permissions. In XenServer, the local super user is the default account at installation. The LSU is authenticated by XenServer and not by an external authentication service. This means that if the external authentication service fails, the LSU can still log in and manage the system. The LSU can always access the XenServer physical server through SSH.
XenServer comes with six pre-established roles that are designed to align with different functions in an IT organization.
For information about the permissions associated with each role, see Definitions of RBAC roles and permissions. For information about how RBAC calculates which roles apply to a user, see Calculating RBAC roles.
Support for RBAC was introduced in XenServer version 5.6. Any user accounts created in earlier XenServer releases are assigned the role of Pool Admin when upgrading to XenServer version 5.6 or later. This is done for backwards compatibility. When upgrading from older XenServer releases, you should revisit the role associated with each user account to make sure it is still appropriate.
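One way to carry out the post-upgrade review described above is to parse a saved copy of the pool's subject listing and pull out every user or group that holds Pool Admin. This is an added example, not code from the XenServer documentation. It assumes the "key ( FLAGS): value" record layout printed by `xe subject-list`, the role name `pool-admin`, and the `subject-name` and `subject-is-group` fields; the sample records are constructed.

```python
import re

# Constructed sample in the "key ( FLAGS): value" layout that `xe subject-list`
# prints (layout assumed here); blank lines separate records.
SAMPLE = r"""
uuid ( RO)                  : 00000000-0000-0000-0000-000000000001
    subject-identifier ( RO): S-1-5-21-1111-2222-3333-1001
          other-config (MRO): subject-name: EXAMPLE\legacy_ops; subject-is-group: false
                 roles (SRO): pool-admin

uuid ( RO)                  : 00000000-0000-0000-0000-000000000002
    subject-identifier ( RO): S-1-5-21-1111-2222-3333-1002
          other-config (MRO): subject-name: EXAMPLE\xs_admins; subject-is-group: true
                 roles (SRO): pool-admin

uuid ( RO)                  : 00000000-0000-0000-0000-000000000003
    subject-identifier ( RO): S-1-5-21-1111-2222-3333-1003
          other-config (MRO): subject-name: EXAMPLE\vm_op; subject-is-group: false
                 roles (SRO): vm-operator
"""

FIELD = re.compile(r"^\s*([\w-]+)\s*\(\s*\w+\)\s*:\s*(.*)$")

def parse_subjects(text):
    """Turn the listing into dicts: uuid, name, is_group, roles."""
    subjects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if not rec:
            continue
        cfg = {}
        for pair in rec.get("other-config", "").split(";"):  # "k: v; k: v"
            key, sep, value = pair.partition(":")
            if sep:
                cfg[key.strip()] = value.strip()
        subjects.append({
            "uuid": rec.get("uuid", "").strip(),
            "name": cfg.get("subject-name") or rec.get("subject-identifier", "").strip(),
            "is_group": cfg.get("subject-is-group") == "true",
            "roles": [r.strip() for r in re.split(r"[;,]", rec.get("roles", "")) if r.strip()],
        })
    return subjects

def pool_admin_review(subjects):
    """List subjects that hold pool-admin, the role upgraded accounts receive."""
    return [(s["name"], "group" if s["is_group"] else "user")
            for s in subjects if "pool-admin" in s["roles"]]

if __name__ == "__main__":
    for name, kind in pool_admin_review(parse_subjects(SAMPLE)):
        print(f"REVIEW {kind} {name}: holds pool-admin")
```

Group entries deserve the closest look, because every member of the Active Directory group acquires the role.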