Table 2. Definitions of permissions
| Permission | Allows Assignee To | Rationale/Comments |
|---|---|---|
| Assign/modify roles | • Add/remove users • Add/remove roles from users • Enable and disable Active Directory integration (being joined to the domain) | This permission lets the user grant himself or herself any permission or perform any task. Warning: This role lets the user disable the Active Directory integration and all subjects added from Active Directory. |
| Log in to server consoles | • Server console access through ssh • Server console access through XenCenter | Warning: With access to a root shell, the assignee could arbitrarily reconfigure the entire system, including RBAC. |
| Server backup/restore VM create/destroy operations | • Back up and restore servers • Back up and restore pool metadata | The ability to restore a backup lets the assignee revert RBAC configuration changes. |
| Log out active user connections | • Ability to disconnect logged in users | |
| Create/dismiss alerts | | Warning: A user with this permission can dismiss alerts for the entire pool. Note: The ability to view alerts is part of the Connect to Pool and read all pool metadata permission. |
| Cancel task of any user | • Cancel any user's running task | This permission lets the user request XenServer cancel an in-progress task initiated by any user. |