5
Managing Users
Defining users, groups, roles and permissions allows you to control who has access to your XenServer hosts and
pools and what actions they can perform.
When you first install XenServer, a user account is added to XenServer automatically. This account is the local
super user (LSU), or root, which is authenticated locally by the XenServer computer.
The local super user (LSU), or root, is a special user account used for system administration and has all rights or
permissions. In XenServer, the local super user is the default account at installation. The LSU is authenticated
by XenServer and not an external authentication service. This means that if the external authentication service
fails, the LSU can still log in and manage the system. The LSU can always access the XenServer physical server
through SSH.
You can create additional users by adding their Active Directory accounts through either XenCenter's Users
tab or the CLI. All editions of XenServer can add user accounts from Active Directory. However, only XenServer
Enterprise and Platinum editions let you assign these Active Directory accounts different levels of permissions
(through the Role Based Access Control (RBAC) feature). If you do not use Active Directory in your environment,
you are limited to the LSU account.
The permissions assigned to users when you first add their accounts vary according to your version of XenServer:
- In the XenServer and XenServer Advanced edition, when you create (add) new users, XenServer automatically
  grants the accounts access to all features available in that version.
- In the XenServer Enterprise and Platinum editions, when you create new users, XenServer does not assign
  newly created user accounts roles automatically. As a result, these accounts do not have any access to the
  XenServer pool until you assign them a role.
If you do not have one of these editions, you can add users from Active Directory. However, all users will have
the Pool Administrator role.
These permissions are granted through roles, as discussed in the section called “Authenticating Users With Active
Directory (AD)”.

Authenticating Users With Active Directory (AD)

If you want to have multiple user accounts on a server or a pool, you must use Active Directory user accounts for
authentication. This lets XenServer users log in to a pool's XenServers using their Windows domain credentials.
The only way you can configure varying levels of access for specific users is by enabling Active Directory
authentication, adding user accounts, and assigning roles to those accounts.
Active Directory users can use the xe CLI (passing appropriate -u and -pw arguments) and also connect to the
host using XenCenter. Authentication is done on a per-resource pool basis.
Access is controlled by the use of subjects. A subject in XenServer maps to an entity on your directory server
(either a user or a group). When external authentication is enabled, the credentials used to create a session are
first checked against the local root credentials (in case your directory server is unavailable) and then against the
subject list. To permit access, you must create a subject entry for the person or group you wish to grant access
to. This can be done using XenCenter or the xe CLI.
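
The following is an added example, not part of the original guide: a small audit of the subject list that flags subjects with no role (no pool access in the Enterprise and Platinum editions) and subjects holding the Pool Administrator role. It assumes the usual xe record layout for `xe subject-list` output and the CLI role name `pool-admin`; the sample records, SIDs and names are constructed.

```sh
#!/bin/sh
# Added example. Reads `xe subject-list`-style records on stdin and prints
# "<status><TAB><subject-name><TAB><roles>" for each subject.
# On a pool master (assumed usage): xe subject-list | audit_subjects
audit_subjects() {
  awk '
    function emit(   n, r, i, status) {
      if (uuid == "") return
      n = split(roles, r, /; */)
      status = (n == 0) ? "NO-ROLE" : "OK"     # no role means no pool access
      for (i = 1; i <= n; i++)
        if (r[i] == "pool-admin") status = "POOL-ADMIN"
      printf "%s\t%s\t%s\n", status, (name == "" ? uuid : name), (n == 0 ? "-" : roles)
      uuid = ""; name = ""; roles = ""
    }
    /^uuid /       { emit(); uuid = $NF }      # a uuid line starts a new record
    /other-config/ { if (match($0, /subject-name: [^;]*/))
                       name = substr($0, RSTART + 14, RLENGTH - 14) }
    /^ *roles /    { sub(/^[^:]*: */, ""); sub(/ *$/, ""); roles = $0 }
    END            { emit() }
  '
}

# Constructed sample input (assumed layout of xe subject-list output).
sample_subjects() {
  cat <<'EOF'
uuid ( RO)                  : 00000000-0000-0000-0000-000000000001
    subject-identifier ( RO): S-1-5-21-0-0-0-1001
          other-config (MRO): subject-name: EXAMPLE\alice; subject-is-group: false
                 roles (SRO): pool-admin

uuid ( RO)                  : 00000000-0000-0000-0000-000000000002
    subject-identifier ( RO): S-1-5-21-0-0-0-1002
          other-config (MRO): subject-name: EXAMPLE\bob; subject-is-group: false
                 roles (SRO):

uuid ( RO)                  : 00000000-0000-0000-0000-000000000003
    subject-identifier ( RO): S-1-5-21-0-0-0-1003
          other-config (MRO): subject-name: EXAMPLE\vm-operators; subject-is-group: true
                 roles (SRO): vm-operator
EOF
}

sample_subjects | audit_subjects
```
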
If you are familiar with XenCenter, note that the XenServer CLI uses slightly different terminology to refer to Active
Directory and user account features:
XenCenter Term    XenServer CLI Term
Users             Subjects
Add users         Add subjects