10
they may be able to continue to access the pool using XenCenter or other API sessions that they have already
created. In order to terminate these sessions forcefully, XenCenter and the CLI provide facilities to terminate
individual sessions, or all currently active sessions. See the XenCenter help for more information on procedures
using XenCenter, or below for procedures using the CLI.

Terminating all authenticated sessions using xe

Execute the following CLI command:
xe session-subject-identifier-logout-all

Terminating individual user sessions using xe

1. Determine the subject identifier whose session you wish to log out. Use either the session-subject-
identifier-list or subject-list xe commands to find this (the first shows users who have sessions, the second
shows all users but can be filtered, for example, using a command like xe subject-list other-config:subject-
name=xendt\\user1 – depending on your shell you may need a double-backslash as shown).
2. Use the session-subject-logout command, passing the subject identifier you have determined in the
previous step as a parameter, for example:
xe session-subject-identifier-logout subject-identifier=<subject-id>

Leaving an AD Domain

Warning:
When you leave the domain (that is, disable Active Directory authentication and disconnect
a pool or server from its domain), any users who authenticated to the pool or server with
Active Directory credentials are disconnected.
Use XenCenter to leave an AD domain. See the XenCenter help for more information. Alternately run the pool-
disable-external-auth command, specifying the pool uuid if required.
Note:
Leaving the domain will not cause the host objects to be removed from the AD database. See
this knowledge base article for more information about this and how to remove the disabled
host entries.
Role Based Access Control
Note:
The full RBAC feature is only available in Citrix XenServer Enterprise Edition or higher. To
learn more about upgrading XenServer, click here.
XenServer's Role Based Access Control (RBAC) allows you to assign users, roles, and permissions to control who
has access to your XenServer and what actions they can perform. The XenServer RBAC system maps a user
(or a group of users) to defined roles (a named set of permissions), which in turn have associated XenServer
permissions (the ability to perform certain operations).
As users are not assigned permissions directly, but acquire them through their assigned role, management of
individual user permissions becomes a matter of simply assigning the user to the appropriate role; this simplifies
common operations. XenServer maintains a list of authorized users and their roles.
RBAC allows you to easily restrict which operations different groups of users can perform- thus reducing the
probability of an accident by an inexperienced user.
To facilitate compliance and auditing, RBAC also provides an Audit Log feature and its corresponding Workload
Balancing Pool Audit Trail report.