Definitions of Rbac Roles and Permissions | Citrix Systems 6

Note:

You cannot add, remove or modify roles in this version of XenServer.

Warning:

You can not assign the role of pool-adminto an AD group which has more than 500 members, if you want users of the AD group to have SSH access.

For a summary of the permissions available for each role and more detailed information on the operations available for each permission, see the section called “Definitions of RBAC Roles and Permissions”.

All XenServer users need to be allocated to an appropriate role. By default, all new users will be allocated to the Pool Administrator role. It is possible for a user to be assigned to multiple roles; in that scenario, the user will have the union of all the permissions of all their assigned roles.

A user's role can be changed in two ways:

1.Modify the subject -> role mapping (this requires the assign/modify role permission, only available to a Pool Administrator.)

2.Modify the user's containing group membership in Active Directory.

Definitions of RBAC Roles and Permissions

The following table summarizes which permissions are available for each role. For details on the operations available for each permission, see Definitions of permissions.

Table 1. Permissions available for each role

Role		Pool Admin	Pool	VM Power	VM Admin	VM Operator	Read Only
permissions			Operator	Admin

Assign/		X
modify roles

Log in	to	X
(physical)
server
consoles
(through SSH
and
XenCenter)

Server		X
backup/
restore

Import/		X
export	OVF/
OVA
packages and
disk images

Log	out	X	X
active	user
connections

Create	and	X	X
dismiss alerts

12

Image 30

Citrix Systems 6 manual Definitions of Rbac Roles and Permissions, Users role can be changed in two ways

Contents

Citrix XenServer 6.0 Administrators Guide Trademarks Contents Storage ISO Configuring VM Memory Xen Memory Usage Disaster Recovery and Backup Monitoring and Managing XenServer 106 110 Page Host-bugreport-upload 129 Xiii Xiv Page Vm-compute-maximum-memory Workload Balancing Service Commands 186 Xviii Using XenServer increases flexibility by Benefits of Using XenServerUsing XenServer reduces costs by Introducing XenServer New Features in XenServer Administering XenServerXenServer Editions Simplified Installer Rolling Pool Upgrade WizardDistributed Virtual Switch Improvements Microsoft Scvmm and Scom Support NFS Support for High Availability VM Protection and RecoveryXenServer Documentation XenCenter Improvements Authenticating Users With Active Directory AD XenCenter TermXenServer CLI Term Configuring Active Directory Authentication Upgrading XenServer Active Directory integration Port Protocol Use User Authentication Enabling external authentication on a poolDisabling external authentication Removing access for a user using the CLI Removing Access for a UserAllowing a user access to XenServer using the CLI Listing subjects with access Terminating individual user sessions using xe Role Based Access ControlTerminating all authenticated sessions using xe Leaving an AD Domain Roles Rbac process Definitions of Rbac Roles and Permissions Users role can be changed in two waysPermissions available for each role WLB Definitions of permissions Permission Allows Assignee To Rationale/Comments Permission Allows Assignee To Rationale/Comments Report Generated or its recipient Using Rbac with the CLI To List All the Available Defined Roles in XenServer To Display a List of Current Subjects To Assign an Rbac Role to a Created subject Run the command xe subject-add subject-name=AD user/groupTo Add a Subject to Rbac To Change a Subjects Rbac Role How Does XenServer Compute the Roles for the Session? Audit Log xe CLI CommandsAuditing To Obtain All Audit Records From the PoolPage Hosts and Resource Pools Overview Requirements for Creating Resource Pools Creating a Resource Pool Creating Heterogeneous Resource PoolsNaming a resource pool Adding NFS shared storage to a resource pool using the CLI Adding Shared Storage Preparing a Pool of XenServer Hosts for Maintenance To remove a host from a resource pool using the CLIRemoving a XenServer Host from a Resource Pool High Availability HA OverviewOvercommitting Configuration Requirements Overcommitment WarningHost Fencing Restart Priorities HA Restart Priority Restart ExplanationHA Always Run Explanation Enabling HA Using the CLI Removing HA Protection from a VM using the CLIEnabling HA on a XenServer Pool Shutting Down a host When HA is Enabled Host Power OnRecovering an Unreachable Host Shutting Down a VM When it is Protected by HA Using the CLI to Manage Host Power On To Enable Host Power On Using the CLITo Turn on Hosts Remotely Using the CLI Key/Value Pairs Sample Script Result is only displayed when the script is unsuccessful Virtual Disk Images VDIs Storage OverviewStorage Repositories SRs Physical Block Devices PBDs Virtual Disk Data Formats Virtual Block Devices VBDsSummary of Storage objects VHD-based VDIs LUN-based VDIs VHD Chain Coalescing Storage Repository Types Local LVMStorage type Maximum VDI size Creating a Local LVM SR lvm Local EXT3 VHDUdev Creating a Local EXT3 SR ext XenServer Host iSCSI configuration Software iSCSI SupportCitrix StorageLink SRs Upgrading XenServer with StorageLink SRs Creating a Shared StorageLink SR To Create a CSL SR Using XenCenter Parameter name Description Optional? To Create a CSL SR Using the CLI Page Sample QLogic iSCSI HBA setup Managing Hardware Host Bus Adapters HBAs LVM over iSCSI Removing HBA-based SAS, FC or iSCSI Device EntriesParameter Name Description Parameter Name Description Hitachi NFS VHD Creating Storage Repositories Storage ConfigurationLVM over Hardware HBA Creating a Shared NFS SR NFS Upgrading LVM Storage from XenServer 5.0 or Earlier LVM Performance ConsiderationsVDI Types Creating a Raw Virtual Disk Using the xe CLI Converting Between VDI FormatsProbing an SR Following parameters can be probed for each SR type Page To enable storage multipathing using the xe CLI Storage Multipathing Destroying or Forgetting a SR Managing Storage RepositoriesMPP Rdac Driver Support for LSI Arrays Introducing an SR Resizing an SR Converting Local Fibre Channel SRs to Shared SRs Copying All of a VMs VDIs to a Different SR Adjusting the Disk IO SchedulerMoving Virtual Disk Images VDIs Between SRs Copying Individual VDIs to a Different SR Automatically Reclaiming Space When Deleting Snapshots Reclaiming Space Using the Off Line Coalesce Tool Virtual Disk QoS Settings Possible values of qosalgorithmparamsched arePage What is Dynamic Memory Control DMC? Concept of Dynamic Range Concept of Static Range DMC BehaviourHow Does DMC Work? Memory Constraints Supported Operating SystemsOperating System Supported Memory Limits Xe CLI Commands Display the Static Memory Properties of a VM Display the Dynamic Memory Properties of a VM Updating Memory Properties Upgrade Issues Update Individual Memory PropertiesWorkload Balancing Interaction Setting Control Domain Memory Name Default Description Name Default Description VSwitch Networks Networking Support XenServer Networking Overview Network Objects Networks VLANsNIC Bonds Page Switch Configuration Active-Active Bonding Active-Passive Bonding Managing Networking Configuration Initial Networking ConfigurationCross-Server Private networks Creating Networks in a Standalone Server Creating Networks in Resource Pools To add a new network using the CLITo connect a network to an external Vlan using the CLI Creating VLANs Creating a NIC bond Bonding two NICsControlling the MAC Address of the Bond Creating NIC bonds in resource pools Reverting NIC bondsAdding NIC bonds to new resource pools Configuring a dedicated storage NIC To assign NIC functions using the xe CLIAdding NIC bonds to an existing pool Using SR-IOV Enabled NICs Controlling the rate of outgoing data QoSAssigning a SR-IOV NIC VF to a VM Changing networking configuration options Networking Stack Configuration Methods Available Hostname Changing IP address configuration for a standalone hostChanging IP address configuration in resource pools DNS servers Primary management interface Networking TroubleshootingDisabling management access Adding a new physical NIC Recovering from a bad network configuration Diagnosing network corruption Disaster Recovery and Backup Understanding XenServer DR DR Infrastructure Requirements Deployment Considerations Enabling Disaster Recovery in XenCenterSteps to Take After a Recovery Steps to Take Before a Disaster Recovering VMs and vApps in the Event of Disaster Failover Recovery Wizard Test Failover VApps Creating vApps Using the Manage vApps dialog box in XenCenterBacking Up and Restoring XenServer Hosts and VMs Value Description To backup a VM To backup pool metadataTo backup host configuration and software To backup VM metadata only Backing up single host installations Backing up pooled installationsBacking up XenServer hosts To back up a XenServer host To restore a running XenServer hostBacking up VMs Restarting a crashed XenServer host Quiesced Snapshots VM SnapshotsRegular Snapshots Snapshots with memory Creating a snapshot with memory To list all of the snapshots on a XenServer poolTo list the snapshots on a particular VM Restoring a VM to its previous state Deleting a snapshot Snapshot Templates Creating a template from a snapshotExporting a snapshot to a template Advanced Notes for Quiesced Snapshots VM Protection and Recovery Coping with machine failuresNaming convention for VM archive folders Opt/xensource/sm/resetvdis.py hostUUID Sruuid master Member failuresMaster failures Coping with Failure due to Configuration Errors Pool failuresPhysical Machine failure To restore a pool with all hosts failed To restore a VM when VM storage is not available Alerts Alert Description Customizing Alerts Valid VM Elements Configuring Email Alerts Valid Host Elements Determining throughput of physical bus adapters Custom Fields and TagsCustom Searches To determine PBD throughput XenServer host logs Sending host log messages to a central serverTo write logs to a remote server XenCenter logs Userprofile%\AppData\Citrix\XenCenter\logs\XenCenter.log Xe command-name argument=value argument=value Basic xe Syntax Command Types Special Characters and SyntaxClass-list Parameter Types Low-level Parameter Commands Low-level List CommandsClass-param-list uuid=uuid Appliance-assert-can-be-recovered Xe Command ReferenceAppliance Commands Appliance Parameters Audit Commands Bonding Commands CD Commands Cd-list Cd-listparams=param1,param2,... parameter=parametervalue Console Parameters Console CommandsDisaster Recovery DR Commands Drtask-create Sr-enable-database-replication Vm-assert-can-be-recoveredVm-recover Sr-disable-database-replication Event Commands Event ClassesClass name Description GPU Commands Event-wait GPU Group Parameters Vgpu-destroy Host CommandsVgpu-create Host Selectors Host Parameters Syslogdestination Yyyymmdd-hhmmss-ABC, where ABC is Host-bugreport-upload Host-backupHost-disable Host-crashdump-destroy Host-evacuate Host-emergency-management-reconfigureHost-enable Host-forget Host-get-system-status-capabilities Attribute Description Host-apply-edition Host-management-disableHost-is-in-emergency-mode Host-license-add Host-get-cpu-features Host-management-reconfigureHost-power-on Host-set-cpu-features Host-set-hostname-live Host-restoreHost-syslog-reconfigure Host-shutdown Host-data-source-forget Host-data-source-listHost-data-source-record Host-data-source-query Log-set-output Log CommandsMessage Commands Message Parameters Message-list Network CommandsMessage-destroy Network Parameters Network-destroy Patch Update CommandsNetwork-create Patch Parameters PBD Commands Pbd-destroy PIF CommandsPbd-create Pbd-plug PIF Parameters MAC Full or half Pif-introduce Pif-reconfigure-ipPif-forget Pif-plug Pif-unplug Pool CommandsPif-scan Pool Parameters Pool-designate-new-master Pool-dump-database Pool-ha-disable Pool-emergency-reset-masterPool-ha-enable Pool-recover-slaves SM Parameters Storage Manager CommandsSR Commands SR Parameters Sr-create User Sr-introduce Sr-destroySr-forget Sr-probe Task Commands Task Parameters Task-cancel uuid=taskuuid Template CommandsTask-cancel Template Parameters For memory-dynamic-max Uuid=templateuuid \ Order or an Order Not YyyymmddThhmmss As not in database for Update Commands Template-export Update-upload User CommandsVBD Commands User-password-change Vbd-create Vbd-createvm-uuid=uuidofthevmdevice=devicevalue VDI Commands VDI Parameters VDI Vdi-create Vdi-cloneVdi-copy Local/domain/0/backend Vdi-import Vdi-destroyVdi-forget Vdi-introduce Vdi-unlock VIF CommandsVdi-snapshot VIF Parameters Disable 165 Vif-destroy Vlan CommandsVif-create Vif-plug VM Commands Parameter Name Description Type Uuid=vmuuid \ Order Value pair autopoweron true Vcpu-hotplug command Domain/domid/vm Vm-cd-insert Vm-cd-addVm-cd-eject Vm-cd-list Vm-copy Vm-cloneVm-compute-maximum-memory Vm-crashdump-list Vm-data-source-forget Vm-data-source-listVm-data-source-record Vm-data-source-query Vm-disk-list Vm-destroyVm-disk-add Vm-disk-remove Vm-install Vm-import Vm-memory-shadow-multiplier-set Vm-rebootVm-reset-powerstate Vm-migrate Vm-start Vm-resumeVm-shutdown Vm-suspend Workload Balancing XE Commands Host-retrieve-wlb-evacuate-recommendations Pool-retrieve-wlb-diagnosticsPool-certificate-install Vm-retrieve-wlb-recommendations Pool-retrieve-wlb-recommendations Pool-deconfigure-wlbPool-retrieve-wlb-configuration Pool-retrieve-wlb-report Pool-send-wlb-configuration 185 Service Commands To run the wlbconfig command Modifying the Workload Balancing configuration optionsEditing the Workload Balancing configuration file To edit the wlb.conf file Increasing the Detail in the Workload Balancing Log Logging Trace Flag Benefit or Purpose Option Logging Trace Flag Benefit or Purpose Option