RBAC roles and permissions
Roles
Citrix Hypervisor is shipped with the following six, pre-established roles:
Pool Administrator(Pool Admin) – the same as the local root. Can perform all operations.
Note:
The local super user (root) has the “Pool Admin” role. The Pool Admin role has the same permissions as the local root.
If you remove the Pool Admin role from a user, consider also changing the server root password and rotating the pool secret. For more information, seePool Security.
Pool Operator(Pool Operator) – can do everything apart from adding/removing users and changing their roles. This role is focused mainly on host and pool management (that is, creating storage, making pools, managing the hosts and so on.)
Virtual Machine Power Administrator(VM Power Admin) – creates and manages Virtual Machines. This role is focused on provisioning VMs for use by a VM operator.
Virtual Machine Administrator(VM Admin) – similar to a VM Power Admin, but cannot migrate VMs or perform snapshots.
Virtual Machine Operator(VM Operator) – similar to VM Admin, but cannot create/destroy VMs – but can perform start/stop lifecycle operations.
Read-only(Read Only) – can view resource pool and performance data.
Warning:
When using Active Directory groups to grant access for Pool Administrator users who require host ssh access, the number of users in the Active Directory group must not exceed 500.
For a summary of the permissions available for each role and for information on the operations available for each permission, seeDefinitions of RBAC roles and permissionsin the following section.
When you create a user in Citrix Hypervisor, you must first assign a role to the newly created user before they can use the account. Citrix Hypervisordoes notautomatically assign a role to the newly created user. As a result, these accounts do not have any access to Citrix Hypervisor pool until you assign them a role.
Modify the subject to role mapping. This requires the assign/modify role permission, only available to a Pool Administrator.
Modify the user’s containing group membership in Active Directory.
Definitions of RBAC roles and permissions
The following table summarizes which permissions are available for each role. For details on the operations available for each permission, seeDefinitions of permissions.
| Role permissions | Pool Admin | Pool Operator | VM Power Admin | VM Admin | VM Operator | Read Only |
|---|---|---|---|---|---|---|
| Assign/modify roles | X | |||||
| Log in to (physical) server consoles (through SSH and XenCenter) | X | |||||
| 年代erver backup/restore | X | |||||
| Import/export OVF/OVA packages and disk images | X | |||||
| 年代et cores per socket | X | X | X | X | ||
| Convert virtual machines using Citrix Hypervisor Conversion Manager | X | |||||
| 年代witch-port locking | X | X | ||||
| 多路径 | X | X | ||||
| Log out active user connections | X | X | ||||
| Create and dismiss alerts | X | X | ||||
| Cancel task of any user | X | X | ||||
| Pool management | X | X | ||||
| Live migration | X | X | X | |||
| 年代torage live migration | X | X | X | |||
| VM advanced operations | X | X | X | |||
| VM create/destroy operations | X | X | X | X | ||
| VM change CD media | X | X | X | X | X | |
| VM change power state | X | X | X | X | X | |
| View VM consoles | X | X | X | X | X | |
| XenCenter view management operations | X | X | X | X | X | |
| Cancel own tasks | X | X | X | X | X | X |
| Read audit logs | X | X | X | X | X | X |
| Connect to pool and read all pool metadata | X | X | X | X | X | X |
| Configure virtual GPU | X | X | ||||
| View virtual GPU configuration | X | X | X | X | X | X |
| Access the config drive (CoreOS VMs only) | X | |||||
| 年代cheduled Snapshots (Add/Remove VMs to existing Snapshots Schedules) | X | X | X | |||
| 年代cheduled Snapshots (Add/Modify/Delete Snapshot Schedules) | X | X | ||||
| Gather diagnostic information | X | X | ||||
| Configure changed block tracking | X | X | X | X | ||
| List changed blocks | X | X | X | X | X | |
| Configure PVS-Accelerator | X | X | ||||
| View PVS-Accelerator configuration | X | X | X | X | X | X |
Definitions of permissions
Assign/modify roles:
- Add/remove users
- Add/remove roles from users
- Enable and disable Active Directory integration (being joined to the domain)
This permission lets the user grant themselves any permission or perform any task.
Warning: This role lets the user disable the Active Directory integration and all subjects added from Active Directory.
Log in to server consoles:
- 年代erver console access through ssh
- 年代erver console access through XenCenter
Warning: With access to a root shell, the assignee can arbitrarily reconfigure the entire system, including RBAC.
年代erver backup/restore VM create/destroy operations:
- Back up and restore servers
- Back up and restore pool metadata
The capability to restore a backup lets the assignee revert RBAC configuration changes.
Import/export OVF/OVA packages and disk images:
- Import OVF and OVA packages
- Import disk images
- 出口vm OVF /卵包
年代et cores-per-socket:
- 年代et the number of cores per socket for the VM’s virtual CPUs
This permission enables the user to specify the topology for the VM’s virtual CPUs.
Convert VMs using Citrix Hypervisor Conversion Manager:
- Convert VMware VMs to Citrix Hypervisor VMs
This permission lets the user convert workloads from VMware to Citrix Hypervisor by copying batches of VMware VMs to Citrix Hypervisor environment.
年代witch-port locking:
- Control traffic on a network
This permission lets the user block all traffic on a network by default, or define specific IP addresses from which a VM is allowed to send traffic.
多路径:
- Enable multipathing
- Disable multipathing
Log out active user connections:
- Ability to disconnect logged in users
Create/dismiss alerts:
- Configure XenCenter to generate alerts when resource usage crosses certain thresholds
- Remove alerts from the Alerts view
Warning: A user with this permission can dismiss alerts for the entire pool.
Note: The ability to view alerts is part of the Connect to Pool and read all pool metadata permission.
Cancel task of any user:
- Cancel any user’s running task
This permission lets the user request Citrix Hypervisor cancel an in-progress task initiated by any user.
Pool management:
- 年代et pool properties (naming, default SRs)
- Create a clustered pool
- 启用、禁用和配置高可用性
- 年代et per-VM high availability restart priorities
- Configure DR and perform DR failover, failback, and test failover operations
- Enable, disable, and configure Workload Balancing (WLB)
- Add and remove server from pool
- Emergency transition to master
- Emergency master address
- Emergency recover pool members
- Designate new master
- Manage pool and server certificates
- Patching
- 年代et server properties
- Configure server logging
- Enable and disable servers
- 年代hut down, reboot, and power-on servers
- Restart toolstack
- 年代ystem status reports
- Apply license
- Live migration of all other VMs on a server to another server, because of maintenance mode, or high availability
- Configure server management interface and secondary interfaces
- Disable server management
- Delete crashdumps
- Add, edit, and remove networks
- Add, edit, and remove PBDs/PIFs/VLANs/Bonds/SRs
- Add, remove, and retrieve secrets
This permission includes all the actions required to maintain a pool.
Note: If the management interface is not functioning, no logins can authenticate except local root logins.
Live migration:
- Migrate VMs from one host to another host when the VMs are on storage shared by both hosts
年代torage live migration:
- Migrate from one host to another host when the VMs are not on storage shared between the two hosts
- Move Virtual Disk (VDIs) from one SR to another SR
VM advanced operations:
- Adjust VM memory (through Dynamic Memory Control)
- 创建一个虚拟机年代napshot with memory, take VM snapshots, and roll-back VMs
- Migrate VMs
- 年代tart VMs, including specifying physical server
- Resume VMs
This permission provides the assignee with enough privileges to start a VM on a different server if they are not satisfied with the server Citrix Hypervisor selected.
VM create/destroy operations:
- Install or delete
- Clone/copy VMs
- Add, remove, and configure virtual disk/CD devices
- Add, remove, and configure virtual network devices
- Import/export XVA files
- VM configuration change
- 年代erver backup/restore
Note:
The VM Admin role can import XVA files only into a pool with a shared SR. The VM Admin role has insufficient permissions to import an XVA file into a host or into a pool without shared storage.
VM change CD media:
- Eject current CD
- Insert new CD
Import/export OVF/OVA packages; import disk images
VM change power state:
- 年代tart VMs (automatic placement)
- 年代hut down VMs
- Reboot VMs
- 年代uspend VMs
- Resume VMs (automatic placement)
This permission does not include start_on, resume_on, and migrate, which are part of the VM advanced operations permission.
View VM consoles:
- 年代ee and interact with VM consoles
This permission does not let the user view server consoles.
XenCenter view management operations:
- Create and modify global XenCenter folders
- Create and modify global XenCenter custom fields
- Create and modify global XenCenter searches
Folders, custom fields, and searches are shared between all users accessing the pool
Cancel own tasks:
- Lets a user cancel their own tasks
Read audit log:
- 下载Citrix程序审计日志
Connect to pool and read all pool metadata:
- Log in to pool
- View pool metadata
- View historical performance data
- View logged in users
- View users and roles
- View messages
- Register for and receive events
Configure virtual GPU:
- 年代pecify a pool-wide placement policy
- Assign a virtual GPU to a VM
- Remove a virtual GPU from a VM
- Modify allowed virtual GPU types
- Create, destroy, or assign a GPU group
View virtual GPU configuration:
- View GPUs, GPU placement policies, and virtual GPU assignments
Access the config drive (CoreOS VMs only):
- Access the config driver of the VM
年代cheduled Snapshots:
- Add VMs to existing snapshot schedules
- Remove VMs from existing snapshot schedules
- Add snapshot schedules
- Modify snapshot schedules
- Delete snapshot schedules
Gather diagnostic information from Citrix Hypervisor:
- Initiate GC collection and heap compaction
- Gather garbage collection statistics
- 收集数据库statistics
- Gather network statistics
Configure changed block tracking:
- Enable changed block tracking
- Disable changed block tracking
- Destroy the data associated with a snapshot and retain the metadata
- Get the NBD connection information for a VDI
Changed block tracking can be enabled only for licensed instances of Citrix Hypervisor Premium Edition.
List changed blocks:
- Compare two VDI snapshots and list the blocks that have changed between them
Configure PVS-Accelerator:
- Enable PVS-Accelerator
- Disable PVS-Accelerator
- Update (PVS-Accelerator) cache configuration
- Add/Remove (PVS-Accelerator) cache configuration
View PVS-Accelerator configuration:
- View the status of PVS-Accelerator
Note:
年代ometimes, a Read Only user cannot move a resource into a folder in XenCenter, even after receiving an elevation prompt and supplying the credentials of a more privileged user. In this case, log on to XenCenter as the more privileged user and retry the action.
How does Citrix Hypervisor compute the roles for the session?
The subject is authenticated through the Active Directory server to verify which containing groups the subject may also belong to.
Citrix Hypervisor then verifies which roles have been assigned both to the subject, and to its containing groups.
As subjects can be members of multiple Active Directory groups, they inherit all of the permissions of the associated roles.
