5
Managing Users
Defining users, groups, roles and permissions allows you to control who has access to your XenServer hosts and
pools and what actions they can perform.
When you first install XenServer, a user account is added to XenServer automatically. This account is the local
super user (LSU), or root, which is authenticated locally by the XenServer computer.
The local super user (LSU), or root, is a special user account used for system administration and has all rights or
permissions. In XenServer, the local super user is the default account at installation. The LSU is authenticated
by XenServer and not an external authentication service. This means that if the external authentication service
fails, the LSU can still log in and manage the system. The LSU can always access the XenServer physical server
through SSH.
You can create additional users by adding their Active Directory accounts through either the XenCenter's Users
tab or the CLI. All editions of XenServer can add user accounts from Active Directory. However, only XenServer
Enterprise and Platinum editions let you assign these Active Directory accounts different levels of permissions
(through the Role Based Access Control (RBAC) feature). If you do not use Active Directory in your environment,
you are limited to the LSU account.
The permissions assigned to users when you first add their accounts varies according to your version of XenServer:
• In the XenServer and XenServer Advanced edition, when you create (add) new users, XenServer automatically
grants the accounts access to all features available in that version.
• In the XenServer Enterprise and Platinum editions, when you create new users, XenServer does not assign
newly created user accounts roles automatically. As a result, these accounts do not have any access to the
XenServer pool until you assign them a role.
If you do not have one of these editions, you can add users from Active Directory. However, all users will have
the Pool Administrator role.
These permissions are granted through roles, as discussed in the section called “Authenticating Users With Active
Directory (AD)”.
Authenticating Users With Active Directory (AD)
If you want to have multiple user accounts on a server or a pool, you must use Active Directory user accounts for
authentication. This lets XenServer users log in to a pool's XenServers using their Windows domain credentials.
The only way you can configure varying levels of access for specific users is by enabling Active Directory
authentication, adding user accounts, and assign roles to those accounts.
Active Directory users can use the xe CLI (passing appropriate -u and -pw arguments) and also connect to the
host using XenCenter. Authentication is done on a per-resource pool basis.
Access is controlled by the use of subjects. A subject in XenServer maps to an entity on your directory server
(either a user or a group). When external authentication is enabled, the credentials used to create a session are
first checked against the local root credentials (in case your directory server is unavailable) and then against the
subject list. To permit access, you must create a subject entry for the person or group you wish to grant access
to. This can be done using XenCenter or the xe CLI.
If you are familiar with XenCenter, note that the XenServer CLI uses slightly different terminology to refer to Active
Directory and user account features:
XenCenter Term XenServer CLI Term
Users Subjects
Add users Add subjects