12
Note:
You cannot add, remove or modify roles in this version of XenServer.
Warning:
You can not assign the role of pool-admin to an AD group which has more than 500 members,
if you want users of the AD group to have SSH access.
For a summary of the permissions available for each role and more detailed information on the operations
available for each permission, see the section called “Definitions of RBAC Roles and Permissions”.
All XenServer users need to be allocated to an appropriate role. By default, all new users will be allocated to the
Pool Administrator role. It is possible for a user to be assigned to multiple roles; in that scenario, the user will
have the union of all the permissions of all their assigned roles.
A user's role can be changed in two ways:
1. Modify the subject -> role mapping (this requires the assign/modify role permission, only available to a Pool
Administrator.)
2. Modify the user's containing group membership in Active Directory.
Definitions of RBAC Roles and Permissions
The following table summarizes which permissions are available for each role. For details on the operations
available for each permission, see Definitions of permissions.
Table 1. Permissions available for each role
Role
permissions
Pool Admin Pool
Operator
VM Power
Admin
VM Admin VM Operator Read Only
Assign/
modify roles
X
Log in to
(physical)
server
consoles
(through SSH
and
XenCenter)
X
Server
backup/
restore
X
Import/
export OVF/
OVA
packages and
disk images
X
Log out
active user
connections
X X
Create and
dismiss alerts
X X