20
1. Run the commands:
xe subject-role-remove uuid=<subject uuid> role-name= \
<role_name_to_remove>
xe subject-role-add uuid=<subject uuid > role-name= \
<role_name_to_add>
To ensure that the new role takes effect, the user should be logged out and logged back in again (this requires
the "Logout Active User Connections" permission - available to a Pool Administrator or Pool Operator).
Warning:
Once you have added or removed a pool-admin subject, there can be a delay of a few seconds
for ssh sessions associated to this subject to be accepted by all hosts of the pool.
Auditing
The RBAC audit log will record any operation taken by a logged-in user.
• the message will explicitly record the Subject ID and user name associated with the session that invoked the
operation.
• if an operation is invoked for which the subject does not have authorization, this will be logged.
• if the operation succeeded then this is recorded; if the operation failed then the error code is logged.
Audit Log xe CLI Commands
xe audit-log-get [since=<timestamp>] filename=<output filename>
This command downloads to a file all the available records of the RBAC audit file in the pool. If the optional
parameter 'since' is present, then it only downloads the records from that specific point in time.
To Obtain All Audit Records From the Pool
Run the following command:
xe audit-log-get filename=/tmp/auditlog-pool-actions.out
To Obtain Audit Records of the Pool Since a Precise Millisecond Timestamp
Run the following command:
xe audit-log-get since=2009-09-24T17:56:20.530Z \
filename=/tmp/auditlog-pool-actions.out
To Obtain Audit Records of the Pool Since a Precise Minute Timestamp
Run the following command:
xe audit-log-get since=2009-09-24T17:56Z \
filename=/tmp/auditlog-pool-actions.out
How Does XenServer Compute the Roles for the Session?
1. The subject is authenticated via the Active Directory server to verify which containing groups the subject may
also belong to.
2. XenServer then verifies which roles have been assigned both to the subject, and to its containing groups.
3. As subjects can be members of multiple Active Directory groups, they will inherit all of the permissions of the
associated roles.