CTX126442 - How to Modify Default Role Based Access Control Permissions for Xenserver


How to Modify Default Role Based Access Control Permissions for XenServer

Document ID: CTX126442 / Created On: 25/08/2010 / Updated On: 05/09/2013

Summary

This document explains how to modify and extend RBAC (Role Based Access Control) pre-established roles in XenServer 5.6 and later editions. XenServer 5.6 introduced RBAC pre-established roles. In certain scenarios, a Pool Administrator might wish to grant specific privileges to a role without changing the users’ role level.

Requirements

Pool Administrator or root access to XenServer host using the Command Line Interface (CLI)

Pool Administrator or root access to XenServer host using XenCenter

Pool Administrator or root access to XenCenter

Considerations

Before extending RBAC permissions, it is important to understand the roles available, the permissions each role has and what operations these permissions allow.

Procedure

Roles

XenServer is shipped with the following pre-established roles:

Pool Admin – the same as being the local root. Can perform all operations. Note: The local super user (root) will always have the "Pool Admin" role. The Pool Admin role has the same permissions as the local root.

Pool Operator – can do everything apart from adding/removing users and modifying their roles. This role is focused mainly on host and pool management (creating storage, making pools, managing the hosts, and so on).

VM Power Admin – creates and manages virtual machines. This role is focused on provisioning virtual machines for use by a virtual machine operator.

VM Admin – similar to a VM Power Admin, but cannot migrate virtual machines or perform snapshots.

VM Operator – similar to VM Admin, but cannot create or destroy virtual machines – but can perform start and stop lifecycle operations.

Read Only – can view resource pool and performance data.

Permissions

Listed below are the permissions for each role:

| Role permissions                                                  | Pool Admin | Pool Operator | VM Power Admin | VM Admin | VM Operator | Read Only |
|-------------------------------------------------------------------|:----------:|:-------------:|:--------------:|:--------:|:-----------:|:---------:|
| Assign/modify roles                                               | X          |               |                |          |             |           |
| Log in to (physical) server consoles (through SSH and XenCenter)  | X          |               |                |          |             |           |
| Server backup/restore                                             | X          |               |                |          |             |           |
| Log out active user connections                                   | X          | X             |                |          |             |           |
| Create and dismiss alerts                                         | X          | X             |                |          |             |           |
| Cancel task of any user                                           | X          | X             |                |          |             |           |
| Pool management                                                   | X          | X             |                |          |             |           |
| VM advanced operations                                            | X          | X             | X              |          |             |           |
| VM create/destroy operations                                      | X          | X             | X              | X        |             |           |
| VM change CD media                                                | X          | X             | X              | X        | X           |           |
| View VM consoles                                                  | X          | X             | X              | X        | X           |           |
| XenCenter view mgmt ops                                           | X          | X             | X              | X        | X           |           |
| Cancel own tasks                                                  | X          | X             | X              | X        | X           | X         |
| Read audit logs                                                   | X          | X             | X              | X        | X           | X         |
| Configure, Initialize, Enable, Disable WLB                        | X          | X             |                |          |             |           |
| Apply WLB Optimization Recommendations                            | X          | X             |                |          |             |           |
| Modify WLB Report Subscriptions                                   | X          | X             |                |          |             |           |
| Accept WLB Placement Recommendations                              | X          | X             | X              |          |             |           |
| Display WLB Configuration                                         | X          | X             | X              | X        | X           | X         |
| Generate WLB Reports                                              | X          | X             | X              | X        | X           | X         |
| Display WLB Reports                                               | X          | X             | X              | X        | X           | X         |
| Connect to pool and read all pool metadata                        | X          | X             | X              | X        | X           | X         |

Operations Allowed

The following set of permissions allows the corresponding operations:

Permission: Allows

Assign/modify roles:
    Add/remove subjects
    Add/remove roles from subjects
    Enable/disable Active Directory

Login to host consoles:
    Host console access using ssh
    Host console access using XenCenter

Host backup/restore:
    Host backup/restore
    Pool metadata backup/restore

Logout active user connections:
    Ability to kick out logged in users

Create/dismiss alerts:

Cancel task of any user:
    Request cancellation of any running task

Pool management:
    Pool set properties (name-label, default SRs)
    Enable/disable/configure HA
    Set per-VM HA restart priorities
    Enable/disable/configure WLB
    Add/remove host from pool
    Emergency transition to master
    Emergency master address
    Emergency recover slaves
    Designate new master
    Certificate management (host and pool)
    Patching
    Host set properties
    Host configure logging
    Host enable/disable
    Host shutdown/reboot/power-on
    Host create bugtool/get_system_status
    Apply license
    Host evacuate
    Host configure management interface
    Host management disable
    Crashdump delete
    Network add/remove/edit properties
    PIF/VLAN/Bond add/remove/edit
    SR/PBD add/remove/edit
    Secret add/remove/retrieve

VM advanced operations:
    VM memory adjust (ballooning)
    VM checkpoint/snapshot/rollback
    VM migrate
    VM.start_on
    VM.resume_on

VM create/destroy operations:
    VM install/uninstall
    VM clone
    VM add/remove/configure virtual disk/CD devices
    VM add/remove/configure virtual network devices
    VM import/export
    VM configuration change

VM change CD media:
    Eject current CD
    Insert new CD

VM change power state:
    VM start
    Clean_shutdown
    Hard_shutdown
    Clean_reboot
    Hard_reboot
    Suspend
    Resume

View VM consoles:
    See and interact with VM consoles

XenCenter view mgmt operations:
    Create/modify global XenCenter folders
    Create/modify global XenCenter custom fields
    Create/modify global XenCenter searches

Cancel own tasks:
    Request the cancellation of a user's own tasks

Read audit log:
    Download the XenServer audit log

Connect to pool and read all pool metadata:
    Login to pool
    View pool metadata
    View historical performance data
    View logged in users
    View subjects and roles
    View tasks
    View messages
    Register for and receive events
    Read WLB reports

Preparing to Extend Permissions

1. Go to XenCenter and select the Users tab.

2. Verify that the XenServer host or pool has been successfully added to the domain.

3. On the workstation where the XenCenter console is installed, create the following registry entry:

   Key: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XenCenter
   String Value = DontSudo
   Value = True

4. If you decide to create a registry script, the contents of the script need to have the exact details listed below:

   Windows Registry Editor Version 5.00

   [HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\XenCenter]
   "InstallDir"="C:\\Program Files\\Citrix\\XenCenter\\"
   "DontSudo"="True"

5. Download from above a registry script created for your convenience.

Caution! This procedure requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Back up the registry before you edit it.

6. If the registry key is not applied and a user attempts to complete an action for an assigned permission, they receive the following screen:

7. After applying the registry changes, go to XenCenter and select the Users tab. Note the Subject and Role that you want to modify (see example below).

8. Go to the Command Line Interface (CLI) or open an ssh session to the XenServer host. Use the following command to find and filter by role:

   # xe subject-list roles=<Subject Role>

9. Roles available to modify are:

   • pool-admin
   • pool-operator
   • vm-power-admin
   • vm-admin
   • vm-operator
   • read-only

   See example below:

   # xe subject-list roles=vm-operator
   uuid ( RO) : 3f230ef4-df11-3476-585a-31578dd599ce
   subject-identifier ( RO): S-1-5-21-3218303669-2594918284-589783900-1110
   other-config (MRO): subject-name: DOMAIN\user5; subject-upn: [email protected]; subject-uid: 8389718; subject-gid: 8389121; subject-sid: S-1-5-21-3218303669-2594918284-589783900-1110; subject-gecos: User5; subject-displayname: User5; subject-is-group: false; subject-account-disabled: false; subject-account-expired: false; subject-account-locked: false; subject-password-expired: false
   roles (SRO): vm-operator

   Example:

   Find and make a note of the subject UUID of the subject whose role permission will be modified. Use the following command to add the specific permissions:

   # xe subject-role-add uuid=<Subject UUID> role-name=<Role Permission>

Adding Permissions

Note: For a complete list of permissions, operations allowed, and roles they can be applied to, go to CTX126441 - Available Role Based Access Control Permissions for XenServer. An “X” indicates that the permission listed has already been assigned to that role.

Below is a small list of the most popular permissions used:

| PERMISSION                        | pool-admin | pool-operator | vm-power-admin | vm-admin | vm-operator | read-only |
|-----------------------------------|:----------:|:-------------:|:--------------:|:--------:|:-----------:|:---------:|
| vm.pool_migrate                   | X          | X             | X              |          |             |           |
| vm.hard_reboot                    | X          | X             | X              | X        | X           |           |
| vm.power_state_reset              | X          | X             |                |          |             |           |
| vm.hard_shutdown                  | X          | X             | X              | X        | X           |           |
| vm.clean_reboot                   | X          | X             | X              | X        | X           |           |
| vm.clean_shutdown                 | X          | X             | X              | X        | X           |           |
| vm.unpause                        | X          | X             | X              | X        | X           |           |
| vm.pause                          | X          | X             | X              | X        | X           |           |
| vm.start_on                       | X          | X             | X              |          |             |           |
| host.reboot                       | X          | X             |                |          |             |           |
| host.shutdown                     | X          | X             |                |          |             |           |
| host.enable                       | X          | X             |                |          |             |           |
| host.disable                      | X          | X             |                |          |             |           |
| host.remove_from_license_server   | X          | X             |                |          |             |           |
| host.add_to_license_server        | X          | X             |                |          |             |           |
| host.set_license_server           | X          | X             |                |          |             |           |

For example, to add XenMotion rights to a VM operator, use the following syntax:

xe subject-role-add uuid=<subject UUID> role-name=vm.pool_migrate

Example:

Verifying Permissions

To verify the permissions assigned to a user, run the following command:

xe subject-list uuid=<subject UUID>

Example:

[root@ftlchristophxs56a ~]# xe subject-list uuid=3f230ef4-df11-3476-585a-31578dd599ce
uuid ( RO) : 3f230ef4-df11-3476-585a-31578dd599ce
subject-identifier ( RO): S-1-5-21-3218303669-2594918284-589783900-1110
other-config (MRO): subject-name: DOMAIN\user5; subject-upn: [email protected]; subject-uid: 8389718; subject-gid: 8389121; subject-sid: S-1-5-21-3218303669-2594918284-589783900-1110; subject-gecos: User5; subject-displayname: User5; subject-is-group: false; subject-account-disabled: false; subject-account-expired: false; subject-account-locked: false; subject-password-expired: false
roles (SRO): http/post_root; vm.pool_migrate; vm-operator
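The lookup in steps 8 and 9 and the verification above both come down to reading the `roles (SRO)` line of `xe subject-list` output. The following shell script, added here as an example and not part of the Citrix article, parses a constructed sample of that output (the UUIDs and SIDs are made up) to find subjects by role, check whether a permission such as vm.pool_migrate is already present, and list the extra permissions that have to be removed before XenCenter can change the subject's role.

```shell
#!/bin/sh
# Added example, not from the Citrix article: parse `xe subject-list` output to find
# subject UUIDs by role and see which extra permissions a subject already carries before
# running subject-role-add/remove. Runs offline on a constructed sample (made-up UUIDs/SIDs).

# Constructed sample of what `xe subject-list` prints for two subjects.
SAMPLE_SUBJECT_LIST='uuid ( RO)                : 11111111-2222-3333-4444-555555555555
    subject-identifier ( RO): S-1-5-21-1111111111-2222222222-3333333333-1001
          other-config (MRO): subject-name: DOMAIN\user5; subject-is-group: false
                 roles (SRO): http/post_root; vm.pool_migrate; vm-operator

uuid ( RO)                : 66666666-7777-8888-9999-000000000000
    subject-identifier ( RO): S-1-5-21-1111111111-2222222222-3333333333-1002
          other-config (MRO): subject-name: DOMAIN\user6; subject-is-group: false
                 roles (SRO): vm-admin'

# Turn a "roles (SRO): a; b; c" line into one entry per output line.
split_roles() { sed 's/^.*: *//' | tr ';' '\n' | sed 's/^ *//' | grep -v '^$'; }

# roles_of UUID: every entry of that subject's roles (SRO) list, one per line.
roles_of() {
    printf '%s\n' "$SAMPLE_SUBJECT_LIST" |
        awk -v u="$1" '$1 == "uuid" { cur = $NF } $1 == "roles" && cur == u' | split_roles
}

# subject_uuids_with_role ROLE: uuid of every subject whose roles list contains ROLE.
subject_uuids_with_role() {
    printf '%s\n' "$SAMPLE_SUBJECT_LIST" | awk -v want="$1" '
        $1 == "uuid"  { cur = $NF }
        $1 == "roles" { sub(/^.*: */, ""); n = split($0, r, /; */)
                        for (i = 1; i <= n; i++) if (r[i] == want) print cur }'
}

# subject_has_permission UUID PERM: true if PERM (a built-in role or an added
# permission such as vm.pool_migrate) is already in the subject's roles list.
subject_has_permission() { roles_of "$1" | grep -qxF -- "$2"; }

# extra_permissions UUID: entries that are not one of the six built-in roles, i.e.
# what subject-role-remove must clear before XenCenter can change the subject's role.
extra_permissions() {
    roles_of "$1" | grep -vxE '(pool-admin|pool-operator|vm-power-admin|vm-admin|vm-operator|read-only)'
}

# Usage: check each vm-operator subject before granting XenMotion (vm.pool_migrate).
for u in $(subject_uuids_with_role vm-operator); do
    if subject_has_permission "$u" vm.pool_migrate; then
        echo "$u already has vm.pool_migrate (extras: $(extra_permissions "$u" | tr '\n' ' '))"
    else
        echo "$u: xe subject-role-add uuid=$u role-name=vm.pool_migrate"
    fi
done
```

On a real host, replace the embedded sample with the output of `xe subject-list` piped into the same functions.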

Removing Permissions

To remove the permissions added, use the following command:

# xe subject-role-remove uuid=<subject UUID> role-name=vm.pool_migrate

Example:

Note: If the permissions were not properly applied, you should receive the following error if you try to complete the operation requested.

Changing Role for Subjects with Extended Permissions

After extending the permissions for a role using the CLI, you can no longer modify it using XenCenter. Trying to change the role using XenCenter results in the following error:

Remove all permissions added to a Subject before changing the role.

Tip: To change a role without going to the CLI, remove and add the User and then apply the new role.

More Information

XenServer 5.6 Role Based Access Control


©1999-2013 Citrix Systems, Inc. All rights reserved.

CTX126441 - Available Role Based Access Control Permissions for XenServer

This document applies to:

XenServer 5.6

XenServer 5.6 Common Criteria

XenServer 5.6 FP 1

XenServer 5.6 SP 2

XenServer 6.0

XenServer 6.1.0

XenServer 6.2.0