Citrix Hypervisor

RBAC roles and permissions

Roles

Citrix Hypervisor is shipped with the following six, pre-established roles:

  • Pool Administrator (Pool Admin) – the same as the local root. Can perform all operations.

    Note:

    The local super user (root) has the “Pool Admin” role. The Pool Admin role has the same permissions as the local root.

    If you remove the Pool Admin role from a user, consider also changing the server root password and rotating the pool secret. For more information, see Pool Security.

  • Pool Operator (Pool Operator) – can do everything apart from adding/removing users and changing their roles. This role is focused mainly on host and pool management (that is, creating storage, making pools, managing the hosts and so on.)

  • Virtual Machine Power Administrator (VM Power Admin) – creates and manages Virtual Machines. This role is focused on provisioning VMs for use by a VM operator.

  • Virtual Machine Administrator (VM Admin) – similar to a VM Power Admin, but cannot migrate VMs or perform snapshots.

  • Virtual Machine Operator (VM Operator) – similar to VM Admin, but cannot create/destroy VMs – but can perform start/stop lifecycle operations.

  • Read-only (Read Only) – can view resource pool and performance data.

Warning:

When using Active Directory groups to grant access for Pool Administrator users who require host ssh access, the number of users in the Active Directory group must not exceed 500.

For a summary of the permissions available for each role and for information on the operations available for each permission, see Definitions of RBAC roles and permissions in the following section.

When you create a user in Citrix Hypervisor, you must first assign a role to the newly created user before they can use the account. Citrix Hypervisor does not automatically assign a role to the newly created user. As a result, these accounts do not have any access to Citrix Hypervisor pool until you assign them a role.

  1. Modify the subject to role mapping. This requires the assign/modify role permission, only available to a Pool Administrator.

  2. Modify the user’s containing group membership in Active Directory.

Definitions of RBAC roles and permissions

The following table summarizes which permissions are available for each role. For details on the operations available for each permission, see Definitions of permissions.

Role permissions Pool Admin Pool Operator VM Power Admin VM Admin VM Operator Read Only
Assign/modify roles X          
Log in to (physical) server consoles (through SSH and XenCenter) X          
Server backup/restore X          
Import OVF/OVA packages; import disk images X          
Import XVA packages X X X      
Export OVF/OVA packages X          
Export XVA packages X X X      
Set cores per socket X X X X    
Convert VMs using Conversion Manager X          
Switch-port locking X X        
Multipathing X X        
Log out active user connections X X        
Create and dismiss alerts X X        
Cancel task of any user X X        
Pool management X X        
Live migration X X X      
Storage live migration X X X      
VM advanced operations X X X      
VM create/destroy operations X X X X    
VM change CD media X X X X X  
VM change power state X X X X X  
View VM consoles X X X X X  
vApps (Add/Modify/Delete vApps) X X        
vApps (Start/Shutdown vApps) X X        
vApps (Add/Remove VMs to an existing vApp) X X        
vApps (View vApps) X X X X X X
XenCenter view management operations X X X X X  
Cancel own tasks X X X X X X
Read audit logs X X X X X X
Connect to pool and read all pool metadata X X X X X X
Configure virtual GPU X X        
View virtual GPU configuration X X X X X X
Access the config drive (CoreOS VMs only) X          
Scheduled Snapshots (Add/Remove VMs to existing Snapshots Schedules) X X X      
Scheduled Snapshots (Add/Modify/Delete Snapshot Schedules) X X        
Gather diagnostic information X X        
Configure changed block tracking X X X X    
List changed blocks X X X X X  
Configure PVS-Accelerator X X        
View PVS-Accelerator configuration X X X X X X

Definitions of permissions

Assign/modify roles:

  • Add/remove users
  • Add/remove roles from users
  • Enable and disable Active Directory integration (being joined to the domain)

This permission lets the user grant themselves any permission or perform any task.

Warning: This role lets the user disable the Active Directory integration and all subjects added from Active Directory.

Log in to server consoles:

  • Server console access through ssh
  • Server console access through XenCenter

Warning: With access to a root shell, the assignee can arbitrarily reconfigure the entire system, including RBAC.

Server backup/restore VM create/destroy operations:

  • Back up and restore servers
  • Back up and restore pool metadata

The capability to restore a backup lets the assignee revert RBAC configuration changes.

Import/export OVF/OVA packages and disk images:

  • Import OVF and OVA packages
  • Import disk images
  • Export VMs as OVF/OVA packages

Set cores-per-socket:

  • Set the number of cores per socket for the VM’s virtual CPUs

This permission enables the user to specify the topology for the VM’s virtual CPUs.

Convert VMs using Conversion Manager:

  • Convert VMware ESXi/vCenter VMs to Citrix Hypervisor VMs

This permission lets the user convert workloads from VMware to Citrix Hypervisor by copying batches of VMware ESXi/vCenter VMs to Citrix Hypervisor environment.

Switch-port locking:

  • Control traffic on a network

This permission lets the user block all traffic on a network by default, or define specific IP addresses from which a VM is allowed to send traffic.

Multipathing:

  • Enable multipathing
  • Disable multipathing

Log out active user connections:

  • Ability to disconnect logged in users

Create/dismiss alerts:

  • Configure XenCenter to generate alerts when resource usage crosses certain thresholds
  • Remove alerts from the Alerts view

Warning: A user with this permission can dismiss alerts for the entire pool.

Note: The ability to view alerts is part of the Connect to Pool and read all pool metadata permission.

Cancel task of any user:

  • Cancel any user’s running task

This permission lets the user request Citrix Hypervisor cancel an in-progress task initiated by any user.

Pool management:

  • Set pool properties (naming, default SRs)
  • Create a clustered pool
  • Enable, disable, and configure high availability
  • Set per-VM high availability restart priorities
  • Configure DR and perform DR failover, failback, and test failover operations
  • Enable, disable, and configure Workload Balancing (WLB)
  • Add and remove server from pool
  • Emergency transition to master
  • Emergency master address
  • Emergency recover pool members
  • Designate new master
  • Manage pool and server certificates
  • Patching
  • Set server properties
  • Configure server logging
  • Enable and disable servers
  • Shut down, reboot, and power-on servers
  • Restart toolstack
  • System status reports
  • Apply license
  • Live migration of all other VMs on a server to another server, because of maintenance mode, or high availability
  • Configure server management interface and secondary interfaces
  • Disable server management
  • Delete crashdumps
  • Add, edit, and remove networks
  • Add, edit, and remove PBDs/PIFs/VLANs/Bonds/SRs
  • Add, remove, and retrieve secrets

This permission includes all the actions required to maintain a pool.

Note: If the management interface is not functioning, no logins can authenticate except local root logins.

Live migration:

  • Migrate VMs from one host to another host when the VMs are on storage shared by both hosts

Storage live migration:

  • Migrate from one host to another host when the VMs are not on storage shared between the two hosts
  • Move Virtual Disk (VDIs) from one SR to another SR

VM advanced operations:

  • Adjust VM memory (through Dynamic Memory Control)
  • Create a VM snapshot with memory, take VM snapshots, and roll-back VMs
  • Migrate VMs
  • Start VMs, including specifying physical server
  • Resume VMs

This permission provides the assignee with enough privileges to start a VM on a different server if they are not satisfied with the server Citrix Hypervisor selected.

VM create/destroy operations:

  • Install or delete
  • Clone/copy VMs
  • Add, remove, and configure virtual disk/CD devices
  • Add, remove, and configure virtual network devices
  • Import/export XVA files
  • VM configuration change
  • Server backup/restore

VM change CD media:

  • Eject current CD
  • Insert new CD

Import/export OVF/OVA packages; import disk images

VM change power state:

  • Start VMs (automatic placement)
  • Shut down VMs
  • Reboot VMs
  • Suspend VMs
  • Resume VMs (automatic placement)

This permission does not include start_on, resume_on, and migrate, which are part of the VM advanced operations permission.

View VM consoles:

  • See and interact with VM consoles

This permission does not let the user view server consoles.

vApps (Add/Modify/Delete vApps):

  • Create a vApp
  • Delete a vApp
  • Change the properties of a vApp

vApps (Start/Shutdown vApps):

  • Start a vApp
  • Shutdown a vApp

vApps (Add/Remove VMs to an existing vApp):

  • Add a VM to a vApp.
  • Remove a VM from a vApp

vApps (View vApps):

  • View vApps in the pool

XenCenter view management operations:

  • Create and modify global XenCenter folders
  • Create and modify global XenCenter custom fields
  • Create and modify global XenCenter searches

Folders, custom fields, and searches are shared between all users accessing the pool

Cancel own tasks:

  • Lets a user cancel their own tasks

Read audit log:

  • Download the Citrix Hypervisor audit log

Connect to pool and read all pool metadata:

  • Log in to pool
  • View pool metadata
  • View historical performance data
  • View logged in users
  • View users and roles
  • View messages
  • Register for and receive events

Configure virtual GPU:

  • Specify a pool-wide placement policy
  • Assign a virtual GPU to a VM
  • Remove a virtual GPU from a VM
  • Modify allowed virtual GPU types
  • Create, destroy, or assign a GPU group

View virtual GPU configuration:

  • View GPUs, GPU placement policies, and virtual GPU assignments

Access the config drive (CoreOS VMs only):

  • Access the config driver of the VM

Scheduled Snapshots:

  • Add VMs to existing snapshot schedules
  • Remove VMs from existing snapshot schedules
  • Add snapshot schedules
  • Modify snapshot schedules
  • Delete snapshot schedules

Gather diagnostic information from Citrix Hypervisor:

  • Initiate GC collection and heap compaction
  • Gather garbage collection statistics
  • Gather database statistics
  • Gather network statistics

Configure changed block tracking:

  • Enable changed block tracking
  • Disable changed block tracking
  • Destroy the data associated with a snapshot and retain the metadata
  • Get the NBD connection information for a VDI

Changed block tracking can be enabled only for licensed instances of Citrix Hypervisor Premium Edition.

List changed blocks:

  • Compare two VDI snapshots and list the blocks that have changed between them

Configure PVS-Accelerator:

  • Enable PVS-Accelerator
  • Disable PVS-Accelerator
  • Update (PVS-Accelerator) cache configuration
  • Add/Remove (PVS-Accelerator) cache configuration

View PVS-Accelerator configuration:

  • View the status of PVS-Accelerator

Note:

Sometimes, a Read Only user cannot move a resource into a folder in XenCenter, even after receiving an elevation prompt and supplying the credentials of a more privileged user. In this case, log on to XenCenter as the more privileged user and retry the action.

How does Citrix Hypervisor compute the roles for the session?

  1. The subject is authenticated through the Active Directory server to verify which containing groups the subject may also belong to.

  2. Citrix Hypervisor then verifies which roles have been assigned both to the subject, and to its containing groups.

  3. As subjects can be members of multiple Active Directory groups, they inherit all of the permissions of the associated roles.

 In this illustration, as Subject 2 (Group 2) is the Pool Operator and User 1 is a member of Group 2, when Subject 3 (User 1) tries to log in, they inherit both Subject 3 (VM Operator) and Group 2 (Pool Operator) roles. As the Pool Operator role is higher, the resulting role for Subject 3 (User 1) is Pool Operator and not VM Operator.

RBAC roles and permissions