Assign roles to users and groups

All XenServer users must have an RBAC role. XenServer does not automatically assign a role to a newly created user, so a new account has no access to the XenServer pool until you assign it a role.


Before you can assign a role to a user or group, you must add the user or group’s Active Directory account to the XenServer pool. Add the AD account after joining the associated domain. For more information, see Join a domain and add RBAC users.

You can assign a user a different role by one of the following methods:

  1. Change the role assigned to the user in the Select Roles dialog in XenCenter. This action requires the Assign/modify role permission, which is only available to a Pool Administrator.
  2. Modify the user’s group membership in your Active Directory to make the user part of a group that is assigned a different role.

If an administrator indirectly applies multiple roles to a user, XenServer grants the user the permissions from the highest role that the user is assigned to.

To change or assign a role to a user or group

  1. In the Resources pane, select the pool or server that contains the user or group.
  2. Select the Users tab.
  3. In the Users and Groups with Access pane, select the user or group to which you want to assign permissions.
  4. Select Change Role.
  5. In the Select Roles dialog, select the role you want to apply and click Save. For information about the permissions associated with each role, see Definitions of RBAC roles and permissions.


    When you are assigning a role, you can select multiple users simultaneously by pressing the CTRL key and selecting the user accounts.

  6. (Optional) When changing a role, if the user is logged on to the pool and you want them to receive their new permissions immediately, click Logout User. This action disconnects the user’s sessions on the pool so the user receives a new session with the modified role.


    When changing a role, the user must log out and log back in again for the new role to take effect. You can force this logout by clicking the Logout User button. To force a logout, you require the Logout active user connections permission. This permission is available to a Pool Administrator or Pool Operator.


If you remove the Pool Admin role from a user, consider also changing the server root password and rotating the pool secret. For more information, see Pool Security.
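The highest-role rule and the Pool Admin removal advice above interact: lowering a user's own role has no effect while an AD group still grants a higher one. The following check is an added example, not XenServer code. The function names, the accounts and groups are hypothetical, and the role ranking is an assumption, since this page does not list the roles.

```python
# Role names as used by XenServer RBAC, lowest to highest (assumed; not listed on this page).
ROLE_RANK = {"read-only": 0, "vm-operator": 1, "vm-admin": 2,
             "vm-power-admin": 3, "pool-operator": 4, "pool-admin": 5}

def effective_role(user, direct_roles, group_roles, memberships):
    """Return (role, sources) for the highest role that reaches `user`.

    direct_roles: {user: role} assigned to the account itself
    group_roles:  {group: role} assigned to AD groups added to the pool
    memberships:  {user: [groups]} from Active Directory
    """
    candidates = []
    if user in direct_roles:
        candidates.append((direct_roles[user], "direct"))
    for group in memberships.get(user, []):
        if group in group_roles:
            candidates.append((group_roles[group], f"group:{group}"))
    if not candidates:
        return None, []  # no role assigned: no access to the pool
    top = max(ROLE_RANK[role] for role, _ in candidates)
    winners = [(role, src) for role, src in candidates if ROLE_RANK[role] == top]
    return winners[0][0], [src for _, src in winners]

def check_role_change(user, new_role, direct_roles, group_roles, memberships):
    """Simulate changing the user's own role and report the outcome."""
    before, _ = effective_role(user, direct_roles, group_roles, memberships)
    changed = {**direct_roles, user: new_role}
    after, sources = effective_role(user, changed, group_roles, memberships)
    return {
        "before": before,
        "after": after,
        "took_effect": after == new_role,
        "still_granted_by": [s for s in sources if s != "direct"],
        # Losing Pool Admin is when the root password and pool secret
        # should be considered for rotation.
        "rotate_secrets": before == "pool-admin" and after != "pool-admin",
    }

# Constructed sample data: hypothetical accounts and AD groups.
DIRECT = {"alice": "pool-admin", "bob": "vm-operator", "dave": "pool-admin"}
GROUPS = {"XS-Admins": "pool-admin", "XS-Ops": "pool-operator"}
MEMBERS = {"alice": ["XS-Admins"], "bob": ["XS-Ops"], "dave": []}

if __name__ == "__main__":
    for name in ("alice", "bob", "dave"):
        print(name, check_role_change(name, "read-only", DIRECT, GROUPS, MEMBERS))
```

In the sample data, alice keeps Pool Admin through XS-Admins after her own role is lowered, so the group membership must change as well before the demotion is real.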
