Calculating RBAC roles


XenCenter YYYY.x.x is not yet supported for use with Citrix Hypervisor 8.2 CU1 in production environments. To manage your Citrix Hypervisor 8.2 CU1 production environment, use XenCenter 8.2.7. For more information, see the XenCenter 8.2.7 documentation.

You can install XenCenter 8.2.7 and XenCenter YYYY.x.x on the same system. Installing XenCenter YYYY.x.x does not overwrite your XenCenter 8.2.7 installation.

When I log in, how does XenServer compute the roles for the session?

  1. The Active Directory server authenticates the subject. During authentication, Active Directory also determines if the subject belongs to any other containing groups in Active Directory.

  2. XenServer then verifies the following information:

    • The roles assigned to the subject
    • The roles assigned to any Active Directory groups that the subject is a member of.
  3. XenServer applies the highest level of permissions to the subject. Because subjects can be members of multiple Active Directory groups, they inherit all permissions of the associated roles.

A diagram showing that Users can be in Groups in Active Directory. Both Users and Groups in Active Directory are mapped to Subjects in XenCenter. Subjects can have a role. Roles have a set of Permissions.

This illustration shows the following information:

  • Subject 2 (Group 2) is the Pool Operator.
  • User 1 is a member of Group 2.
  • When Subject 3 (User 1) tries to log in, they inherit both Subject 3 (VM Operator) and Group 2 (Pool Operator) roles.
  • The Pool Operator role is higher, so the resulting role for Subject 3 (User 1) is Pool Operator and not VM Operator.
Calculating RBAC roles