Role Based Access Control overview

The Role Based Access Control (RBAC) feature lets you assign predefined roles or sets of permissions to Active Directory users and groups. These permissions control the level of access XenServer administrators have to servers and pools. RBAC is configured and deployed at the pool level. Because users acquire permissions through their assigned role, assign a role to a user or their group to give them the required permissions.

Using Active Directory accounts for XenServer user accounts

RBAC lets you restrict which operations different groups of users can perform. This control reduces the likelihood of inexperienced users making disastrous accidental changes. Assigning RBAC roles also helps prevent unauthorized changes to your resource pools for compliance reasons. To facilitate compliance and auditing, RBAC also provides an audit log feature and its corresponding Workload Balancing Pool Audit Trail report. For more information, see Audit Changes.

Users map to Roles. Roles map to a set of Permissions.

RBAC depends on Active Directory for authentication services. Specifically, XenServer keeps a list of authorized users based on Active Directory user and group accounts. As a result, you must join the pool to the domain and add Active Directory accounts before you can assign roles.

RBAC process

The standard process for implementing RBAC and assigning a user or group a role consists of the following steps:

  1. Join the domain.
  2. Add an Active Directory user or group to the pool.
  3. Assign (or modify) the user or group’s RBAC role.

Local super user

The local super user (LSU), or root, is a special user account used for system administration and has all rights or permissions. In XenServer, the local super user is the default account at installation. The LSU is authenticated by XenServer and not an external authentication service. If the external authentication service fails, the LSU can still log in and manage the system. The LSU can always access XenServer physical server through SSH.

RBAC roles

XenServer comes with six pre-established roles that are designed to align with different functions in an IT organization.

  • Pool Administrator (Pool Admin). This role is the most powerful role available. Pool Admins have full access to all XenServer features and settings. They can perform all operations, including role and user management. They can grant access to XenServer console. As a best practice, Citrix recommends assigning this role to a limited number of users.


    The local super user (root) always has the Pool Admin role. The Pool Admin role has the same permissions as the local root.

    If you remove the Pool Admin role from a user, consider also changing the server root password and rotating the pool secret. For more information, see Pool Security.

  • Pool Operator (Pool Operator). This role is designed to let the assignee manage pool-wide resources. Management actions include creating storage, managing servers, managing patches, and creating pools. Pool Operators can configure pool resources. They also have full access to the following features: high availability, Workload Balancing, and patch management. Pool Operators cannot add users or modify roles.
  • Virtual Machine Power Administrator (VM Power Admin). This role has full access to VM and Template management. They can choose where to start VMs. They have full access to the dynamic memory control features and the VM snapshot feature. In addition, they can set the Home Server and choose where to run workloads. Assigning this role grants the assignee sufficient permissions to provision virtual machines for VM Operator use.
  • Virtual Machine Administrator (VM Admin). This role can manage VMs and Templates and access the storage necessary to complete these tasks. However, this role relies on XenServer to choose where to run workloads and must use the settings in templates for dynamic memory control and the Home Server. (This role cannot access the dynamic memory control features, make snapshots, set the Home Server or choose where to run workloads.)
  • Virtual Machine Operator (VM Operator). This role can use the VMs in a pool and manage their basic lifecycle. VM Operators can interact with the VM consoles and start or stop VMs, provided sufficient hardware resources are available. Likewise, VM Operators can perform start and stop lifecycle operations. The VM Operator role cannot create or destroy VMs, alter VM properties, or server resources.
  • Read-only (Read Only). This role can only view resource pool and performance data.

For information about the permissions associated with each role, see Definitions of RBAC roles and permissions. For information about how RBAC calculates which roles apply to a user, see Calculating RBAC roles.


When you create a user, you must first assign a role to the newly created user before they can use the account. XenServer does not automatically assign a role to the newly created user.

Role Based Access Control overview