Role Based Access Control overview 编辑

The Role Based Access Control (RBAC) feature lets you assign predefined roles or sets of permissions to Active Directory users and groups. These permissions control the level of access Citrix Hypervisor administrators have to servers and pools. RBAC is configured and deployed at the pool level. Because users acquire permissions through their assigned role, assign a role to a user or their group to give them the required permissions.

Using Active Directory accounts for Citrix Hypervisor user accounts

RBAC lets you restrict which operations different groups of users can perform. This control reduces the likelihood of inexperienced users making disastrous accidental changes. Assigning RBAC roles also helps prevent unauthorized changes to your resource pools for compliance reasons. To facilitate compliance and auditing, RBAC also provides an audit log feature and its corresponding Workload Balancing Pool Audit Trail report. For more information, see Audit Changes.

Users map to Roles. Roles map to a set of Permissions.

RBAC depends on Active Directory for authentication services. Specifically, Citrix Hypervisor keeps a list of authorized users based on Active Directory user and group accounts. As a result, you must join the pool to the domain and add Active Directory accounts before you can assign roles.

RBAC process

The standard process for implementing RBAC and assigning a user or group a role consists of the following steps:

  1. Join the domain.
  2. Add an Active Directory user or group to the pool.
  3. Assign (or modify) the user or group’s RBAC role.

Local super user

The local super user (LSU), or root, is a special user account used for system administration and has all rights or permissions. In Citrix Hypervisor, the local super user is the default account at installation. The LSU is authenticated by Citrix Hypervisor and not an external authentication service. If the external authentication service fails, the LSU can still log in and manage the system. The LSU can always access Citrix Hypervisor physical server through SSH.

RBAC roles

Citrix Hypervisor comes with six pre-established roles that are designed to align with different functions in an IT organization.

  • Pool Administrator (Pool Admin). This role is the most powerful role available. Pool Admins have full access to all Citrix Hypervisor features and settings. They can perform all operations, including role and user management. They can grant access to Citrix Hypervisor console. As a best practice, Citrix recommends assigning this role to a limited number of users.

    Note:

    The local super user (root) always has the Pool Admin role. The Pool Admin role has the same permissions as the local root.

    If you remove the Pool Admin role from a user, consider also changing the server root password and rotating the pool secret. For more information, see Pool Security.

  • Pool Operator (Pool Operator). This role is designed to let the assignee manage pool-wide resources. Management actions include creating storage, managing servers, managing patches, and creating pools. Pool Operators can configure pool resources. They also have full access to the following features: high availability, Workload Balancing, and patch management. Pool Operators cannot add users or modify roles.
  • Virtual Machine Power Administrator (VM Power Admin). This role has full access to VM and Template management. They can choose where to start VMs. They have full access to the VM snapshot feature. In addition, they can set the Home Server and choose where to run workloads. Assigning this role grants the assignee sufficient permissions to provision virtual machines for VM Operator use.
  • Virtual Machine Administrator (VM Admin). This role can manage VMs and Templates and access the storage necessary to complete these tasks. However, this role relies on Citrix Hypervisor to choose where to run workloads and must use the settings in templates for the home server. (This role cannot make snapshots, set the home server or choose where to run workloads.)
  • Virtual Machine Operator (VM Operator). This role can use the VMs in a pool and manage their basic lifecycle. VM Operators can interact with the VM consoles and start or stop VMs, provided sufficient hardware resources are available. Likewise, VM Operators can perform start and stop lifecycle operations. The VM Operator role cannot create or destroy VMs, alter VM properties, or server resources.
  • Read-only (Read Only). This role can only view resource pool and performance data.

For information about the permissions associated with each role, see Definitions of RBAC roles and permissions. For information about how RBAC calculates which roles apply to a user, see Calculating RBAC roles.

Note:

When you create a user, you must first assign a role to the newly created user before they can use the account. Citrix Hypervisor does not automatically assign a role to the newly created user.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:75 次

字数:6484

最后编辑:8 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文