Definitions of RBAC roles and permissions

Permissions available for each role

The following table summarizes which permissions are available for each role. For details on the operations available for each permission, see the next section.

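| Permissions | Pool Admin | Pool Operator | VM Power Admin | VM Admin | VM Operator | Read Only |
|---|---|---|---|---|---|---|
| Assign/modify roles | X | | | | | |
| Log in to (physical) server consoles (through SSH and Citrix Hypervisor Center) | X | | | | | |
| Server backup/restore | X | | | | | |
| Install a TLS certificate on a server | X | | | | | |
| Rolling Pool Upgrade | X | | | | | |
| Import/export OVF/OVA packages; import disk images | X | | | | | |
| Set cores per socket | X | X | X | X | | |
| Convert VMs using Citrix Hypervisor Conversion Manager | X | | | | | |
| Switch-port locking | X | X | | | | |
| Multipathing | X | X | | | | |
| Log out active user connections | X | X | | | | |
| Create and dismiss alerts | X | X | | | | |
| Cancel task of any user | X | X | | | | |
| Pool management | X | X | | | | |
| Live migration | X | X | X | | | |
| Storage live migration | X | X | X | | | |
| VM advanced operations | X | X | X | | | |
| VM create/destroy operations | X | X | X | X | | |
| VM change CD media | X | X | X | X | X | |
| VM change power state | X | X | X | X | X | |
| View VM consoles | X | X | X | X | X | |
| Citrix Hypervisor Center view management operations | X | X | X | X | X | |
| Cancel own tasks | X | X | X | X | X | X |
| Read audit logs | X | X | X | X | X | X |
| Configure, initialize, enable, disable Workload Balancing (WLB) | X | X | | | | |
| Apply WLB optimization recommendations | X | X | | | | |
| Accept WLB placement recommendations | X | X | X | | | |
| Display WLB configuration | X | X | X | X | X | X |
| Generate WLB reports | X | X | X | X | X | X |
| Connect to pool and read all pool metadata | X | X | X | X | X | X |
| Configure virtual GPU | X | X | | | | |
| View virtual GPU configuration | X | X | X | X | X | X |
| Access the config drive (CoreOS VMs only) | X | | | | | |
| Gather diagnostic information | X | X | | | | |
| vCPU Hotplug | X | X | X | X | | |
| Configure Changed Block Tracking | X | X | X | X | | |
| List changed blocks | X | X | X | X | X | |
| Configure PVS-Accelerator | X | X | | | | |
| View PVS-Accelerator configuration | X | X | X | X | X | X |
| Scheduled Snapshots (Add/Remove VMs to existing Snapshots Schedules) | X | X | X | | | |
| Scheduled Snapshots (Add/Modify/Delete Snapshot Schedules) | X | X | | | | |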
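
The table can drive a least-privilege review of role assignments. The following is an added example, not code from Citrix or from the original page: it encodes a subset of the rows above, picks the narrowest role that covers a set of required permissions, and lists users whose assigned role is broader than their tasks need. It assumes, as the table shows, that each row's X marks run contiguously from Pool Admin rightward; the function names and the sample users in the test are constructed for illustration.

```python
# Added example, not Citrix code. Role order and rows come from the table on
# this page; each number is how many role columns carry an X in that row.
ROLES = ["Pool Admin", "Pool Operator", "VM Power Admin",
         "VM Admin", "VM Operator", "Read Only"]  # most to least privileged

# Subset of the table rows (constructed selection; extend with the rest).
HOLDERS = {
    "Assign/modify roles": 1,
    "Log in to (physical) server consoles": 1,
    "Server backup/restore": 1,
    "Pool management": 2,
    "Create and dismiss alerts": 2,
    "Live migration": 3,
    "VM advanced operations": 3,
    "VM create/destroy operations": 4,
    "VM change power state": 5,
    "View VM consoles": 5,
    "Read audit logs": 6,
    "Connect to pool and read all pool metadata": 6,
}

# Permissions whose definitions on this page warn that RBAC itself can be
# changed, reconfigured, or reverted by the holder.
RBAC_BYPASS = {"Assign/modify roles", "Log in to (physical) server consoles",
               "Server backup/restore"}


def least_role(needed):
    """Return the least-privileged role that holds every permission in needed."""
    unknown = [p for p in needed if p not in HOLDERS]
    if unknown:
        raise KeyError(f"not in table subset: {unknown}")
    # X marks run left to right, so the narrowest permission decides the role.
    return ROLES[min((HOLDERS[p] for p in needed), default=len(ROLES)) - 1]


def rbac_sensitive(needed):
    """Return the requested permissions that let the holder undo RBAC."""
    return sorted(RBAC_BYPASS & set(needed))


def over_privileged(assignments, needs):
    """Return (user, assigned role, sufficient role) where assigned is broader."""
    findings = []
    for user, role in sorted(assignments.items()):
        sufficient = least_role(needs.get(user, []))
        if ROLES.index(role) < ROLES.index(sufficient):
            findings.append((user, role, sufficient))
    return findings
```

A request that returns anything from `rbac_sensitive` can only be satisfied by Pool Admin, so it is worth reviewing separately from ordinary role sizing.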

Definitions of permissions

This section provides more details about permissions:

Assign/modify roles

  • Add and remove users
  • Add and remove roles from users
  • Enable and disable Active Directory integration (being joined to the domain)

This permission lets the user grant themselves any permission or perform any task.

Warning:

This role lets the user disable the Active Directory integration and all subjects added from Active Directory.

Log in to server consoles

  • Server console access through SSH
  • Server console access through Citrix Hypervisor Center

Warning:

With access to a root shell, the assignee can arbitrarily reconfigure the entire system, including RBAC.

Server backup/restore

  • Back up and restore servers
  • Back up and restore pool metadata

The ability to restore a backup lets the assignee revert RBAC configuration changes.

Install a TLS certificate on a server

This permission enables an administrator to install a TLS certificate on a server.

Rolling Pool Upgrade

  • Upgrade all hosts in a pool using the Rolling Pool Upgrade wizard.

Import/export OVF/OVA packages; import disk images

  • Import OVF and OVA packages
  • Import disk images
  • Export VMs as OVF/OVA packages

Set cores-per-socket

  • Set the number of cores per socket for the VM’s virtual CPUs

This permission enables the user to specify the topology for the VM’s virtual CPUs.

Convert VMs using Citrix Hypervisor Conversion Manager

  • Convert VMware VMs to Citrix Hypervisor VMs

This permission lets the user convert workloads from VMware to Citrix Hypervisor. Convert these workloads by copying batches of VMware VMs to the Citrix Hypervisor environment.

Switch-port locking

  • Control traffic on a network

This permission lets the user block all traffic on a network by default, or define specific IP addresses from which a VM can send traffic.

Multipathing

  • Enable multipathing
  • Disable multipathing

Log out active user connections

  • Ability to disconnect logged-in users

Create/dismiss alerts

  • Configure Citrix Hypervisor Center to generate alerts when resource usage crosses certain thresholds
  • Remove alerts from the Alerts view

Warning: A user with this permission can dismiss alerts for the entire pool.

Note: The ability to view alerts is part of the Connect to Pool and read all pool metadata permission.

Cancel task of any user

  • Cancel any user’s running task

This permission lets the user request that Citrix Hypervisor cancel an in-progress task initiated by any user.

Pool management

  • Set pool properties (naming, default SRs)
  • Create a clustered pool
  • Enable, disable, and configure HA
  • Set per-VM HA restart priorities
  • Configure DR and perform DR failover, failback, and test failover operations.
  • Enable, disable, and configure Workload Balancing (WLB)
  • Add and remove servers from pool
  • Emergency transition to pool coordinator
  • Emergency pool coordinator address
  • Emergency recovery of pool members
  • Designate new pool coordinator
  • Manage pool and server certificates
  • Patching
  • Set server properties
  • Configure server logging
  • Enable and disable servers
  • Shut down, reboot, and power-on servers
  • Restart toolstack
  • System status reports
  • Apply license
  • Live migration of all other VMs on a server to another server, due to either WLB, maintenance mode, or high availability
  • Configure server management interfaces and secondary interfaces
  • Disable server management
  • Delete crashdumps
  • Add, edit, and remove networks
  • Add, edit, and remove PBDs/PIFs/VLANs/Bonds/SRs

Live migration

  • Migrate VMs from one host to another host when the VMs are on storage shared by both hosts

Storage live migration

  • Migrate from one host to another host when the VMs are not on storage shared between the two hosts
  • Move virtual disks (VDIs) from one SR to another SR

VM advanced operations

  • Create a VM snapshot with memory, take VM snapshots, and roll-back VMs
  • Migrate VMs
  • Start VMs, including specifying physical server
  • Resume VMs

VM create/destroy operations

  • Install and delete VMs
  • Clone/copy VMs
  • Add, remove, and configure virtual disk/CD devices
  • Add, remove, and configure virtual network devices
  • Import/export XVA files
  • VM configuration change

Note:

The VM Admin role can import XVA files only into a pool with a shared SR. The VM Admin role does not have permission to import an XVA file into a server or a pool without shared storage.

VM change CD media

  • Eject current CD
  • Insert new CD

VM change power state

  • Start VMs (automatic placement)
  • Shut down VMs
  • Reboot VMs
  • Suspend VMs
  • Resume VMs (automatic placement)

View VM consoles

  • See and interact with VM consoles

Configure, initialize, enable, disable WLB

  • Configure WLB
  • Initialize WLB and change WLB servers
  • Enable WLB
  • Disable WLB

Apply WLB optimization recommendations

  • Apply any optimization recommendations that appear in the WLB tab

Modify WLB report subscriptions

  • Change the WLB report generated or its recipient

Accept WLB placement recommendations

  • Select one of the servers Workload Balancing recommends for placement (“star” recommendations)

Display WLB configuration

  • View WLB settings for a pool as shown on the WLB tab

Generate WLB reports

  • View and run WLB reports, including the Pool Audit Trail report

Citrix Hypervisor Center view management operations

  • Create and modify global Citrix Hypervisor Center folders
  • Create and modify global Citrix Hypervisor Center custom fields
  • Create and modify global Citrix Hypervisor Center searches

Cancel own tasks

  • Enables users to cancel their own tasks

Read audit log

  • Download Citrix Hypervisor audit log

Connect to pool and read all pool metadata

  • Log in to pool
  • View pool metadata
  • View historical performance data
  • View logged-in users
  • View users and roles
  • View tasks
  • View messages
  • Register for and receive events

Configure virtual GPU

  • Specify a pool-wide placement policy
  • Assign a virtual GPU to a VM
  • Remove a virtual GPU from a VM
  • Modify allowed virtual GPU types
  • Create, destroy, or assign a GPU group

View virtual GPU configuration

  • View GPUs, GPU placement policies, and virtual GPU assignments.

Access the config drive (CoreOS VMs only)

  • Access the config drive of the VM
  • Modify the cloud-config parameters

Gather diagnostic information from Citrix Hypervisor

  • Initiate GC collection and heap compaction
  • Gather garbage collection statistics
  • Gather database statistics
  • Gather network statistics

Configure changed block tracking

  • Enable changed block tracking
  • Disable changed block tracking
  • Destroy the data associated with a snapshot and retain the metadata
  • Get the NBD connection information for a VDI
  • Export a VDI over an NBD connection

Changed block tracking can be enabled only for licensed instances of Citrix Hypervisor Premium Edition.

List changed blocks

  • Compare two VDI snapshots and list the blocks that have changed between them.

Configure PVS-Accelerator

  • Enable PVS-Accelerator
  • Disable PVS-Accelerator
  • Update PVS-Accelerator cache configuration
  • Add or remove PVS-Accelerator cache configuration

View PVS-Accelerator configuration

  • View the status of PVS-Accelerator

Scheduled snapshots

  • Add VMs to existing snapshot schedules
  • Remove VMs from existing snapshot schedules
  • Add snapshot schedules
  • Modify snapshot schedules
  • Delete snapshot schedules
