Chapter 5. Users

This section describes the types of users in Red Hat Enterprise Virtualization Manager, how to set up user roles that control user permission levels, and how to manage users on the Red Hat Enterprise Virtualization platform. Red Hat Enterprise Virtualization relies on directory services for user authentication and information. Currently the two supported providers of directory services for use with the Red Hat Enterprise Virtualization Manager are Identity, Policy, and Audit (IPA) and Microsoft Active Directory.
There are two basic types of users in the Red Hat Enterprise Virtualization platform, end users who use and manage the virtual machines, and administrative users who are responsible for the supply of virtual machines and virtual infrastructure to the end users. Users are assigned roles that allow them to perform their tasks as required. The role with the highest level of permissions is the admin role, which allows a user to set up, manage, and optimize all aspects of the Red Hat Enterprise Virtualization platform. By setting up and configuring roles with permissions to perform actions and create objects, users can be provided with a range of permissions that allow the safe delegation of some administrative tasks to users without granting them complete administrative control.
Red Hat Enterprise Virtualization Manager provides a rich user interface that allows an administrator to manage their virtual infrastructure from a web browser allowing even the most advanced configurations such as network bonding and VLANs to be centrally managed from a graphical console.

Note

Users are not created in Red Hat Enterprise Virtualization platform, but in the Directory Services domain. Red Hat Enterprise Virtualization Manager can be configured to use multiple Directory Services domains.

5.1. Authorization Model

Red Hat Enterprise Virtualization applies authorization controls to each action performed in the system. Authorization is applied based on the combination of the three components in any action:
  • The user performing the action
  • The type of action being performed
  • The object on which the action is being performed
Actions
For an action to be successfully performed, the user must have the appropriate permission for the object being acted upon. Each type of action corresponds to a permission. There are many different permissions in the system, so for simplicity they are grouped together in roles.
Actions

Figure 5.1. Actions


Permissions
Permissions enable users to perform actions on objects, where objects are either individual objects or container objects.
Permissions & Roles

Figure 5.2. Permissions & Roles


Any permissions that apply to a container object also apply to all members of that container. The following diagram depicts the hierarchy of objects in the system.
Red Hat Enterprise Virtualization Object Hierarchy

Figure 5.3. Red Hat Enterprise Virtualization Object Hierarchy


Important — Actions can impact multiple objects

Some actions are performed on more than one object. For example, copying a template to another storage domain will impact both the template and the destination storage domain. The user performing an action must have appropriate permissions for all objects the action impacts.