5.2. User Properties

Roles and Permissions can be considered the properties of the User object. Roles are predefined sets of privileges that can be configured from Red Hat Enterprise Virtualization Manager, permitting access to and management of resources at different levels of the data center, down to specific physical and virtual resources. Multi-level administration includes a hierarchy of permissions that can be configured to provide either a finely grained model of permissions or a wider level of permissions, as required by your enterprise. For example, a data center administrator has permissions to manage all objects in the data center, while a host administrator has system administrator permissions on a single physical host. A user can have permissions to log into and use a single virtual machine without being able to change the virtual machine configuration, while another user can be assigned system permissions on a virtual machine, effectively acting as system administrator of that virtual machine.

5.2.1. Roles

The Red Hat Enterprise Virtualization platform provides a range of pre-configured, or default, roles, ranging from the SuperUser with system administration of the whole platform to an end user with permissions to access a single virtual machine only. There are two types of system administration roles: roles with system permissions on physical resources, such as hosts and storage, and roles with system permissions on virtual resources, such as virtual machines and pools. While you cannot change the default roles, you can clone them and then customize the new roles as required.
There are two types of roles in Red Hat Enterprise Virtualization: administrator roles and user roles. The privileges provided by these roles are shown in this section.

Note

The default roles cannot be removed from the platform, and their privileges cannot be modified; however, their names and descriptions can be changed.

Role Types

  • Administrator Role: Allows access to the Administration Portal for managing virtual resources. An administrator role does not confer any permissions for the User Portal.
  • User Role: Allows access to the User Portal for managing and accessing virtual machines. A user role does not confer any permissions for the Administration Portal.
For example, if a user has an administrator role on a cluster, they can manage all virtual machines in the cluster using the Administration Portal. They cannot access any of these virtual machines in the User Portal; this would require a user role.

Table 5.1. Red Hat Enterprise Virtualization User Roles

UserRole
  Privileges: User privileges.
  Notes: View resource state and details. View all the resource tabs. Can perform basic operations on the virtual machine and connect to the virtual machine. This role also has permissions to use a virtual machine in a pool.

PowerUserRole
  Privileges: Allowed to create and manage virtual machines and templates.
  Notes: Can change the CD and add, remove, and set access privileges for all the users and groups, for all physical and virtual resources in the data center.

UserVmManager
  Privileges: Access to Virtual Machines and Pools. Level of privileges allows the user to administer virtual machines, including configuring network and storage, manipulating snapshots and migrating virtual machines.
  Notes: System administrator of a virtual machine.

UserTemplateBasedVm
  Privileges: Limited privileges to only use Templates.
  Notes: Level of privilege to create a virtual machine by means of a template.

Table 5.2. Red Hat Enterprise Virtualization System Administrator Roles

HostAdmin
  Privileges: Host Administrator.
  Notes: Can attach, remove, configure and manage a specific host.

NetworkAdmin
  Privileges: Network Administrator.
  Notes: Can configure and manage the network of a particular data center, cluster or host. A network administrator of a data center or cluster will have inherited network permissions for virtual pools within the cluster as well.

VMPoolAdmin
  Privileges: System Administrator role of a virtual pool.
  Notes: Can create, delete, and configure a virtual pool, and perform basic operations on a virtual machine.

TemplateAdmin
  Privileges: Can perform all operations on templates.
  Notes: Has privileges to create, delete and configure storage domains as well as network details, in addition to moving templates between domains.

SuperUser
  Privileges: Full permissions across all objects and levels.
  Notes: Can manage all objects across all data centers.

ClusterAdmin
  Privileges: Cluster Administrator.
  Notes: Can use, create, delete, manage all physical and virtual resources in a specific cluster, including hosts, templates and virtual machines.

DataCenterAdmin
  Privileges: Data Center Administrator.
  Notes: Can use, create, delete, manage all physical and virtual resources within a specific data center, including clusters, hosts, templates and virtual machines.

StorageAdmin
  Privileges: Storage Administrator.
  Notes: Can create, delete, configure and manage a specific storage domain.
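The multi-level permission model described above (a role assigned on an object applies to the objects beneath it, and administrator roles grant Administration Portal access while only user roles grant User Portal access) can be checked with a small model. This is an added illustration, not Red Hat's code; the object names, users and the simplified system > data center > cluster > virtual machine hierarchy are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Role names from Tables 5.1 and 5.2, split by role type.
ADMIN_ROLES = {"SuperUser", "DataCenterAdmin", "ClusterAdmin", "HostAdmin",
               "NetworkAdmin", "VMPoolAdmin", "TemplateAdmin", "StorageAdmin"}
USER_ROLES = {"UserRole", "PowerUserRole", "UserVmManager", "UserTemplateBasedVm"}


@dataclass
class Obj:
    """A node in the (simplified, constructed) resource hierarchy."""
    name: str
    parent: Optional["Obj"] = None

    def chain(self):
        """Yield this object and every ancestor up to the system root."""
        node = self
        while node is not None:
            yield node
            node = node.parent


@dataclass
class Permission:
    """A role granted to a user on one object (the permission triple)."""
    user: str
    role: str
    target: Obj


def roles_on(perms, user, obj):
    """Roles a user holds on obj directly or inherited from an ancestor."""
    scope = {o.name for o in obj.chain()}
    return {p.role for p in perms if p.user == user and p.target.name in scope}


def portal_access(perms, user, obj):
    """Which portal(s) the user's roles on obj open; admin roles never open the User Portal."""
    roles = roles_on(perms, user, obj)
    return {"admin_portal": bool(roles & ADMIN_ROLES),
            "user_portal": bool(roles & USER_ROLES)}


# Constructed hierarchy and assignments.
SYSTEM = Obj("system")
DC1 = Obj("dc1", SYSTEM)
CLUSTER1 = Obj("cluster1", DC1)
VM1 = Obj("vm1", CLUSTER1)
PERMS = [Permission("alice", "ClusterAdmin", CLUSTER1),  # admin on the cluster
         Permission("bob", "UserRole", VM1),             # user on one VM only
         Permission("root", "SuperUser", SYSTEM)]        # system-wide
```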