Chapter 14. Managing Multilevel Administration

This section describes how to set up user roles that control levels of permissions to different objects and actions in your virtualized environment. Red Hat Enterprise Virtualization supports multilevel administration. This means that users can be assigned a variety of permissions to specific objects, using a number of default roles. In addition, customized roles can be created and assigned to users.
Red Hat Enterprise Virtualization relies on directory services for user authentication. Currently the two supported providers of directory services for use with the Red Hat Enterprise Virtualization Manager are Identity, Policy, and Audit (IPA) and Active Directory.

Note

Users are not created in the Red Hat Enterprise Virtualization platform, but in the Directory Services domain. Red Hat Enterprise Virtualization Manager can be configured to use multiple Directory Services domains. See the Red Hat Enterprise Virtualization Installation Guide for more information.

14.1. Configuring Roles

Roles are predefined sets of privileges that can be configured from Red Hat Enterprise Virtualization Manager. They provide access and management permissions to different levels of resources in the data center, and to specific physical and virtual resources. Permissions enable users to perform actions on objects, as explained in Section 5.1, “Authorization Model”.
With multilevel administration, any permissions which apply to a container object also apply to all individual objects within that container. For example, when a host administrator role is assigned to a user on a specific host, the user gains permissions to perform any of the available host operations, but only on the assigned host. However, if the host administrator role is assigned to a user on a data center, the user gains permissions to perform host operations on all hosts within the cluster of the data center.

14.1.1. Roles

There are two types of roles in Red Hat Enterprise Virtualization: administrator roles and user roles. See Table 5.1, “Red Hat Enterprise Virtualization User Roles” for details on roles.

Role Types

  • Administrator - Allows access to the Administration Portal for managing virtual resources. An administrator role does not confer any permissions for the User Portal.
  • User - Allows access to the User Portal for managing and accessing virtual machines. A user role does not confer any permissions for the Administration Portal.
For example, if a user has an administrator role on a cluster, they can manage all virtual machines in the cluster using the Administration Portal. They cannot access any of these virtual machines in the User Portal; this requires a user role.
The default roles cannot be removed from the platform, and their privileges cannot be modified. However, you can clone them, and then customize the new roles as required.
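The container inheritance and role-type rules described above can be checked with a small model. This is an added example, not code from Red Hat Enterprise Virtualization; the object names, the action name and the role's action set are constructed for illustration.

```python
# Added illustration: a toy model, not RHEV code. Object names, action names
# and the role's action set are constructed for this example.
class Obj:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, []
        if parent is not None:
            parent.children.append(self)

class Role:
    def __init__(self, name, account_type, actions):
        self.name = name
        self.account_type = account_type   # "admin" or "user"
        self.actions = frozenset(actions)

# Role type decides which portal the role's permissions apply in.
PORTAL = {"admin": "Administration Portal", "user": "User Portal"}

class Permissions:
    def __init__(self):
        self.grants = []                   # (user, role, object) triples

    def assign(self, user, role, obj):
        self.grants.append((user, role, obj))

    def allowed(self, user, action, obj, portal):
        """A grant on obj, or on any container above it, permits the action."""
        node = obj
        while node is not None:
            for u, role, target in self.grants:
                if (u == user and target is node and action in role.actions
                        and PORTAL[role.account_type] == portal):
                    return True
            node = node.parent
        return False

    def reach(self, user):
        """Audit view: the objects each of the user's grants effectively covers."""
        def subtree(o):
            return [o.name] + [n for c in o.children for n in subtree(c)]
        return {(r.name, t.name): subtree(t)
                for u, r, t in self.grants if u == user}

def demo():
    dc = Obj("dc1")
    cl = Obj("cluster1", dc)
    h1, h2 = Obj("host1", cl), Obj("host2", cl)
    host_admin = Role("host administrator", "admin", {"host.maintenance"})
    p = Permissions()
    p.assign("alice", host_admin, h1)      # scoped to one host
    p.assign("bob", host_admin, dc)        # inherited by every host below dc1
    return p, h1, h2
```

The reach() view is the useful one when reviewing assignments: the same role produces a one-object scope when assigned on a host and a whole-subtree scope when assigned on a data center.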

14.1.2. Creating Custom Roles

In addition to the default roles, you can set up custom roles that permit actions on objects, such as virtual machines, hosts and clusters, and assign privileges to specific entities. Use the roles to create a granular model of permissions to suit the needs of the enterprise or a group or set of users. Use the Configure option to work with roles. You can create a New role, or Edit, Clone or Remove an existing role. In each case the appropriate dialog box displays.
Once the role is set up, you can assign the role to users as required.

To create a new role:

  1. On the header bar of the Red Hat Enterprise Virtualization Manager menu, click Configure. The Configure dialog box displays. The dialog box includes a list of default User and Administrator roles, and any custom roles.
  2. Click New. The New Role dialog box displays.
  3. Enter the Name and Description of the new role. This name will display in the list of roles.
  4. Select either Admin or User as the Account Type. If Admin is selected, this role displays with the administrator icon in the list.
  5. Use the Expand All or Collapse All buttons to view more or fewer of the permissions for the listed objects in the Check Boxes to Allow Action list. You can also expand or collapse the options for each object.
  6. For each of the objects, select or deselect the actions you wish to permit/deny for the role you are setting up.
  7. Click OK to apply the changes you have made. The new role displays on the list of roles.

14.1.3. Editing Roles

You may need to change the permissions, names or descriptions for the custom roles. Note that you cannot make changes to the default roles. To edit custom roles, you can use the Edit button on the Configure dialog box.

To edit a role:

  1. On the header bar of the Red Hat Enterprise Virtualization Manager menu, click Configure. The Configure dialog box displays. The dialog box below shows the list of Administrator roles.
  2. Click Edit. The Edit Role dialog box displays.
    Figure 14.1. The Edit Role Dialog Box

  3. If necessary, edit the Name and Description of the role. This name will display in the list of roles.
  4. Use the Expand All or Collapse All buttons to view more or fewer of the permissions for the listed objects. You can also expand or collapse the options for each object.
  5. For each of the objects, select or deselect the actions you wish to permit/deny for the role you are editing.
  6. Click OK to apply the changes you have made.

14.1.4. Cloning Roles

You can create a new role by cloning an existing default or custom role, and changing the permissions set as required. Use the Clone button on the Configure dialog box.

To clone a role:

  1. On the header bar of the Red Hat Enterprise Virtualization Manager menu, click Configure. The Configure dialog box displays. The dialog box includes a list of default roles, and any custom roles that exist on the platform.
    Figure 14.2. The Configure Dialog Box

  2. Click Clone. The Clone Role dialog box displays.
  3. Change the Name and Description of the new role. This name will display in the list of roles.
  4. Use the Expand All or Collapse All buttons to view more or fewer of the permissions for the listed objects. You can also expand or collapse the options for each object.
  5. For each of the objects, select or deselect the actions you wish to permit/deny for the role you are editing.
  6. Click Close to apply the changes you have made.