6.8. Virtual Machines and Permissions

6.8.1. Managing System Permissions for a Virtual Machine

As the SuperUser, the system administrator manages all aspects of the Administration Portal. More specific administrative roles can be assigned to other users. These restricted administrator roles are useful for granting a user administrative privileges that limit them to a specific resource. For example, a DataCenterAdmin role has administrator privileges only for the assigned data center with the exception of the storage for that data center, and a ClusterAdmin has administrator privileges only for the assigned cluster.

A UserVmManager is a system administration role for virtual machines in a data center. This role can be applied to specific virtual machines, to a data center, or to the whole virtualized environment; this is useful to allow different users to manage certain virtual resources.

The user virtual machine administrator role permits the following actions:

  • Create, edit, and remove virtual machines.
  • Run, suspend, shut down, and stop virtual machines.

Note

You can only assign roles and permissions to existing users.

Many end users are concerned solely with the virtual machine resources of the virtualized environment. As a result, Red Hat Virtualization provides several user roles which enable the user to manage virtual machines specifically, but not other resources in the data center.

6.8.2. Virtual Machine Administrator Roles Explained

The table below describes the administrator roles and privileges applicable to virtual machine administration.

Table 6.1. Red Hat Virtualization System Administrator Roles

| Role | Privileges | Notes |
|---|---|---|
| DataCenterAdmin | Data Center Administrator | Possesses administrative permissions for all objects underneath a specific data center except for storage. |
| ClusterAdmin | Cluster Administrator | Possesses administrative permissions for all objects underneath a specific cluster. |
| NetworkAdmin | Network Administrator | Possesses administrative permissions for all operations on a specific logical network. Can configure and manage networks attached to virtual machines. To configure port mirroring on a virtual machine network, apply the NetworkAdmin role on the network and the UserVmManager role on the virtual machine. |

6.8.3. Virtual Machine User Roles Explained

The table below describes the user roles and privileges applicable to virtual machine users. These roles allow access to the VM Portal for managing and accessing virtual machines, but they do not confer any permissions for the Administration Portal.

Table 6.2. Red Hat Virtualization System User Roles

| Role | Privileges | Notes |
|---|---|---|
| UserRole | Can access and use virtual machines and pools. | Can log in to the VM Portal and use virtual machines and pools. |
| PowerUserRole | Can create and manage virtual machines and templates. | Apply this role to a user for the whole environment with the Configure window, or for specific data centers or clusters. For example, if a PowerUserRole is applied on a data center level, the PowerUser can create virtual machines and templates in the data center. Having a PowerUserRole is equivalent to having the VmCreator, DiskCreator, and TemplateCreator roles. |
| UserVmManager | System administrator of a virtual machine. | Can manage virtual machines and create and use snapshots. A user who creates a virtual machine in the VM Portal is automatically assigned the UserVmManager role on the machine. |
| UserTemplateBasedVm | Limited privileges to only use Templates. | Level of privilege to create a virtual machine by means of a template. |
| VmCreator | Can create virtual machines in the VM Portal. | This role is not applied to a specific virtual machine; apply this role to a user for the whole environment with the Configure window. When applying this role to a cluster, you must also apply the DiskCreator role on an entire data center, or on specific storage domains. |
| VnicProfileUser | Logical network and network interface user for virtual machines. | If the Allow all users to use this Network option is selected when a logical network is created, VnicProfileUser permissions are assigned to all users for the logical network. Users can then attach or detach virtual machine network interfaces to or from the logical network. |
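
An added example (not Red Hat's code) for reviewing the role assignments described in the two tables above: it models a role applied at cluster, data center, or system scope as reaching the virtual machines beneath it, lists users who reach a virtual machine only through such a broader scope, and finds users holding the NetworkAdmin plus UserVmManager combination that Table 6.1 names for port mirroring. The inventory, object names, and function names are constructed for illustration; a real review would load the assignments from the Manager.

```python
# Constructed sample inventory; all object and user names are illustrative.
PARENT = {                      # object -> the container it sits beneath
    "vm:web01": "cluster:prod",
    "vm:db01": "cluster:prod",
    "cluster:prod": "dc:main",
    "dc:main": "system",
}
VM_NETWORKS = {"vm:web01": ["net:dmz"], "vm:db01": ["net:backend"]}
PERMISSIONS = [                 # (user, role, object the role is applied to)
    ("alice", "UserRole", "vm:web01"),
    ("bob", "UserVmManager", "vm:web01"),
    ("bob", "NetworkAdmin", "net:dmz"),
    ("carol", "ClusterAdmin", "cluster:prod"),
    ("dave", "PowerUserRole", "dc:main"),
    ("erin", "UserVmManager", "system"),
    ("erin", "NetworkAdmin", "net:backend"),
]

def scope_chain(obj):
    """Return obj followed by every container above it, up to 'system'."""
    chain = [obj]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def effective_roles(vm):
    """Map each user to the (role, scope) grants that reach this VM."""
    chain = scope_chain(vm)
    reach = {}
    for user, role, obj in PERMISSIONS:
        if obj in chain:
            reach.setdefault(user, []).append((role, obj))
    return reach

def inherited_access(vm):
    """Users who reach the VM only through a broader scope than the VM."""
    return sorted(user for user, grants in effective_roles(vm).items()
                  if all(scope != vm for _, scope in grants))

def can_mirror_ports(vm):
    """Users holding UserVmManager on the VM plus NetworkAdmin on its network."""
    managers = {user for user, grants in effective_roles(vm).items()
                if any(role == "UserVmManager" for role, _ in grants)}
    net_admins = {user for user, role, obj in PERMISSIONS
                  if role == "NetworkAdmin" and obj in VM_NETWORKS.get(vm, [])}
    return sorted(managers & net_admins)

if __name__ == "__main__":
    for vm in VM_NETWORKS:
        print(vm, inherited_access(vm), can_mirror_ports(vm))
```

The port mirroring check covers only the role pair the table names; broader administrator roles are reported by `inherited_access` and need their own review.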

6.8.4. Assigning Virtual Machines to Users

If you are creating virtual machines for users other than yourself, you have to assign roles to the users before they can use the virtual machines. Note that permissions can only be assigned to existing users. See Users and Roles in the Administration Guide for details on creating user accounts.

The VM Portal supports three default roles: User, PowerUser and UserVmManager. However, customized roles can be configured via the Administration Portal. The default roles are described below.

  • A User can connect to and use virtual machines. This role is suitable for desktop end users performing day-to-day tasks.
  • A PowerUser can create virtual machines and view virtual resources. This role is suitable if you are an administrator or manager who needs to provide virtual resources for your employees.
  • A UserVmManager can edit and remove virtual machines, assign user permissions, use snapshots and use templates. It is suitable if you need to make configuration changes to your virtual environment.

When you create a virtual machine, you automatically inherit UserVmManager privileges. This enables you to make changes to the virtual machine and assign permissions to the users you manage, or users who are in your Identity Management (IdM) or RHDS group. See the Administration Guide for more information.

Assigning Permissions to Users

  1. Click Compute → Virtual Machines and select a virtual machine.
  2. Click the virtual machine’s name to go to the details view.
  3. Click the Permissions tab.
  4. Click Add.
  5. Enter a name, or user name, or part thereof in the Search text box, and click Go. A list of possible matches displays in the results list.
  6. Select the check box of the user to be assigned the permissions.
  7. Select UserRole from the Role to Assign drop-down list.
  8. Click OK.

The user’s name and role display in the list of users permitted to access this virtual machine.

Note

If a user is assigned permissions to only one virtual machine, single sign-on (SSO) can be configured for the virtual machine. With single sign-on enabled, a user who logs in to the VM Portal and then connects to a virtual machine through, for example, a SPICE console is automatically logged in to the virtual machine and does not need to type in the user name and password again. Single sign-on can be enabled or disabled on a per virtual machine basis. See Section 4.2, “Configuring Single Sign-On for Virtual Machines” for more information on how to enable and disable single sign-on for virtual machines.

6.8.5. Removing Access to Virtual Machines from Users

Removing Access to Virtual Machines from Users

  1. Click Compute → Virtual Machines.
  2. Click the virtual machine’s name to go to the details view.
  3. Click Permissions.
  4. Click Remove. A warning message displays, asking you to confirm removal of the selected permissions.
  5. To proceed, click OK. To abort, click Cancel.