11
Table 2. Definitions of permissions
Permission Allows Assignee To Rationale/Comments
Assign/modify roles • Add/remove users
• Add/remove roles from users
• Enable and disable Active
Directory integration (being
joined to the domain)
This permission lets the user
grant himself or herself any
permission or perform any task.
Warning: This role lets the user
disable the Active Directory
integration and all subjects
added from Active Directory.
Log in to server consoles • Server console access
through ssh
• Server console access
through XenCenter
Warning: With access to a
root shell, the assignee could
arbitrarily reconfigure the entire
system, including RBAC.
Server backup/restore VM
create/destroy operations
• Back up and restore servers
• Back up and restore pool
metadata
The ability to restore a backup
lets the assignee revert RBAC
configuration changes.
Log out active user connections • Ability to disconnect logged in
users
Create/dismiss alerts Warning: A user with this
permission can dismiss alerts for
the entire pool.
Note: The ability to view alerts
is part of the Connect to Pool
and read all pool metadata
permission.
Cancel task of any user • Cancel any user's running
task
This permission lets the user
request XenServer cancel an in-
progress task initiated by any
user.
