Search

1.2. System Permissions

download PDF
Permissions enable users to perform actions on objects, where objects are either individual objects or container objects.
Permissions & Roles

Figure 1.4. Permissions & Roles

Any permissions that apply to a container object also apply to all members of that container. The following diagram depicts the hierarchy of objects in the system.
Red Hat Virtualization Object Hierarchy

Figure 1.5. Red Hat Virtualization Object Hierarchy

1.2.1. User Properties

Roles and permissions are the properties of the user. Roles are predefined sets of privileges that permit access to different levels of physical and virtual resources. Multilevel administration provides a finely grained hierarchy of permissions. For example, a data center administrator has permissions to manage all objects in the data center, while a host administrator has system administrator permissions to a single physical host. A user can have permissions to use a single virtual machine but not make any changes to the virtual machine configurations, while another user can be assigned system permissions to a virtual machine.

1.2.2. User and Administrator Roles

Red Hat Virtualization provides a range of pre-configured roles, from an administrator with system-wide permissions to an end user with access to a single virtual machine. While you cannot change or remove the default roles, you can clone and customize them, or create new roles according to your requirements. There are two types of roles:
  • Administrator Role: Allows access to the Administration Portal for managing physical and virtual resources. An administrator role confers permissions for actions to be performed in the User Portal; however, it has no bearing on what a user can see in the User Portal.
  • User Role: Allows access to the User Portal for managing and accessing virtual machines and templates. A user role determines what a user can see in the User Portal. Permissions granted to a user with an administrator role are reflected in the actions available to that user in the User Portal.
For example, if you have an administrator role on a cluster, you can manage all virtual machines in the cluster using the Administration Portal. However, you cannot access any of these virtual machines in the User Portal; this requires a user role.

1.2.3. User Roles Explained

The table below describes basic user roles which confer permissions to access and configure virtual machines in the User Portal.
Table 1.1. Red Hat Virtualization User Roles - Basic
Role Privileges Notes
UserRole Can access and use virtual machines and pools. Can log in to the User Portal, use assigned virtual machines and pools, view virtual machine state and details.
PowerUserRole Can create and manage virtual machines and templates. Apply this role to a user for the whole environment with the Configure window, or for specific data centers or clusters. For example, if a PowerUserRole is applied on a data center level, the PowerUser can create virtual machines and templates in the data center.
UserVmManager System administrator of a virtual machine. Can manage virtual machines and create and use snapshots. A user who creates a virtual machine in the User Portal is automatically assigned the UserVmManager role on the machine.
The table below describes advanced user roles which allow you to do more fine tuning of permissions for resources in the User Portal.
Table 1.2. Red Hat Virtualization User Roles - Advanced
Role Privileges Notes
UserTemplateBasedVm Limited privileges to only use Templates. Can use templates to create virtual machines.
DiskOperator Virtual disk user. Can use, view and edit virtual disks. Inherits permissions to use the virtual machine to which the virtual disk is attached.
VmCreator Can create virtual machines in the User Portal. This role is not applied to a specific virtual machine; apply this role to a user for the whole environment with the Configure window. Alternatively apply this role for specific data centers or clusters. When applying this role to a cluster, you must also apply the DiskCreator role on an entire data center, or on specific storage domains.
TemplateCreator Can create, edit, manage and remove virtual machine templates within assigned resources. This role is not applied to a specific template; apply this role to a user for the whole environment with the Configure window. Alternatively apply this role for specific data centers, clusters, or storage domains.
DiskCreator Can create, edit, manage and remove virtual disks within assigned clusters or data centers. This role is not applied to a specific virtual disk; apply this role to a user for the whole environment with the Configure window. Alternatively apply this role for specific data centers or storage domains.
TemplateOwner Can edit and delete the template, assign and manage user permissions for the template. This role is automatically assigned to the user who creates a template. Other users who do not have TemplateOwner permissions on a template cannot view or use the template.
VnicProfileUser Logical network and network interface user for virtual machine and template. Can attach or detach network interfaces from specific logical networks.

1.2.4. Administrator Roles Explained

The table below describes basic administrator roles which confer permissions to access and configure resources in the Administration Portal.
Table 1.3. Red Hat Virtualization System Administrator Roles - Basic
Role Privileges Notes
SuperUser System Administrator of the Red Hat Virtualization environment. Has full permissions across all objects and levels, can manage all objects across all data centers.
ClusterAdmin Cluster Administrator. Possesses administrative permissions for all objects underneath a specific cluster.
DataCenterAdmin Data Center Administrator. Possesses administrative permissions for all objects underneath a specific data center except for storage.

Important

Do not use the administrative user for the directory server as the Red Hat Virtualization administrative user. Create a user in the directory server specifically for use as the Red Hat Virtualization administrative user.
The table below describes advanced administrator roles which allow you to do more fine tuning of permissions for resources in the Administration Portal.
Table 1.4. Red Hat Virtualization System Administrator Roles - Advanced
Role Privileges Notes
TemplateAdmin Administrator of a virtual machine template. Can create, delete, and configure the storage domains and network details of templates, and move templates between domains.
StorageAdmin Storage Administrator. Can create, delete, configure, and manage an assigned storage domain.
HostAdmin Host Administrator. Can attach, remove, configure, and manage a specific host.
NetworkAdmin Network Administrator. Can configure and manage the network of a particular data center or cluster. A network administrator of a data center or cluster inherits network permissions for virtual pools within the cluster.
VmPoolAdmin System Administrator of a virtual pool. Can create, delete, and configure a virtual pool; assign and remove virtual pool users; and perform basic operations on a virtual machine in the pool.
GlusterAdmin Gluster Storage Administrator. Can create, delete, configure, and manage Gluster storage volumes.
VmImporterExporter Import and export Administrator of a virtual machine. Can import and export virtual machines. Able to view all virtual machines and templates exported by other users.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.