Users, Roles, and Permissions

In Oracle Linux Virtualization Manager, there are two types of user domains: local domain and external domain. During the installation of the Manager, a default local domain called the internal domain is created with a default admin@internal user. This account is intended for use when initially configuring the environment and for troubleshooting.

You can create additional users on the internal domain using the ovirt-aaa-jdbc-tool command-line utility. For more information about creating users, see Administering User and Group Accounts from the Command Line in the Oracle Linux Virtualization Manager: Administration Guide.

User properties consist of the roles and permissions assigned to a user. The security roles for all actions and objects in the platform are granular, inheritable, and provide for multi-level administration.

Roles are sets of permissions defined in the Administration Portal and are used to specify permissions to resources in the environment. There are two types of roles:

  • Administrator Role - Conveys management permissions of physical and virtual resources through the Administration Portal. Examples of roles within this group are SuperUser, ClusterAdmin and DataCenterAdmin.

  • User Role - Conveys permissions for managing and accessing virtual machines and templates through the VM Portal by filtering what is visible to a user. Roles can be assigned to users for individual resources or for levels of objects. Examples of roles within this group are UserRole, PowerUserRole and UserVmManager.

It is possible to create new roles with specific permissions applicable to a user's role within the environment. It is also possible to remove specific permissions to a resource from a role assigned to a specific user.

You can also use an external directory server to provide user account and authentication services. You can use Active Directory, OpenLDAP, and 389ds. Use the ovirt-engine-extension-aaa-ldap-setup command to configure the connection to these directories.

Note:

After you have attached an external directory server, added the directory users, and assigned them appropriate roles and permissions, the admin@internal user can be disabled if it is not required. For more information, see Disabling User Accounts in the Oracle Linux Virtualization Manager: Administration Guide.

For more information on users, roles, and permissions, see Global Configuration in the Oracle Linux Virtualization Manager: Administration Guide.