8.2. Oracle VDI Administrators

8.2.1. About Oracle VDI Role-Based Administration
8.2.2. How to Create Administrators and Assign Roles

8.2.1. About Oracle VDI Role-Based Administration

Oracle VDI administrators can be any valid user on an Oracle VDI host. They are identified by their login name. To be able to administer Oracle VDI from any host in an Oracle VDI Center, the user account must exist on all hosts. Otherwise, a user can only administer Oracle VDI on the hosts on which they have a user account.

By default, the root user is the only administrator on an Oracle VDI host. Other users can be granted administrative privileges. Oracle VDI uses role-based access control to restrict system access to the two main administrative areas, Companies and Desktop Providers. There are predefined roles to which administrators can be assigned to perform a job function.

There are three types of role:

  • Administrator : This type has full read and write access to an area.

  • Operator : This type has limited access to an area.

  • Monitor : This type has read-only access to an area.

There are six roles available in Oracle VDI:

  • Primary Administrator

    This role has full access to Oracle VDI. It can create, edit, and remove companies. The role inherits the Company Administrator and Desktop Provider Administrator roles.

  • Company Administrator

    This role can create and delete pools. It provides full access to the template management. The role inherits the Company Operator role.

  • Company Operator

    This role can edit pool settings and assign users to pools. It provides full access to the desktops. The role inherits the Company Monitor role.

  • Company Monitor

    This role can view all details in the Users and Pools area.

  • Desktop Provider Administrator

    This role can create, edit and delete desktop providers, and edit all settings. The role inherits the Desktop Provider Monitor role.

  • Desktop Provider Monitor

    This role can view all details in the Desktop Provider area.

The root user is always a Primary Administrator. This user cannot change role or be deleted from the list of administrators.

An administrator can be assigned more than one role but there are restrictions on the combinations. An administrator can have only one of the following:

  • Primary Administrator role

  • One Company role

  • One Desktop Provider role

  • One Company role and one Desktop Provider role

Role-Based Administration in Oracle VDI Manager

The appearance of Oracle VDI Manager is restricted depending on the roles assigned to the administrator. The top-level categories are shown only if the administrator has the required viewing rights for that category, as follows:

  • The Users and Pools areas are shown to Company roles and the Primary Administrator role.

  • The Desktop Provider area is shown to Desktop Provider roles and the Primary Administrator role.

  • The Settings area is shown to the Primary Administrator role.

Cross-area links are disabled if the administrator does not have the required viewing rights for the target area of the link.
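
The role rules described above (inheritance, the allowed role combinations, and which top-level areas are shown) can be modeled to review what an assignment actually grants. This is an added example, not Oracle code; the role names are the display names from this section, and the function names are hypothetical.

```python
# Added example: models the role rules stated in section 8.2.1.
# Role names are the page's display names; function names are hypothetical.

# Direct inheritance, as listed in the role descriptions.
INHERITS = {
    "Primary Administrator": ["Company Administrator",
                              "Desktop Provider Administrator"],
    "Company Administrator": ["Company Operator"],
    "Company Operator": ["Company Monitor"],
    "Company Monitor": [],
    "Desktop Provider Administrator": ["Desktop Provider Monitor"],
    "Desktop Provider Monitor": [],
}

def effective_roles(assigned):
    """Return every role held directly or through inheritance."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in INHERITS:
            raise ValueError(f"unknown role: {role}")
        if role not in seen:
            seen.add(role)
            stack.extend(INHERITS[role])
    return seen

def is_valid_assignment(assigned):
    """Allowed: Primary Administrator alone, or at most one Company role
    plus at most one Desktop Provider role (at least one role in total)."""
    roles = set(assigned)
    if not roles or not roles <= set(INHERITS):
        return False
    if "Primary Administrator" in roles:
        return roles == {"Primary Administrator"}
    company = [r for r in roles if r.startswith("Company ")]
    provider = [r for r in roles if r.startswith("Desktop Provider ")]
    return len(company) <= 1 and len(provider) <= 1

def visible_areas(assigned):
    """Top-level Oracle VDI Manager areas shown for this assignment."""
    eff = effective_roles(assigned)
    areas = set()
    if any(r.startswith("Company ") for r in eff):
        areas |= {"Users", "Pools"}
    if any(r.startswith("Desktop Provider ") for r in eff):
        areas.add("Desktop Provider")
    if "Primary Administrator" in eff:
        areas.add("Settings")
    return areas
```
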

Within an area, the appearance of Oracle VDI Manager is not changed depending on the roles assigned to the administrator. All buttons or action items appear active. When an administrator attempts to perform an operation that is not permitted, the operation fails and the following message is displayed:

You do not have sufficient administration rights to perform this operation.

Role-Based Administration on the Command Line

The vda command can be run by root and non-root users. All other Oracle VDI commands must be run by root.

Every time a non-root user runs a vda command, they are prompted to provide a password.

To run a vda command with an identity other than the current user, set the VDA_USERNAME environment variable to the required user name. When you run a command in this way, you enter the password of the VDA_USERNAME user.

If the administrator does not have the permission to run a vda subcommand, the command fails and the following message is displayed:

You do not have sufficient administration rights to perform this operation.

Role-Based Administration and Oracle VDI Web Services

Role-Based administration applies to Oracle VDI web services. A com.sun.vda.service.api.ServiceException is thrown if the credentials provided do not have the permissions to perform the requested operation.

8.2.2. How to Create Administrators and Assign Roles

To assign an administrator to a role, the administrator must be a valid user on the Oracle VDI host.

For more information about administrators and roles, see Section 8.2.1, “About Oracle VDI Role-Based Administration”.

Using Oracle VDI Manager, a Primary Administrator cannot edit their own role assignment, or remove their own user name from the list of administrators. These tasks must be performed by another Primary Administrator.

Oracle VDI Manager Steps

  1. Log in to Oracle VDI Manager as a Primary Administrator.

    Only a Primary Administrator can assign administration privileges. By default, the root user is a Primary Administrator.

  2. Go to Settings → VDI Center.

  3. Go to the Administrator tab.

    A list of configured administrators and their roles is displayed.

  4. Add an administrator.

    1. Click the New button.

    2. Type the login name of the administrator.

    3. Click OK.

    The new administrator is added to the list and is assigned the Company Monitor role by default.

  5. (Optional) Edit the role assignments for an administrator.

    1. In the list of administrators, click the administrator user name.

      The Role Assignment list is displayed.

    2. Select the check box for the role(s) you want to assign to the administrator and click the Save button.

    3. Click the Save button.

      A message is displayed that confirms the role assignments are updated.

CLI Steps

  1. Log in to an Oracle VDI host as a Primary Administrator.

    Only a Primary Administrator can assign administration privileges. By default, the root user is a Primary Administrator.

  2. Check whether the user is an administrator.

    # /opt/SUNWvda/sbin/vda admin-list

  3. List the available roles.

    # /opt/SUNWvda/sbin/vda role-list

  4. Assign roles to an administrator.

    # /opt/SUNWvda/sbin/vda admin-assign -r <role>,<role>... <username>

    For example:

    # /opt/SUNWvda/sbin/vda admin-assign -r company.monitor,provider.operator jsmith