8.3. Oracle VDI Administrators

8.3.1. About Oracle VDI Role-Based Administration
8.3.2. Creating Administrators and Assigning Roles

8.3.1. About Oracle VDI Role-Based Administration

Oracle VDI administrators can be any valid user on an Oracle VDI host. They are identified by their login name. To be able to administer Oracle VDI from any host in an Oracle VDI Center, the user account must exist on all hosts. Otherwise, a user can administer Oracle VDI only on the hosts on which they have a user account.

Oracle VDI uses role-based access control to restrict system access to the two main administrative areas, Companies and Desktop Providers. There are predefined roles to which administrators can be assigned to perform a job function.

There are three types of role:

  • Administrator : This type has full read and write access to an area.

  • Operator : This type has limited access to an area.

  • Monitor : This type has read-only access to an area.

There are six roles available in Oracle VDI:

  • Primary Administrator

    This role has full access to Oracle VDI. It can create, edit, and remove companies. The role inherits the Company Administrator and Desktop Provider Administrator roles.

  • Company Administrator

    This role can create and delete pools. It provides full access to the template management. The role inherits the Company Operator role.

  • Company Operator

    This role can edit pool settings and assign users to pools. It provides full access to the desktops. The role inherits the Company Monitor role.

  • Company Monitor

    This role can view all details in the Users and Pools area.

  • Desktop Provider Administrator

    This role can create, edit and delete desktop providers, and edit all settings. The role inherits the Desktop Provider Monitor role.

  • Desktop Provider Monitor

    This role can view all details in the Desktop Provider area.

When you configure a new Oracle VDI Center, you are prompted for the user name of the user that is to be assigned the Primary Administrator role. Other users can then be granted administrative privileges by this user. There must always be at least one Primary Administrator.

An administrator can be assigned more than one role but there are restrictions on the combinations. An administrator can have only one of the following:

  • Primary Administrator role

  • One Company role

  • One Desktop Provider role

  • One Company role and one Desktop Provider role

Role-Based Administration in Oracle VDI Manager

The appearance of Oracle VDI Manager is restricted depending on the roles assigned to the administrator. The top-level categories are shown only if the administrator has the required viewing rights for that category, as follows:

  • The Users and Pools areas are shown to Company roles and the Primary Administrator role.

  • The Desktop Provider area is shown to Desktop Provider roles and the Primary Administrator role.

  • The Settings area is shown to the Primary Administrator role.

Cross-area links are disabled if the administrator does not have the required viewing rights for the target area of the link.

Within an area, the appearance of Oracle VDI Manager is not changed depending on the roles assigned to the administrator. All buttons or action items appear active. When an administrator attempts to perform an operation that is not permitted, the operation fails and the following message is displayed:

You do not have sufficient administration rights to perform this operation.

The root user is no different to any other user and can only access Oracle VDI Manager if they are assigned an administrator role.

In Oracle VDI Manager, a Primary Administrator cannot edit their own role assignments, or remove their own user name from the list of administrators. These tasks must be performed by another Primary Administrator.

Role-Based Administration on the Command Line

The vda command can be run by root and non-root users. All other Oracle VDI commands must be run either by root or by a user that has assumed the root role (Oracle Solaris platforms).

The root user can always run Oracle VDI commands, even if they are not assigned any administrator roles.

Every time a non-root user runs a vda command, they are prompted for a password.

To run a vda command with an identity other than the current user, set the VDA_USERNAME environment variable to the required user name. When you run a command in this way, you enter the password of the VDA_USERNAME user.

If the administrator does not have the permission to run a vda subcommand, the command fails and the following message is displayed:

You do not have sufficient administration rights to perform this operation.

On the command line, a Primary Administrator can edit their own role assignments and remove their own user name from the list of administrators.

Role-Based Administration and Oracle VDI Web Services

Role-based administration applies to Oracle VDI web services. A com.sun.vda.service.api.ServiceException is thrown if the credentials provided do not have the permissions to perform the requested operation.

Role-Based Administration and the Enterprise Manager Plug-in for Oracle VDI

Role-based administration applies to monitoring data collection by the Enterprise Manager Plug-in for Oracle VDI. To enable monitoring of Oracle VDI targets, the Management Agent, which is an Oracle Enterprise Manager component, establishes a secure connection to the Oracle VDI Center Agent. In this process, the Management Agent must authenticate as an Oracle VDI administrator.

For security and auditing purposes, it is recommended that you configure a dedicated administrator account for the plug-in. This administrator account requires the Company Monitor and Desktop Provider Monitor roles.
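The role inheritance, the allowed role combinations and the Monitor-only plug-in account described in this section can be checked mechanically when reviewing administrator assignments. The following Python is an added example, not Oracle code: the role names are the display names used on this page, while the `{login: roles}` input, the sample logins, and treating any deviation from the two Monitor roles on the plug-in account as a finding are assumptions.

```python
INHERITS = {  # role -> roles it inherits directly, as listed on this page
    "Primary Administrator": ["Company Administrator", "Desktop Provider Administrator"],
    "Company Administrator": ["Company Operator"],
    "Company Operator": ["Company Monitor"],
    "Company Monitor": [],
    "Desktop Provider Administrator": ["Desktop Provider Monitor"],
    "Desktop Provider Monitor": [],
}
PLUGIN_ROLES = {"Company Monitor", "Desktop Provider Monitor"}
SAMPLE = {  # constructed logins and assignments (assumption, not from the page)
    "alice": {"Primary Administrator"},
    "bob": {"Company Operator", "Desktop Provider Monitor"},
    "carol": {"Company Administrator", "Company Monitor"},
    "emagent": {"Company Operator", "Desktop Provider Monitor"},
}

def area(role):
    """Map a role name to its administrative area."""
    if role == "Primary Administrator":
        return "primary"
    return "company" if role.startswith("Company") else "provider"

def effective_roles(assigned):
    """Expand the assigned roles with every role they inherit."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(INHERITS[role])
    return seen

def combination_ok(assigned):
    """Primary alone, or at most one Company and one Desktop Provider role."""
    areas = [area(r) for r in assigned]
    if "primary" in areas:
        return len(areas) == 1
    return 1 <= len(areas) <= 2 and len(set(areas)) == len(areas)

def audit(admins, plugin_account=None):
    """Return findings for a {login: set_of_roles} mapping."""
    findings = []
    if not any("Primary Administrator" in r for r in admins.values()):
        findings.append("no Primary Administrator")
    for login, roles in sorted(admins.items()):
        if not combination_ok(roles):
            findings.append(f"{login}: disallowed role combination")
        if login == plugin_account and effective_roles(roles) != PLUGIN_ROLES:
            findings.append(f"{login}: plug-in account roles differ from the two Monitor roles")
    return findings
```

Calling `audit(SAMPLE, "emagent")` flags `carol` for holding two Company roles and `emagent` because Company Operator grants more than the read-only access the plug-in needs.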

8.3.2. Creating Administrators and Assigning Roles

To assign an administrator to a role, the administrator must be a valid user on the Oracle VDI host.

For more information about administrators and roles, see Section 8.3.1, “About Oracle VDI Role-Based Administration”.

A Primary Administrator cannot edit their own role assignment, or remove their own user name from the list of administrators. These tasks must be performed by another Primary Administrator.

Oracle VDI Manager Steps

  1. Log in to Oracle VDI Manager as a Primary Administrator.

    Only a Primary Administrator can assign administration privileges.

  2. Go to Settings → VDI Center.

  3. Go to the Administrator tab.

    A list of configured administrators and their roles is displayed.

  4. Add an administrator.

    1. Click the New button.

    2. Type the login name of the administrator.

    3. Click OK.

    The new administrator is added to the list and is assigned the Company Monitor role by default.

  5. (Optional) Edit the role assignments for an administrator.

    1. In the list of administrators, click the administrator user name.

      The Role Assignment list is displayed.

    2. Select the check box for the role(s) you want to assign to the administrator and click the Save button.

    3. Click the Save button.

      A message is displayed that confirms the role assignments are updated.

Command Line Steps

  1. Log in as a Primary Administrator on an Oracle VDI host.

    Only a Primary Administrator, the root user, or a user that has assumed the root role (Oracle Solaris platforms) can assign administration privileges.

  2. Check whether the user is an administrator.

    # /opt/SUNWvda/sbin/vda admin-list

  3. List the available roles.

    # /opt/SUNWvda/sbin/vda role-list

  4. Assign roles to an administrator.

    # /opt/SUNWvda/sbin/vda admin-assign -r role username

    You can only assign one role at a time to a user.

    For example:

    # /opt/SUNWvda/sbin/vda admin-assign -r provider.operator jsmith