3.2 Administrator Privileges in Oracle VM

Each administrator should have an individual user account in order to access Oracle VM Servers and Oracle VM Manager.

Note

You can create unique user accounts for Oracle VM Manager with the Administrator Tool (ovm_admin). For more information, see Oracle VM Manager Administrator Tool (ovm_admin) in the Oracle VM Administrator's Guide.

The Oracle VM dom0 is a highly privileged environment. For maximum security, administrative access to it must be strictly controlled, limited to authorized individuals, and logged. It must be stressed that the recommended method for most Oracle VM management is through the graphical user interfaces provided by Oracle VM Manager, the Oracle VM Manager Command Line Interface, or Oracle Enterprise Manager Ops Center, rather than logging onto individual servers, except in specific situations where command line access to Oracle VM Servers is needed or recommended by Oracle Support Services.

That said, customers may choose to deploy "normal" Linux administrative controls and remain supported. A specific valid example includes modifying /etc/ssh/sshd_config and /etc/sudoers to prevent SSH root login and requiring administrators to login as themselves and use sudo to gain privileged access. Another valid example is modifying /etc/login.defs to control password length and expiration policies. Adding device drivers or rpms would be examples of changes that could harm supportability and proper function, and should only be done in consultation with Oracle VM Support. Customers are encouraged to carefully review their access and security controls for suitability in the Oracle VM environment.

End users of virtual machines in the Oracle VM environment should not be granted administrative rights. They should rather access their virtual machines directly via SSH, RDP or VNC. For large scale environments, instead apply role based access control via Oracle Enterprise Manager, as explained in Section 3.4, “User Access to Virtual Machines”.