Users, Roles, and Permissions

Oracle Linux Virtualization Manager has two types of user domains: local and external. During the installation of the Manager, a default local domain called the internal domain is created with a default admin@internal user. This account is intended for use when initially configuring the environment and for troubleshooting.

You can create extra users on the internal domain using the ovirt-aaa-jdbc-tool command-line utility. For more information about creating users, see Administering User and Group Accounts from the Command Line in the Oracle Linux Virtualization Manager: Administration Guide.

User properties consist of the roles and permissions assigned to a user. The security roles for all actions and objects in the platform are granular, inheritable, and provide for multilevel administration.

Roles are sets of permissions defined in the Administration Portal and are used to specify permissions to resources in the environment. The role types are:

  • Administrator Role - Conveys management permissions of physical and virtual resources through the Administration Portal. Examples of roles within this group are SuperUser, ClusterAdmin, and DataCenterAdmin.

  • User Role - Conveys permissions for managing and accessing virtual machines and templates through the VM Portal by filtering what's visible to a user. Roles can be assigned to users for individual resources or for levels of objects. Examples of roles within this group are UserRole, PowerUserRole, and UserVmManager.

You can create new roles with specific permissions applicable to a user's role within the environment. You can also remove specific permissions for a resource from a role assigned to a specific user.

You can use an external directory server to provide user account and authentication services: Active Directory, OpenLDAP, and 389ds. Use the ovirt-engine-extension-aaa-ldap-setup command to configure the connection to these directories.

Note:

After you have attached an external directory server, added the directory users, and assigned them appropriate roles and permissions, the admin@internal user can be disabled if it's not required. For more information, see Disabling User Accounts in the Oracle Linux Virtualization Manager: Administration Guide.
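The following is an added example, not taken from the Oracle documentation, showing the internal-domain account steps described above as ovirt-aaa-jdbc-tool calls wrapped in a dry-run guard. The function names (run, create_internal_user, disable_builtin_admin) and the DRY_RUN variable are hypothetical helpers; user names and dates are supplied by the caller.

```shell
#!/bin/sh
# Added example. Run on the Manager host; DRY_RUN=1 (default) only prints
# the commands, DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a named account in the internal domain. Arguments are sample values
# supplied by the caller: user name, first name, last name, and password
# expiry in "yyyy-MM-dd HH:mm:ssX" form.
create_internal_user() {
    run ovirt-aaa-jdbc-tool user add "$1" \
        --attribute=firstName="$2" --attribute=lastName="$3"
    # password-reset prompts for the new password interactively.
    run ovirt-aaa-jdbc-tool user password-reset "$1" --password-valid-to="$4"
    run ovirt-aaa-jdbc-tool user show "$1"
}

# Disable admin@internal. The tool manages accounts only, not roles, so this
# guard is an operator acknowledgement: pass the name of the account that
# already holds an administrator role (assigned in the Administration Portal).
disable_builtin_admin() {
    if [ -z "$1" ] || [ "$1" = "admin" ]; then
        echo "refusing: name the replacement administrator account" >&2
        return 1
    fi
    run ovirt-aaa-jdbc-tool user edit admin --flag=+disabled
}
```

A disabled account can be re-enabled with the same edit command and --flag=-disabled.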

For more information on users, roles, and permissions, see Global Configuration in the Oracle Linux Virtualization Manager: Administration Guide.