Users, Roles, and Permissions
Oracle Linux Virtualization Manager supports two types of user domains:
- Keycloak SSO domain: A modern authentication domain (default in 4.5+) that uses Keycloak for Single Sign-On (SSO). Keycloak supports local users, federation with Active Directory or LDAP, multifactor authentication (MFA), and modern identity standards.
- Internal domain (legacy AAA): A classic, built-in authentication mode backed by an internal user database. This domain can be retained for initial setup, emergencies, or legacy compatibility.
When Keycloak SSO is enabled, the default administrative user created during installation is admin@ovirt. The internal domain uses admin@internal.
You can create additional users in the internal (legacy AAA) domain using the ovirt-aaa-jdbc-tool utility. For more information, see Administering User and Group Accounts from the Command Line in the Oracle Linux Virtualization Manager: Administrator's Guide.
User properties consist of the roles and permissions assigned to a user. The security roles for all actions and objects in the platform are granular, inheritable, and provide for multilevel administration.
Roles are sets of permissions defined in the Administration Portal and are used to specify permissions to resources in the environment. The roles are:
- Administrator Role - Conveys management permissions of physical and virtual resources through the Administration Portal. Examples of roles within this group are SuperUser, ClusterAdmin, and DataCenterAdmin.
- User Role - Conveys permissions for managing and accessing virtual machines and templates through the VM Portal by filtering what is visible to a user. Roles can be assigned to users for individual resources or for whole levels of objects. Examples of roles within this group are UserRole, PowerUserRole, and UserVmManager.
You can create new roles with specific permissions applicable to a user's function within the environment. You can also remove specific permissions on a resource from a role assigned to a particular user.
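To make the inheritable, multilevel assignment described above concrete, here is an added Python model (not Manager code) of role grants on a System > Data Center > Cluster > VM object tree: a grant on a data center is effective on every cluster and VM beneath it, while a grant on a single VM stays confined to that VM. The tree, the user names and the permission strings are constructed for this illustration; only the role names come from the page.

```python
from dataclasses import dataclass, field

# Roles as named permission sets. Role names are those on the page; the permission
# strings are constructed for this illustration, not the Manager's real action ids.
ROLES = {
    "SuperUser":       {"manage_system", "manage_datacenter", "manage_cluster", "manage_vm", "run_vm"},
    "DataCenterAdmin": {"manage_datacenter", "manage_cluster", "manage_vm", "run_vm"},
    "ClusterAdmin":    {"manage_cluster", "manage_vm", "run_vm"},
    "UserVmManager":   {"manage_vm", "run_vm"},
    "UserRole":        {"run_vm"},
}

@dataclass
class Obj:
    """One node in the object tree (System > Data Center > Cluster > VM)."""
    name: str
    parent: "Obj | None" = None
    grants: list = field(default_factory=list)  # (user, role) granted directly here

def effective_permissions(user: str, obj: Obj) -> set:
    """Union of permissions from every role granted to the user on obj or on any
    ancestor: this walk up the tree is what makes a grant inheritable."""
    perms, node = set(), obj
    while node is not None:
        perms |= set().union(*(ROLES[role] for u, role in node.grants if u == user))
        node = node.parent
    return perms

def can(user: str, action: str, obj: Obj) -> bool:
    return action in effective_permissions(user, obj)

def build_sample() -> dict:
    """Constructed sample tree: two clusters in one data center, one VM each."""
    system = Obj("System")
    dc = Obj("DC1", system)
    cl_a, cl_b = Obj("ClusterA", dc), Obj("ClusterB", dc)
    vm1, vm2 = Obj("vm1", cl_a), Obj("vm2", cl_b)
    system.grants.append(("admin@ovirt", "SuperUser"))        # system-wide
    dc.grants.append(("dcadmin@ovirt", "DataCenterAdmin"))    # all of DC1
    cl_a.grants.append(("opsa@ovirt", "ClusterAdmin"))        # ClusterA only
    vm2.grants.append(("dev@ovirt", "UserVmManager"))         # a single VM
    return {"dc": dc, "cl_a": cl_a, "cl_b": cl_b, "vm1": vm1, "vm2": vm2}

if __name__ == "__main__":
    t = build_sample()
    for user, action, obj in [("opsa@ovirt", "manage_vm", t["vm1"]),
                              ("opsa@ovirt", "manage_vm", t["vm2"]),
                              ("dev@ovirt", "manage_cluster", t["cl_b"])]:
        print(f"{user:16} {action:15} on {obj.name:8}: {can(user, action, obj)}")
```

Granting UserVmManager on vm2 rather than ClusterAdmin on ClusterB is the least-privilege choice the model makes visible: dev@ovirt can manage that VM but gains nothing on the cluster around it.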
Oracle recommends managing user federation through Keycloak. Keycloak can federate with Active Directory, OpenLDAP, and other LDAP servers. After federation is configured in Keycloak, you assign roles and permissions to the federated users and groups in the Manager Administration Portal.
Note: After you have configured Keycloak federation and assigned roles and permissions, consider restricting use of the legacy admin@internal account and the internal domain to recovery scenarios. For more information, see Keycloak Integration and Management in the Oracle Linux Virtualization Manager: Administrator's Guide.
For more information on users, roles, and permissions, see Global Configuration in the Oracle Linux Virtualization Manager: Administration Guide.