Chapter 7. Managing User Access
oVirt's user access management is integrated with the Kerberos infrastructure that provides a single sign-on environment. oVirt is tightly integrated with the freeIPA project, so that administrators can authenticate, authorize, and audit their virtual resources across the enterprise. Permissions are defined by User Roles, which allocate specific permissions to users in hardware or virtual pools. oVirt queries the LDAP database for valid users, who can then be granted permissions on oVirt resources.
Users must be logged in via Kerberos to access oVirt. oVirt user permissions determine the hardware and virtual pools that are accessible to the user.
oVirt has four hierarchical permission levels that are reflected in four User Roles. Each role includes all the permissions of the roles beneath it. Thus, the top-level role of Super Admin has its own permissions as well as all the permissions of every role beneath it. In contrast, because Monitor is the lowest role, it has only its own permissions. Permission levels are attached to "pools", either hardware pools or VM resource pools, and they are inherited by subpools of those pools. Individual VMs do not have permission levels.
oVirt's hierarchical permissions model means that user permissions are set by the hardware administrator at the top level, and the finer detail is added by the team administrator:
Rather than specifying which box a particular application is running on, hardware administrators dedicate machines and storage to discrete groups, which then treat those resources generically.
Team administrators determine hardware and virtual resource usage based on software-defined resource limits and SLA definitions.
Users manage their own VMs, within their assigned quota/SLA, as required without requiring administrator attention.
Users are granted access in a particular role within a hardware or virtual pool. However, a user can be granted access to multiple pools, and can hold different roles in different pools.
User Roles are:
User Admin or Super Admin
A User Admin or Super Admin user can grant permissions and quota to other users, along with all other permissions. Typically the hardware administrator is the Super Admin, who can assign permissions to groups or teams, allowing access to resources and storage.
Administrator
An Administrator can create and delete hardware pools and virtual machine resource pools, and create, delete, and manipulate the objects in those pools (hosts, storage servers, quota, VMs). This includes the ability to create and delete VMs in a VM resource pool. Typically the team administrator is the Administrator. The Administrator must understand and determine the physical and virtual resources that a team requires for its work.
User
A User can open the page of a VM in a VM resource pool and perform the following operations on it:
start
stop
suspend
resume
restore
Typically, most users who need to use the VMs for their work will have this role.
Monitor or View
A user with Monitor or View privileges can only view objects in the assigned VM pool.
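The role hierarchy, pool inheritance, and per-pool grants described in this chapter can be modelled in a few dozen lines. The following Python is an added illustration and is not oVirt's own authorization code: the role names, the capability sets attached to each role, the pool tree, and the user names are all constructed from the descriptions above. One assumption beyond the text is how conflicting grants along a pool chain are resolved; the model takes the highest-ranked role found on the pool or any ancestor, and denies any action for a user with no grant anywhere on that chain.

```python
"""Toy model of a hierarchical role/pool permission scheme (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Roles from lowest to highest; each role implies every role beneath it.
ROLE_ORDER = ["Monitor", "User", "Administrator", "SuperAdmin"]
ROLE_RANK = {role: rank for rank, role in enumerate(ROLE_ORDER)}

# Capabilities each role adds on top of the roles beneath it (constructed,
# following the chapter's role descriptions; not oVirt's real action names).
ROLE_CAPS: Dict[str, Set[str]] = {
    "Monitor": {"view"},
    "User": {"start", "stop", "suspend", "resume", "restore"},
    "Administrator": {"create_pool", "delete_pool", "create_vm", "delete_vm"},
    "SuperAdmin": {"grant_permission", "assign_quota"},
}


def capabilities(role: str) -> Set[str]:
    """All capabilities of a role, including those of the roles beneath it."""
    caps: Set[str] = set()
    for lower in ROLE_ORDER[: ROLE_RANK[role] + 1]:
        caps |= ROLE_CAPS[lower]
    return caps


@dataclass
class Pool:
    """A hardware pool or VM resource pool; permissions attach here, not to VMs."""
    name: str
    parent: Optional["Pool"] = None
    grants: Dict[str, str] = field(default_factory=dict)  # user -> role in this pool


@dataclass
class VM:
    """A VM has no permission level of its own; checks defer to its pool."""
    name: str
    pool: Pool


def effective_role(pool: Pool, user: str) -> Optional[str]:
    """Highest role granted to `user` on `pool` or any of its ancestors.

    Grants are inherited down the pool tree, so a role on a parent pool applies
    to every subpool. A user with no grant anywhere on the chain gets None.
    (Taking the highest role is this model's assumption, not a statement about oVirt.)
    """
    best: Optional[str] = None
    node: Optional[Pool] = pool
    while node is not None:
        role = node.grants.get(user)
        if role is not None and (best is None or ROLE_RANK[role] > ROLE_RANK[best]):
            best = role
        node = node.parent
    return best


def is_allowed(pool: Pool, user: str, action: str) -> bool:
    """Deny by default: allow only if the effective role carries the action."""
    role = effective_role(pool, user)
    return role is not None and action in capabilities(role)


def vm_allowed(vm: VM, user: str, action: str) -> bool:
    """Per-VM check simply delegates to the VM's pool."""
    return is_allowed(vm.pool, user, action)


def build_example():
    """Constructed sample: a hardware pool with team subpools and a few users."""
    datacenter = Pool("datacenter")
    team_a = Pool("team-a", parent=datacenter)
    team_a_dev = Pool("team-a/dev", parent=team_a)
    team_b = Pool("team-b", parent=datacenter)

    datacenter.grants["alice"] = "SuperAdmin"   # hardware administrator
    team_a.grants["bob"] = "Administrator"      # team administrator
    team_a_dev.grants["bob"] = "Monitor"        # lower grant in a subpool does not demote bob
    team_a_dev.grants["carol"] = "User"         # runs her own VMs in the dev subpool
    team_b.grants["carol"] = "Monitor"          # same user, different role in another pool
    return datacenter, team_a, team_a_dev, team_b


if __name__ == "__main__":
    _, team_a, team_a_dev, team_b = build_example()
    for user in ("alice", "bob", "carol", "dave"):
        for pool in (team_a, team_a_dev, team_b):
            print(f"{user:6} {pool.name:10} role={effective_role(pool, user)} "
                  f"start={is_allowed(pool, user, 'start')} "
                  f"delete_vm={is_allowed(pool, user, 'delete_vm')}")
```

Running the block prints a small matrix of users against pools. Note that carol can start VMs in team-a/dev but cannot even view team-a itself, because her grant sits on the subpool and inheritance only flows downward; alice's Super Admin grant on the datacenter, by contrast, reaches every pool beneath it.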