11.7. Managing User/Group Permissions¶
The main idea of the role-based access control functionality consists in granting a user (or several users within one and the same group) access to the physical server or its virtual environments, thus, allowing them to log in to this physical server/virtual environment(s) by means of Virtuozzo Automator and to perform a number of operations on them in accordance with the rights and permissions assigned to the user (or group). So, in the VA security model any user/group is characterized by the permissions deduced from the roles assigned to the user (group) and allowing her/him to complete certain tasks in the physical server/virtual environment context.
11.7.1. Creating Permissions¶
To let a user perform tasks in Virtuozzo Automator, assign one or more roles to that user, either directly or by placing the user in a group with the role. Roles can be assigned by creating permissions for users or groups.
In terms of scope, permissions can be global (affecting the entire infrastructure) or limited to one or more physical servers, a logical folder, or a virtual environment.
Typically, you need to create a global permission to let the user log in to Virtuozzo Automator and then create a scoped permission to let the user perform needed tasks in the chosen context.
To create a global permission allowing selected users to log in to Virtuozzo Automator, do the following:
Open Setup > Security > Global Permissions and click New Permission.
On the New Permission screen, click Add User.
In the Specify Users pop-up window, click Search to update the user list, select one or more entries, and click Add Selected.
Back on the New Permission screen, select the role VA User and click >> to move it to the Selected list.
Click Save.
Now the selected users can log in to Virtuozzo Automator.
You can also create a similar permission for one or more groups and add users to them either while creating users or by configuring them on the Setup > Security > Users screen.
The procedure to grant a scoped permission to users is similar to the one described above:
Open the Security screen, depending on the scope:
Infrastructure > Security, for operations on the entire infrastructure
<node> > Security, for operations on a node,
<VE> > > Security, for operations on a virtual environment,
Logical View > Security, for operations
<subfolder> > Security, for operations on the entities in a subfolder
Click New Permission.
On the New Permission screen, click Add User.
In the Specify Users pop-up window, click Search to update the user list, select one or more entries, and click Add Selected.
Back on the New Permission screen, select one or more roles and click >> to move them to the Selected list.
Click Save.
You can also create a similar permission for one or more groups and add users to them either while creating users or by configuring them on the Setup > Security > Users screen.
Now the selected users can perform tasks according to the assigned roles in the chosen context.
11.7.1.1. Managing Physical Server Permissions¶
11.7.2. Viewing Physical Server Permissions¶
You can view the permissions of a user (group) to perform certain operations in the physical server context on the Security tab of the physical server. The Permissions table on this tab displays all the permissions currently existing in respect of the physical server. The information on permissions is presented in the following columns:
Column |
Description |
|---|---|
User or Group |
The user/group possessing the given permission. |
Assigned Role |
The role assigned to the user/group and defining the set of privileges for this user/group. |
Authentication Database |
The name of the authentication database the user/group belongs to. |
By default, 20 permissions are displayed on a page. To change the number of permissions shown per page, click the appropriate link below the table. You can also filter the permissions shown in the Permissions table. To do that, click Show Search, enter search patterns in the search fields, and click Search. To change what search fields are displayed, click Customize. To have the full list of permissions back, click Reset Results. To change the permissions order in the table, click the corresponding column name.
On the Permissions tab you can:
Remove an existing permission by selecting the check box near the corresponding user and clicking the Delete button.
Create a new permission by following the New Permission link at the top of the Users table.
11.7.3. Creating Physical Server Permissions¶
The New Permission screen allows you to assign roles to users/groups, thus, endowing these users/groups with certain rights in respect of the given physical server. This screen can be accessed by clicking New Permission on the Security tab of the physical server. For more information, see Creating Permissions.
11.7.3.1. Managing Container Permissions¶
11.7.4. Viewing Container Permissions¶
You can view the permissions of a user (group) to perform certain operations in the container context on the Security tab of the container. The Permissions table on this tab displays all the permissions currently existing in respect of the given container. For more information, see Viewing Physical Server Permissions.
11.7.5. Creating Container Permissions¶
The New Permission screen allows you to assign roles to users/groups, thus, endowing these users/groups with certain rights in respect of the given container. This screen can be accessed by clicking New Permission on the Security tab of the container. For more information, see Creating Permissions.
11.7.5.1. Managing Virtual Machine Permissions¶
11.7.6. Viewing Virtual Machine Permissions¶
You can view the permissions of a user (group) to perform certain operations in the virtual machine context on the Security tab of the virtual machine. The Permissions table on this tab displays all the permissions currently existing in respect of the given virtual machine. For more information, see Viewing Physical Server Permissions.
11.7.7. Creating Virtual Machine Permissions¶
The Add Permission screen allows you to assign roles to users or groups, thus, endowing these users or groups with certain rights in respect of the virtual machine. This screen can be accessed by clicking New Permission on the Security tab of the virtual machine. For more information, see Creating Permissions.
11.7.7.1. Managing Server Group Permissions¶
11.7.8. Viewing Server Group Permissions¶
You can view the permissions of a user (group), allowing her/him to perform certain operations on all physical servers included in the Server Group, on the Global Permissions tab of the Security window which can be accessed by following the Security link on the Virtuozzo Automator main menu. The Permissions table on this tab displays all the permissions currently existing in respect of the Server Group. For more information, see Viewing Physical Server Permissions.
Note
If you have one physical server registered in Virtuozzo Automator, the Permissions table will display the permissions for this physical server only.
11.7.9. Creating Server Group Permissions¶
The New Permission screen allows you to assign roles to users/groups, thus, endowing these users/groups with certain rights to manage all the physical servers included in the Server Group and all their virtual environments. This screen can be accessed by following the Security link on the Virtuozzo Automator main menu, clicking the Global Permissions tab on the Security screen, and clicking New Permission on this tab. For more information, see Creating Permissions.
11.7.9.1. Managing Logical Unit Permissions¶
11.7.10. Viewing Logical Unit Permissions¶
You can view the permissions of a user (group), allowing her/him to perform certain operations on all physical servers and virtual environments included in the given logical unit, on the Permissions tab of the Logical View window which can be accessed by following the Logical View link on the Virtuozzo Automator main menu. The Permissions table on this tab displays all the permissions currently existing in respect of this logical unit. For more information, see Viewing Physical Server Permissions.
11.7.11. Creating Logical Unit Permissions¶
The New Permission screen allows you to assign roles to users/groups, thus, endowing these users/groups with certain rights to manage all the physical servers and virtual environments included in the given logical unit. This screen can be accessed by following the Logical View link on the Virtuozzo Automator main menu, clicking the Permissions tab on the Logical View screen, and clicking New Permission on this tab. For more information, see Creating Permissions.