11.1. Understanding Role-Based Access Administration in Virtuozzo Automator

As the Virtuozzo datacenter administrator, you can use the credentials of the root user having a full administrative access to the physical servers to manage these physical servers and all their virtual environments by means of Virtuozzo Automator. However, you may want to grant the rights to other users to perform certain operations on a physical server and/or its virtual environments. For example, you can allow some user to manage certain virtual environments without having access to the remaining virtual environments on the physical server and/or to the physical server itself or to complete only a restricted set of tasks in the virtual environment context (e.g. start, stop, and restart a virtual environment without having the right to back up this virtual environment or configure its resources).

To achieve this goal, a well-balanced user authentication and authorization strategy has been implemented. This strategy is based on the following main components:

  • users;
  • groups;
  • permissions;
  • roles;
  • authentication databases.

The relationship among these components is described as follows. Users are objects characterized by the roles delegated to them in a certain scope. Users can be members of groups. Users and groups can be retrieved either from local databases or from databases on external computers in your network. The information on these databases is stored on the physical server in the form of authentication databases. Roles are sets of abstract privileges that can be assigned to a user or a group to form a permission. Permissions enable users or groups to perform certain operations in different scopes, which can be represented by one of the following entities:

  • virtual environments;
  • physical servers;
  • logical units;
  • server group.

The latter two scopes are only available if you have the Server Group Operations license installed on your physical server.

Virtuozzo Automator allows you to manage any of the aforementioned components in the following way:

  • View the users currently existing on the physical server, create a new user, edit its properties (e.g. add users to groups), and remove an existing user from the physical server.
  • View the groups currently existing on the physical server, create a new group, edit its properties, and remove an existing group from the physical server.
  • View the roles currently existing on the physical server, create a new role, edit its properties, and remove an existing role from the physical server.
  • View the authentication databases currently existing on the physical server, create a new realm, set the default realm, and remove an existing realm from the physical server.
  • Grant users permissions, i.e. define what rights the users will have within a physical server of virtual environment(s).

Detailed information on how to perform these operations is given in the subsections below.