oVirt / Red Hat Virtualization environment has a variety of preconfigured roles. Users in the internal or external domain can
be assigned multiple roles at multiple levels in the oVirt/RHEV hierarchy. The roles listed in this article can be used to better manage user access and to delegate administrative authority in Virtualization environment. This enables you to limit access to admin@internal
account while being able to properly track and manage users for compliance.
These roles that comes with the virtualization platform can be categorized in to two types of roles:
1. Administrative roles
Users with Administrative roles can access the Administration Portal and perform operations from there. By assigning less comprehensive roles to appropriate users, you’ll be able to offload administrative tasks.
SuperUser Role
- A user assigned this role has full permissions across all objects and levels in your oVirt/RHEV environment
- This role is assigned to admin@internal automatically
- This role is fit for engineers with the responsibility of managing the Virtualization environment
ClusterAdmin
- A user assigned this role will have administrative permissions for all resources in a specific cluster.
- Fit for cluster administrators for specific clusters.
- Users with this role assigned to one or more clusters are able to administer these clusters and their resources
- User with this role can administer, but cannot create new clusters.
DataCenterAdmin
- A user with this role has administrative permissions across all objects in a specific data center, except for storage
- Meant for data center administrators for specific data centers
- Users with this role cannot manage storage resources in data center, this is managed by a StorageAdmin.
StorageAdmin
- Contains all permissions required by a storage administrator
- A user assigned this role can create, delete, and manage assigned storage domains
NetworkAdmin
- Contain permissions required by a network administrator
- A user is assigned this role can create, edit, and remove the networks of an assigned data center or cluster
VmImporterExporter
- This role represents the permissions of an import and export administrator
- Users with this role can import and export virtual machines
TemplateAdmin
- It represents permissions required by a virtual machine template administrator
- Users with this role can create, configure, and delete storage domains and network details of templates
HostAdmin
- Contain permissions for a host administrator
- Enable users to attach, configure, remove, and manage a host
GlusterAdmin
- Permissions required for a Gluster Storage administrator
- Users assigned this role can create, remove, and manage Gluster storage volumes.
2. User roles
Users assigned user roles have access to the VM Portal. Roles that fall in this category are:
PowerUserRole
- A user assigned this role can create and manage virtual machines and templates at their assigned level, e.g within data center scope.
- This role allows users to self-service their own virtual machines
- A user will not be able to see virtual machines created by other users, unless at least UserRole is assigned on those machines
UserRole
- With this role, a user can log in to the VM Portal – to see the virtual machine, start or stop that machine.
- Users with this role cannot create new virtual machines, or edit or delete existing ones.
UserVmManager
- Users with this role can manage virtual machines, create and use snapshots for the VMs they are assigned
- Basically a user have full control of the virtual machine in VM Portal
- A user is automatically assigned this role on a new virtual machine that user creates using the VM Portal
VmCreator
- This role gives the user permission to create virtual machines using the User Portal.
- Users assigned this role are able to create virtual machines from VM Portal
TemplateCreator
- This role enables users to create, edit, manage, and remove templates
DiskOperator
- This role gives the user privileges to manage virtual disks – use, view, and edit virtual disks
UserTemplateBasedVm
- It gives the user limited privileges to use only the virtual machine templates – create virtual machines based on templates
DiskCreator
- This roles enable users assigned it to create, edit, manage, and remove virtual disks within the assigned part of the environment
TemplateOwner
- This role gives the user privileges to edit and remove templates
VnicProfileUser
- This role gives the user permission to attach or detach network interfaces from logical networks
Conclusion
These default roles cannot be changed or removed, but it is possible to clone them for customization. More information is available in the oVirt / RHEV administration documentation pages on how to clone and customize default roles, or create entirely new roles.
Other guides on oVirt / RHEV administration: