
Role Based Access Control

The Role Based Access Control (RBAC) feature lets you control which operations each administrator may perform. This is essential when multiple administrators manage the virtual infrastructure. The ConVirt RBAC mechanism is designed for flexibility as well as ease of use.

Out of the box, ConVirt RBAC has the following participants.

  • Entity : A managed object, e.g. Data Center, Server, Server Pool or Virtual Machine.
  • Users/Administrators : Each administrator has their own login and password and can belong to one or more user groups.
  • User Group : A group of users. Each group has an associated role.
  • Role : A collection of entities and the corresponding privilege on each of those entities.
  • Privileges : Privileges are a convenient packaging of the individual operations that can be performed on an entity. ConVirt comes with the following pre-packaged privileges.
    • None : No operations are allowed on the entity.
    • View : The entity can be viewed.
    • Operator : All operations on the entity are allowed except creating new entities or deleting existing ones.
    • Full : All operations, including creating new entities and removing them.

Privilege propagation

ConVirt allows you to specify privileges for the following entity types:

  • Data Center/Site
  • Server Pool
  • Template Store
  • Template Group

Once privileges are assigned on one of these container entities, the contained and related entities receive the same privilege. For example, if a role has FULL privilege on a Server Pool, it also has FULL privilege on the Servers within that pool and on the Virtual Machines running on those Servers. Bear in mind that this means FULL on a container also confers the ability to create and delete the entities inside it, so assign it at the narrowest container that fits.

When a new entity is added, all roles are updated to give it the same privilege they hold on its container.
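As an added illustration (this is not ConVirt's code), the following Python model ties the participants together: users belong to groups, each group has one role, a role maps entities to privileges, and a privilege is a set of operations. It implements the two propagation rules above (a grant on a container flows down to the contained entities, and a newly added entity picks up the privilege its container has) and, as a generalization, also models the GRANULAR_USER_MODEL option described under Advanced Options below, where propagation is switched off per role. ConVirt runs on Python, which is why that language is used here; the class, method and operation names are assumptions chosen to mirror the CLI verbs, and the entity tree is constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Atomic operations. These names are assumptions for illustration, not ConVirt's operation table.
ALL_OPS: Set[str] = {"view", "start", "stop", "migrate", "edit", "create", "delete"}

# The four pre-packaged privileges, each a packaging of operations as the text describes.
PRIVILEGES: Dict[str, Set[str]] = {
    "None": set(),
    "View": {"view"},
    "Operator": ALL_OPS - {"create", "delete"},  # everything except create/delete
    "Full": set(ALL_OPS),
}


@dataclass
class Entity:
    name: str
    kind: str                     # e.g. DataCenter, ServerPool, Server, VM
    parent: Optional[str] = None  # name of the container entity, if any


class Role:
    """A set of (entity -> privilege) grants. `granular` models GRANULAR_USER_MODEL."""

    def __init__(self, name: str, granular: bool = False) -> None:
        self.name = name
        self.granular = granular
        self.grants: Dict[str, str] = {}  # entity name -> privilege name

    def privilege_on(self, entity: str) -> str:
        return self.grants.get(entity, "None")

    def can(self, entity: str, op: str) -> bool:
        return op in PRIVILEGES[self.privilege_on(entity)]


class Rbac:
    def __init__(self) -> None:
        self.entities: Dict[str, Entity] = {}
        self.roles: Dict[str, Role] = {}
        self.group_role: Dict[str, str] = {}        # group -> its single role
        self.user_groups: Dict[str, Set[str]] = {}  # user -> groups

    def descendants(self, name: str) -> List[str]:
        """Entities contained, directly or transitively, in `name`."""
        out = [e.name for e in self.entities.values() if e.parent == name]
        for child in list(out):
            out.extend(self.descendants(child))
        return out

    def add_entity(self, name: str, kind: str, parent: Optional[str] = None) -> None:
        self.entities[name] = Entity(name, kind, parent)
        # Default mode: every role is updated so the new entity carries the privilege the
        # role holds on its container. A granular role gets nothing automatically and
        # needs an explicit assign_entity_privilege (an assumption about that mode).
        for role in self.roles.values():
            if not role.granular and parent in role.grants:
                role.grants[name] = role.grants[parent]

    def assign_entity_privilege(self, role_name: str, entity: str, privilege: str) -> None:
        if privilege not in PRIVILEGES:
            raise ValueError(f"unknown privilege {privilege!r}")
        role = self.roles[role_name]
        role.grants[entity] = privilege
        # Propagate down to contained entities unless the role is in granular mode.
        if not role.granular:
            for contained in self.descendants(entity):
                role.grants[contained] = privilege

    def add_role(self, name: str, granular: bool = False) -> Role:
        self.roles[name] = Role(name, granular)
        return self.roles[name]

    def assign_role(self, group: str, role_name: str) -> None:
        self.group_role[group] = role_name

    def add_group_user(self, group: str, user: str) -> None:
        self.user_groups.setdefault(user, set()).add(group)

    def user_can(self, user: str, entity: str, op: str) -> bool:
        """Allowed if the role of any group the user belongs to permits `op` on `entity`."""
        return any(self.roles[self.group_role[g]].can(entity, op)
                   for g in self.user_groups.get(user, set()) if g in self.group_role)


def build_example() -> Rbac:
    """Constructed scenario: dc1 > pool1 > srv1 > vm1, one Operator role granted on pool1."""
    rbac = Rbac()
    rbac.add_entity("dc1", "DataCenter")
    rbac.add_entity("pool1", "ServerPool", parent="dc1")
    rbac.add_entity("srv1", "Server", parent="pool1")
    rbac.add_entity("vm1", "VM", parent="srv1")
    rbac.add_role("pool1_operators")
    rbac.assign_entity_privilege("pool1_operators", "pool1", "Operator")
    rbac.assign_role("ops", "pool1_operators")
    rbac.add_group_user("ops", "alice")
    return rbac


if __name__ == "__main__":
    r = build_example()
    print(r.user_can("alice", "vm1", "start"), r.user_can("alice", "vm1", "delete"))  # True False
    r.add_entity("srv2", "Server", parent="pool1")
    print(r.roles["pool1_operators"].privilege_on("srv2"))  # Operator, inherited on creation
```

In the default mode alice can start vm1 because Operator flowed from pool1 through srv1 to vm1, but she cannot delete it (Operator excludes create and delete) and cannot even view dc1, since nothing was granted above the pool. A role created with `granular=True` keeps its grant on pool1 only and has to be granted on each Server or Virtual Machine explicitly, which is exactly the trade-off the GRANULAR_USER_MODEL option introduces.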

Role Example


Advanced Options

If you find the default behavior limiting, there are a few advanced options you can use. They are enabled by editing src/convirt/web/convirt/development.ini

  • GRANULAR_USER_MODEL : This option allows privileges to be set on individual Servers and Virtual Machines. In this mode, privileges do NOT propagate automatically from a container to the entities it contains. When a new entity is added, the users holding the current role receive the appropriate privileges on the newly created entity.

  • ADVANCED_PRIVILEGES : This option allows you to create, edit and delete privileges and to define which operation groups and operations each privilege consists of.

Using CLI to do customization

The CLI has good support for this subsystem and is worth exploring. It is easier to set up a custom RBAC scheme via the CLI, because it has facilities to perform "create like" on operation groups, privileges and so on.

   Users :
       list_users                                 Listing Users
       user_info                                  User Information
       add_user                                   Adds a User
       delete_user                                Deletes a User
       change_password                            Change Password
   User Groups :
       list_groups                                List of Groups
       group_info                                 Group Information
       add_group                                  Adds a Usergroup
       delete_group                               Deletes a Group
       add_group_user                             Adds a User to Group
       remove_group_user                          Deletes a User from Group
       assign_role                                Assign a Role to Group
   Roles :
       list_roles                                 List of Roles
       add_role                                   Adds a Role
       delete_role                                Deletes a Role
       assign_entity_privilege                    Assign a Privilege for the Role on the Entity
       remove_entity_privilege                    Remove a Privilege for the Role on the Entity
       create_like_role                           Creates a Similar Role
   Privileges :
       list_privileges                            List of Privileges
       add_privilege                              Add Privilege
       delete_privilege                           Deleting a Privilege
   Operation Groups:
       list_opgroups                              List of Operations Groups
       add_opgroup                                Add an Operations Group
       delete_opgroup                             Deletes an Operation Group
       create_like_opgroup                        Creates a similar Operations_Group
       assign_opgroup_privilege                   Assign a Privilege to the Operations Group
       remove_opgroup_privilege                   Removes the privilege of Operations Group
       list_operations                            List of Operations
       add_operation                              Add an Operation to Operations Group
       remove_operation                           Delete an Operation from Operations Group