Red Hat Virtualization uses roles and permissions to grant or deny users access to resources. This allows the administrator to fine-tune access control. Most RHV users will only be interested in accessing virtual machines, but some may require additional permission to manage them.

Remember the three basic roles for users:

  • UserRole can connect to and use virtual machines through the User Portal. This role can start, stop, and suspend virtual machines, but cannot modify their configuration. This role is suitable for someone controlling or accessing the console of existing virtual machines through the web interface.
  • PowerUserRole can create virtual machines and view virtual resources. This is suitable for a user who may create and work with their own virtual machines but who does not need access to virtual machines managed by other users.
  • UserVmManager can edit or remove a virtual machine, assign user permissions, and use snapshots and templates. This role is suitable for an administrator of a virtual machine. It is automatically set on a new virtual machine for the user who created it.

The UserVmManager role is interesting because it can be set on a single virtual machine to give a user administrative control of just that virtual machine. It can also be set on a cluster to give a user the ability to manage all virtual machines in that cluster. Note that the role has limited permission to make infrastructural changes to the cluster (unlike ClusterAdmin).

NOTE: If you have UserRole on a virtual machine, you can see the virtual machine in User Portal and you can start or stop that machine. You cannot create new virtual machines or edit or delete existing ones. Also, if you only have UserRole, then you can only see User Portal’s Basic mode.

If you have UserVmManager on a virtual machine, you have full control of that virtual machine in User Portal, and you can edit its configuration or even delete it. You can also see User Portal’s Extended mode.

If you have only PowerUserRole, you can use Extended mode and create virtual machines in User Portal, and you can see your own virtual machines because you automatically get UserVmManager on the machines you create. You cannot see virtual machines created by other users unless you also have at least UserRole on them. If an administrator removes your UserVmManager role from a virtual machine you created, and you have only PowerUserRole and no UserRole on that virtual machine, you can no longer see that machine in User Portal.

Advanced user roles provide further control over virtual machine management. For example, UserTemplateBasedVm on a cluster allows a user to create virtual machines from templates in that cluster. Review Chapter 4, Managing User Accounts and Roles for more information on advanced user roles.

All three basic administrator roles, SuperUser, ClusterAdmin, and DataCenterAdmin, provide full control over virtual machines in the role’s scope for that administrator.

To add a role on a specific virtual machine for a particular user:

  1. Click the Virtual Machines tab and select the appropriate virtual machine.
  2. Click the Permissions tab in the lower part of the screen.
  3. Click the Add button to add a user with an associated role.
  4. Choose the appropriate source for your users.
  5. On the list of your RHV users, select the check box of the user to whom you want to assign the permission.
  6. In the lower part of the window, select the drop-down list and choose the appropriate role for that user.
  7. Click OK to confirm.

The user’s name and role display in the list of users permitted to access this virtual machine. This procedure can be used to add permissions to any type of available resource in your RHV environment.

To revoke roles for a user on a virtual machine, follow this procedure:

  1. Click the Virtual Machines tab and select the appropriate virtual machine.
  2. Click the Permissions tab in the lower part of the screen.
  3. Choose the appropriate user and role from the list of permissions, and click the Remove button.
  4. Confirm by clicking the OK button.

NOTE: It is not possible to use the web interface to remove from an object any roles and permissions that a user has inherited from a higher-level object. For example, if a user has ClusterAdmin on a cluster containing a virtual machine, you cannot remove the inherited ClusterAdmin role for that user from only one virtual machine. You must remove the role for that user from the cluster.
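The following is an added example, not part of the original text and not RHV's own code: a small Python model of the rules described above (inheritance of roles from a cluster or data center, the automatic UserVmManager grant on a newly created virtual machine, and the fact that an inherited role cannot be revoked on a single virtual machine). The object names (dc1, cluster1, vm1, vm2) and user names (alice, bob, carol) are constructed for the example; the walkthrough replays the PowerUserRole scenario described earlier.

```python
from collections import defaultdict

# Roles that let a user see a VM in User Portal (the admin roles also give full control).
SEE_VM = {"UserRole", "UserVmManager", "SuperUser", "ClusterAdmin", "DataCenterAdmin"}
EXTENDED_MODE = {"UserVmManager", "PowerUserRole"}  # either unlocks Extended mode

class Permissions:
    def __init__(self, parent):
        self.parent = dict(parent)       # object -> parent object (None at the top)
        self.direct = defaultdict(set)   # (user, object) -> roles granted directly there

    def add(self, user, obj, role):
        self.direct[(user, obj)].add(role)

    def create_vm(self, user, vm, cluster):
        self.parent[vm] = cluster
        self.add(user, vm, "UserVmManager")  # the creator is granted this automatically

    def effective_roles(self, user, obj):
        roles = set()                     # direct roles plus those inherited from ancestors
        while obj is not None:
            roles |= self.direct.get((user, obj), set())
            obj = self.parent[obj]
        return roles

    def remove(self, user, obj, role):
        # Only a role granted directly on obj can be revoked there; a role inherited from
        # a cluster or data center has to be removed on the object where it was granted.
        if role not in self.direct.get((user, obj), set()):
            raise PermissionError(f"{role} is not granted directly on {obj}")
        self.direct[(user, obj)].discard(role)

    def can_see_vm(self, user, vm):
        return bool(self.effective_roles(user, vm) & SEE_VM)

    def portal_mode(self, user):
        held = {r for (u, _), rs in self.direct.items() if u == user for r in rs}
        return "Extended" if held & EXTENDED_MODE else "Basic"

def walkthrough():
    # Constructed scenario: alice is a power user, bob a console user, carol a cluster admin.
    p = Permissions({"dc1": None, "cluster1": "dc1", "vm1": "cluster1"})
    p.add("alice", "cluster1", "PowerUserRole")  # may create her own VMs in cluster1
    p.add("bob", "vm1", "UserRole")              # console access to vm1 only
    p.add("carol", "cluster1", "ClusterAdmin")   # inherited by every VM in cluster1
    p.create_vm("alice", "vm2", "cluster1")
    seen_before = p.can_see_vm("alice", "vm2")
    p.remove("alice", "vm2", "UserVmManager")    # an admin revokes the auto-granted role
    return {"alice_before": seen_before, "alice_after": p.can_see_vm("alice", "vm2"),
            "bob_sees_vm2": p.can_see_vm("bob", "vm2"), "bob_mode": p.portal_mode("bob"),
            "carol_sees_vm2": p.can_see_vm("carol", "vm2")}
```

Calling `walkthrough()` shows alice losing sight of vm2 once her UserVmManager is revoked, while carol still sees it through the ClusterAdmin role inherited from cluster1.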