XenServer 5.6 introduced Role Based Access Control by allowing the mapping of a user (or a group of users) to defined roles (a named set of permissions), which in turn have the ability to perform certain operations. RBAC depends on Active Directory for authentication services. Specifically, XenServer keeps a list of authorized users based on Active Directory user and group accounts. As a result, you must join the pool to the domain and add Active Directory accounts before you can assign roles.

There are 6 default roles: Pool Admin, Pool Operator, VM Power Admin, VM Admin, VM Operator and Read Only - which can be listed and modified using the xe CLI.
Details here: http://bit.ly/2d8uA7C