Understanding and Configuring VMM 2008 User Roles
Microsoft's Virtual Machine Manager (VMM 2008) provides considerable control over distributed virtualization environments. With great power, as the saying goes, comes great responsibility. A VMM user with full administrative privileges can create, configure and destroy virtual machines and any associated storage at will with a few mouse clicks. Giving unrestrained access to the VMM environment to the wrong person would be nothing short of a disaster.
It should come as no surprise, therefore, that VMM 2008 provides the ability to control which users have access to the management environment, and what they can do once they have gained that access. This is performed using a concept known as User Roles. Roles define what actions can be performed within the VMM 2008 environment. Users are then assigned as members of a role and thereby limited to the actions permitted by that role.
Types of VMM 2008 User Roles
A VMM 2008 user role is based on one of a set of three access levels:
- Administrator Role - The highest level of access available. Members of this role have complete and unrestricted access to all aspects of the VMM Administrator Console. These users are also able to create new Delegated Administrator Roles and Self-Service User Roles. Default members of this access level include members of the local Administrators group.
- Delegated Administrator Role - Delegated Administrator roles can be created either by members of the Administrator Role, or by members of another Delegated Administrator role. Members of a Delegated Administrator role have the same level of access as members of the Administrator Role, but access is restricted to the designated hosts, virtual machines and VMM Library Servers which are selected at role creation time.
- Self-Service User Role - Members of a Self-Service User Role are able to use a VMM Self-Service Portal to perform tasks on virtual machines. The permitted actions (such as starting, stopping and removing virtual machines through the portal) are defined during the role creation process and may subsequently be modified by an administrator.
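The three access levels above can be read as a small decision procedure. The following is an added example, not VMM code or anything taken from the product: a simplified Python model in which the role names, user names, object names and the `Role`, `is_allowed` and `effective_access` helpers are all hypothetical. It also assumes a Self-Service User Role is limited to a chosen set of virtual machines, which this chapter does not describe.

```python
from dataclasses import dataclass, field

ADMIN, DELEGATED, SELF_SERVICE = "Administrator", "DelegatedAdministrator", "SelfServiceUser"

@dataclass
class Role:
    name: str
    level: str                                    # one of the three access levels
    members: set
    scope: set = field(default_factory=set)       # (kind, name): host, vm or library
    actions: set = field(default_factory=set)     # permitted actions (self-service only)

def role_allows(role, action, target):
    """Decide whether one role permits `action` on `target`, a (kind, name) pair."""
    if role.level == ADMIN:
        return True                               # complete, unrestricted access
    if target not in role.scope:
        return False                              # outside the objects chosen at role creation
    if role.level == DELEGATED:
        return True                               # administrator-level access, but only in scope
    if role.level == SELF_SERVICE:
        # only virtual machines, and only the actions granted to the role
        return target[0] == "vm" and action in role.actions
    return False                                  # unknown level: deny

def is_allowed(roles, user, action, target):
    """A user may act if any role they are a member of allows it."""
    return any(user in r.members and role_allows(r, action, target) for r in roles)

def effective_access(roles, user, actions, targets):
    """Audit helper: every (action, target) pair the user can actually perform."""
    return sorted((a, t) for a in actions for t in targets
                  if is_allowed(roles, user, a, t))

# Constructed sample configuration (not taken from a real VMM server).
ROLES = [
    Role("Administrator", ADMIN, {"alice"}),
    Role("Branch Admins", DELEGATED, {"bob"},
         scope={("host", "hv-branch01"), ("vm", "web01"), ("library", "lib-branch")}),
    Role("Web Testers", SELF_SERVICE, {"carol"},
         scope={("vm", "web01")}, actions={"start", "stop"}),
]

if __name__ == "__main__":
    vms = [("vm", "web01"), ("vm", "db01")]
    for user in ("alice", "bob", "carol"):
        print(user, effective_access(ROLES, user, ["start", "stop", "remove"], vms))
```

Running `effective_access` for each member before handing out a role shows what that membership grants in practice, which makes an over-broad scope or action list easy to spot.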
Creating a New Delegated Administrator Role
As previously outlined, new Delegated Administrator roles may be created by existing members of either the Administrator Role or another Delegated Administrator role. New Delegated Administrator roles are created from within the VMM Administrator Console (see the chapter entitled A Guided Tour of the VMM Administrator Console for details on how to launch this console).
Once the console is running and connected to the appropriate VMM Server, select the Administration view by clicking on Administration in the view pane located in the bottom left hand corner of the console window. With this view selected, click on the User Roles item in the Administration pane in the top left hand corner. Doing so will display the current list of configured user roles as illustrated in the following figure:
Selecting a role from the list will result in details about that role, including members, appearing in the Details pane. In the above figure, for example, details of the Administrator Role are displayed.
A new Delegated Administrator role can be created by clicking on the New user role link located in the lower section of the Actions pane on the right side of the console window. Selecting this link will display the Create User Role wizard as illustrated below: