Changes

Jump to: navigation, search

Understanding and Configuring VMM 2008 User Roles

598 bytes added, 18:46, 29 May 2016
m
Text replacement - "<google>BUY_VMM_BOTTOM</google>" to "<htmlet>vmm</htmlet>"
Microsoft's <table border="0" cellspacing="0" width="100%"><tr><td width="20%">[[Converting VMware Virtual Machine Manager (Machines to Hyper-V using VMM 2008) provides considerable power of control over distributed virtualization environments. With great power, as the saying goes, comes great responsibility. An V2V|Previous]]<td align="center">[[VMM user with full administrative privileges can create, configure and destroy virtual machines and any associated storage at will with 2008 Essentials|Table of Contents]]<td width="20%" align="right">[[Deploying a few mouse clicks. Given unrestrained access to the VMM environment 2008 Self-Service Portal|Next]]</td><tr><td width="20%">Converting VMware Virtual Machines to the wrong person would be nothing short of Hyper-V using VMM 2008 V2V<td align="center"><td width="20%" align="right">Deploying a disaster.VMM 2008 Self-Service Portal</td></table><hr>
 <htmlet>vmm</htmlet>  Microsoft's Virtual Machine Manager (VMM 2008) provides considerable power of control over distributed virtualization environments. With great power, as the saying goes, comes great responsibility. A VMM user with full administrative privileges can create, configure and destroy virtual machines and any associated storage at will with a few mouse clicks. Given unrestrained access to the VMM environment to the wrong person would be nothing short of a disaster. It should come as no surprise, therefore, the that VMM 2008 provides the ability to control which users have access to the management environment, and what they can do once they have gained that access. This is performed using a concept known as ''User Roles''. Roles define what actions can be performed withinm within the VMM 2008 environment. Users are then assigned as members of a role and thereby limited to the actions permitted by that role.
== Types of VMM 2008 User Roles ==
A VMM 2008 user role is based on one of a set of three access levels:
* '''Administrator Role''' - The highest level of access available, members of this role have complete and unrestricted access to all aspect so aspects of the VMM Administrator Console. These users are also able to create new ''Delegated Administrator Roles'' and ''Self-Service User Roles''. Default members of this access level include members of the local Administrators group. There is only one Administrator Role and it is not possible to create more.
* '''Delegated Administrator Role''' - Delegated Administrator roles can be created either by members of the Administrator Role, or by other members of a other Delegated Administratorroles. Members of a delegated administrators group Delegated Administrators role have the same level of access as members of the Administrator Role, but access is restricted to designated hosts, virtual machines and VMM Library Servers which are selected designated at the role creation time.
* '''Self-Service User Role''' - Members of a Self-Service User Role are able to use a VMM Self-Service Portal to perform specific tasks on virtual machines. The permitted actions (such as starting, stopping and removing virtual machines through the portal) are defined during the role creation process and may subsequently be modified by an administrator.
== Creating a New Delegated Administrator Role ==
Selecting a role from the list will result in details about that role, including members, appearing in the ''Details'' pane. In the above figure, for example, details of the Administrator Role are displayed.
A new Delegated Administrator role can be created by clicking on the ''New user role'' link located in the lower section of the ''Actions'' pane located on the right side of the console window. This selection will display the ''Create User Role'' wizard as illustrated below:
Identify the users to be added to the role, separating multiple names with semi-colons if necessary and click ''Check Names'' to valid validate the existence of the users. Click ''OK'' to add the users to the role and click ''Next'' to proceed to the ''Select Scope'' screen. On this screen, select the hosts and libraries for which members of the role are to have permission, followed by the ''Next'' button.
Review the ''Summary'' screen and click ''Create'' to create the new User Role.
 
== Creating a New Self Service User Role ==
VMM 2008 Self-Service User roles may be created by existing members of either the Administrator or Delegated Administrator roles. As with new Delegated Administrator roles, Self-Service User roles are created from the ''Administration'' view of the VMM Administrator Console.
A new Delegated Administrator Self-Service User role can be created by clicking on the ''New user role'' link located in the lower section of the ''Actions'' pane located on the right side of the console window. This selection will display the ''Create User Role'' wizard as illustrated below:
The initial screen requires a name for the new role, an optional description and the type of role (Delegated Administrator or Self-Service User). Select ''Self-Service User'' and click ''Next'' to proceed. The next screen allows the list of members of the role to be defined (new members may be added and existing members removed after the role has been created by following steps outlined later in this chapter). Click the ''Add...'' button to display the Windows Server 2008 ''Select Users, Computers or Groups'' dialog.
Identify the users to be added to the role, separating multiple names with semi-colons and click ''Check Names'' to valid validate the existence of the users. Click ''OK'' to add the users to the role and click ''Next'' to proceed to the ''Select Scope'' screen. On this screen, select the hosts for which members of this new role are to have permission, followed by the ''Next'' button.
The ''Virtual Machine Permissions'' screen shown below controls the actions members of the role are able to perform on virtual machines.
Deselect any permission permissions that are not to be granted to members of the role and click ''Next'' to proceed to the ''Virtual Machine Creation'' settings screen. Self-Service Portal users are only allowed to create new virtual machines if the ''Allow users to create virtual machines'' option on this screen is selected. If selected, users are then only able to create virtual machines from specific templates which are added here. If no templates are specified, users will be unable to create new virtual machines. Detailed information on the creation of virtual machine templates is provided in the [[Creating and Managing VMM 2008 Virtual Machine Templates]] chapter of this book:
The ''Virtual Machine Permissions'' screen also allows a quota point limit to be specified. There is not necessarily a one to one correlation between virtual machines and quota points (although by default VMM does assign one quota point to a virtual machine template). The number of quota points assigned to a virtual machine may be modified in the template by selecting the template from the VMM Administrator Console ''Library'' view, selecting clicking on ''Properties'' from the ''Actions'' pane and choosing selecting the ''Settings'' tab.
The number of quota points which should be assigned to a virtual machine created from a template will depend on the hardware resources configured for that template. A template containing a hardware configuration with large memory and CPU resource requirements, for example, is likely to be assigned a higher number of quota points in order limit the number of virtual machine instances that can be created through the Self-Service Portal. Once the specified quota limit is reached for the Self-Service User role, additional virtual machines cannot be created until enough virtual machines belonging to the user role are shut down to free up the number of quota points required by the new virtual machine.
Clicking ''Next'' proceeds to the ''Library Share'' screen where the the library shares to which members of the role are allowed to store virtual machines is displayed. To prevent users from storing virtual machines in a library, deselect the ''Allow users to store virtual machines in a library'' option.
Finally, click ''Next'', review the ''Summary'' screen and click ''Create'' to create the new Self-Service User role.
== Modifying an Existing User Role ==
The configuration of an existing user role may be modified by right clicking on the desired role from the list in the VMM Administrator Console and selecting ''Properties'' from the menu. This will display the ''User Role Properties'' dialog. The dialog consist consists of a number of different pages which are accessed by clicking on the appropriate tab. The following figure shows the ''VM Permissions'' properties for a Self-Service User role:
[[Image:vmm_self-service_role_properties.jpg|The properties of a VMM 2008 Self-Service user role]]
 
 
Once the required configuration settings have been made, click ''OK'' to commit the changes.
 
 
<htmlet>vmm</htmlet>

Navigation menu