Understanding and Configuring VMM 2008 User Roles
Microsoft's Virtual Machine Manager (VMM 2008) provides considerable control over distributed virtualization environments. With great power, as the saying goes, comes great responsibility. A VMM user with full administrative privileges can create, configure and destroy virtual machines and any associated storage at will with a few mouse clicks. Giving the wrong person unrestrained access to the VMM environment would be nothing short of a disaster.
It should come as no surprise, therefore, that VMM 2008 provides the ability to control which users have access to the management environment, and what they can do once they have gained that access. This is performed using a concept known as User Roles. Roles define what actions can be performed within the VMM 2008 environment. Users are then assigned as members of a role and are thereby limited to the actions permitted by that role.
Types of VMM 2008 User Roles
A VMM 2008 user role is based on one of a set of three access levels:
- Administrator Role - The highest level of access available, members of this role have complete and unrestricted access to all aspects of the VMM Administrator Console. These users are also able to create new Delegated Administrator Roles and Self-Service User Roles. Default members of this access level include members of the local Administrators group. There is only one Administrator Role and it is not possible to create more.
- Delegated Administrator Role - Delegated Administrator roles can be created either by members of the Administrator Role or by members of other Delegated Administrator roles. Members of a Delegated Administrator role have the same level of access as members of the Administrator Role, but that access is restricted to the hosts, virtual machines and VMM Library Servers designated when the role is created.
- Self-Service User Role - Members of a Self-Service User Role are able to use a VMM Self-Service Portal to perform specific tasks on virtual machines. The permitted actions (such as starting, stopping and removing virtual machines through the portal) are defined during the role creation process and may subsequently be modified by an administrator.
Creating a New Delegated Administrator Role
As previously outlined, new Delegated Administrator roles may be created by existing members of either the Administrator Role or another Delegated Administrator role. New Delegated Administrator roles are created from within the VMM Administrator Console (see the chapter entitled A Guided Tour of the VMM Administrator Console for details on how to launch this console).
Once the console is running and connected to the appropriate VMM Server, select the Administration view by clicking on Administration in the view pane located in the bottom left hand corner of the console window. With this view selected, click on the User Roles item in the Administration pane in the top left hand corner. Doing so will display the current list of configured user roles as illustrated in the following figure:
Selecting a role from the list will result in details about that role, including members, appearing in the Details pane. In the above figure, for example, details of the Administrator Role are displayed.
A new Delegated Administrator role can be created by clicking on the New user role link located in the lower section of the Actions pane on the right side of the console window. This selection will display the Create User Role wizard as illustrated below:
The initial screen requires a name for the new role, an optional description and the type of role (Delegated Administrator or Self-Service User). For the purposes of this exercise, select Delegated Administrator and click Next to proceed. The next screen allows the list of members of the role to be defined (new members may be added and existing members removed after the role has been created by following steps outlined later in this chapter). Click the Add... button to display the standard Windows Server 2008 Select Users, Computers or Groups dialog:
Identify the users to be added to the role, separating multiple names with semi-colons if necessary, and click Check Names to validate that the users exist. Click OK to add the users to the role and click Next to proceed to the Select Scope screen. On this screen, select the hosts and libraries for which members of the role are to have permission, followed by the Next button.
Review the Summary screen and click Create to create the new User Role.
Creating a New Self Service User Role
VMM 2008 Self-Service User roles may be created by existing members of either the Administrator or Delegated Administrator roles. As with new Delegated Administrator roles, Self-Service User roles are created from the Administration view of the VMM Administrator Console.
A new Self-Service User role can be created by clicking on the New user role link located in the lower section of the Actions pane. This selection will display the Create User Role wizard as illustrated below:
The initial screen requires a name for the new role, an optional description and the type of role (Delegated Administrator or Self-Service User). Select Self-Service User and click Next to proceed. The next screen allows the list of members of the role to be defined (new members may be added and existing members removed after the role has been created by following steps outlined later in this chapter). Click the Add... button to display the Windows Server 2008 Select Users, Computers or Groups dialog.
Identify the users to be added to the role, separating multiple names with semi-colons, and click Check Names to validate that the users exist. Click OK to add the users to the role and click Next to proceed to the Select Scope screen. On this screen, select the hosts for which members of this new role are to have permission, followed by the Next button.
The Virtual Machine Permissions screen shown below controls the actions members of the role are able to perform on virtual machines.
Deselect any permissions that are not to be granted to members of the role and click Next to proceed to the Virtual Machine Creation settings screen. Self-Service Portal users are only allowed to create new virtual machines if the Allow users to create virtual machines option on this screen is selected. If selected, users are then only able to create virtual machines from specific templates which are added here. If no templates are specified, users will be unable to create new virtual machines. Detailed information on the creation of virtual machine templates is provided in the Creating and Managing VMM 2008 Virtual Machine Templates chapter of this book:
The Virtual Machine Permissions screen also allows a quota point limit to be specified. There is not necessarily a one to one correlation between virtual machines and quota points (although by default VMM does assign one quota point to a virtual machine template). The number of quota points assigned to a virtual machine may be modified by selecting the template, clicking on Properties and selecting the Settings tab.
The number of quota points which should be assigned to a virtual machine created from a template will depend on the hardware resources configured for that template. A template containing a hardware configuration with large memory and CPU resource requirements, for example, is likely to be assigned a higher number of quota points in order to limit the number of virtual machine instances that can be created through the Self-Service Portal. Once the specified quota limit is reached for the Self-Service User role, additional virtual machines cannot be created until enough virtual machines belonging to the user role are shut down to free up the number of quota points required by the new virtual machine.
Clicking Next proceeds to the Library Share screen, which displays the library shares in which members of the role are allowed to store virtual machines. To prevent users from storing virtual machines in a library, deselect the Allow users to store virtual machines in a library option.
Finally, click Next, review the Summary screen and click Create to create the new Self-Service User role.
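The same Self-Service User role can be created and then audited from the VMM 2008 PowerShell snap-in rather than the wizard. This is an added example and not from the book; the server name, host group, template and group names are placeholders, and the parameter and property names marked as assumed should be confirmed with Get-Help before use.

```powershell
# Added example (not from the book): create a least-privilege Self-Service User
# role scoped to one host group and one template, then list every role so that
# over-privileged roles (e.g. ones that can Remove VMs) stand out.
# Cmdlet names are VMM 2008's; items marked (assumed) need Get-Help <cmdlet> -Full.
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager

$vmm       = Get-VMMServer -ComputerName "vmmserver.example.local"      # placeholder
$hostGroup = Get-VMHostGroup -VMMServer $vmm | Where-Object { $_.Name -eq "Dev Lab" }
$template  = Get-Template -VMMServer $vmm | Where-Object { $_.Name -eq "Win2008-Base" }

# Grant only the actions the team needs. Remove, LocalAdmin and RemoteConnect are
# deliberately left out; add them only when there is a stated requirement.
# (Permission names assumed to match the VMPermission enumeration.)
$permissions = @("Start", "Stop", "Shutdown", "PauseAndResume", "Checkpoint")

# Membership is a domain group, not individual accounts, so access is revoked
# by group maintenance rather than by editing the role.
$role = New-VMMUserRole -VMMServer $vmm -Name "DevLab SelfService" `
    -Description "Developers: start/stop lab VMs built from the approved template" `
    -UserRoleProfile SelfServiceUser `
    -AddMember @("CONTOSO\DevLab-Users") `
    -AddScope $hostGroup `
    -VMPermission $permissions

# Restrict creation to the one template and cap it with a quota
# (parameter names -AddVMTemplate and -Quota assumed; verify with Get-Help).
Set-VMMUserRole -UserRole $role -AddVMTemplate $template -Quota 10

# Audit pass: one line per role. A Self-Service role that can Remove VMs or has
# no template restriction is worth a second look.
Get-VMMUserRole -VMMServer $vmm | ForEach-Object {
    [pscustomobject]@{
        Role      = $_.Name
        Profile   = $_.Profile                              # (assumed property)
        Members   = ($_.Members -join ";")
        CanRemove = ($_.VMPermission -contains "Remove")    # (assumed property)
    }
} | Format-Table -AutoSize
```

Running the audit portion on its own is a cheap periodic check that no role has quietly acquired Remove or LocalAdmin rights since it was created.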
Modifying an Existing User Role
The configuration of an existing user role may be modified by right clicking on the desired role from the list in the VMM Administrator Console and selecting Properties from the menu. This will display the User Role Properties dialog. The dialog consists of a number of different pages which are accessed by clicking on the appropriate tab. The following figure shows the VM Permissions properties for a Self-Service User role: