Beginning with System Center Virtual Machine Manager (VMM) 2008, VMM implements role-based security to provide finer control over who can do what within the virtualized environment. This security model supports delegated administration, which was not available in VMM 2007. Self-service user roles replace the self-service policies that were used to administer virtual machine self-service in VMM 2007.
A user role defines a set of operations (grouped in a profile) that can be performed on a selected set of objects (defined by the user role’s scope). Within that framework, an organization can create delegated administrator roles that allow, for example, a high-level administrator to manage all operations in a New York office, a specialized administrator to manage all library servers, or an advanced user to set up complex virtual environments within a single lab. An organization also can create self-service user roles that allow users to perform a specified set of operations on their own virtual machines.
A user role consists of the following parts:
- A profile defines the set of available operations that a role member can perform.
- The scope defines the set of objects that the operations can target.
- The membership list specifies the Active Directory user accounts and security groups that are assigned to the role.
When you add a Hyper-V host to VMM 2008 R2, VMM preserves changes to role definitions and role memberships in the root scope of the Hyper-V authorization store. The VMM agent overwrites all changes to other scopes. As a result, while a Hyper-V host is managed by VMM 2008 R2, access is determined by the union of all roles in the root scope plus the VMM role assigned to each virtual machine’s scope.
This is a change from the way that VMM 2008 handles Hyper-V role definitions and scopes. When a Hyper-V host is added to VMM 2008, VMM creates its own authorization store without importing any role and membership settings from initialstore.xml on the Hyper-V computer, and then updates the registry so that Hyper-V points to the VMM authorization store.
For more information, see security considerations for Hyper-V hosts in Hardening Virtual Machine Hosts Managed by VMM.
In role-based security, dynamic collections of instances of objects (such as hosts or virtual machines), known as groups, determine the available targets for a particular operation that a user performs. For example, when a user attempts to start a virtual machine, VMM first checks whether the user has permission to perform the Start action on virtual machines and then verifies that the user has the right to start the selected virtual machine.
These groups are hierarchical: providing access to a particular instance provides access to all instances contained in that instance. For example, providing access to a host group provides access to all hosts within the host group and to all virtual networks on the hosts.
The following illustration shows the hierarchy of instances within the groups that apply to VMM user roles. When a user role provides access to an instance in the outer ring, it automatically provides access to all instances in the inner rings. Virtual machines are pictured separately because the flow of access works somewhat differently for them. For all administrator roles, host group rights flow to all virtual machines that are deployed on the hosts. However, that is not true for members of self-service user roles. The rights of self-service users are limited to virtual machines that they own.
Illustration: Group hierarchies for role-based security
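As an added illustration of the decision just described (this is example code written for this page, not VMM's own code; the host, virtual machine, account and operation names are constructed), the following Python model authorizes an operation the way the text says VMM does: the user's roles are taken together, a role must carry the operation in its profile and contain the target in its scope by walking up the host group hierarchy, administrator rights flow down to virtual machines on hosts in scope, and a self-service role reaches only virtual machines the member owns, directly or through a security group.

```python
"""Constructed model of how VMM 2008 role-based security decides an operation.

Illustration written for this page, not VMM code. Rights flow down the object
hierarchy (host group -> host -> virtual network). Administrator and delegated
administrator rights also flow to every VM deployed on a host in scope; self-service
rights reach only VMs the member owns, directly or through a security group.
"""
from dataclasses import dataclass

# Operation names are constructed for the example, not VMM's action names.
ADMIN_OPERATIONS = frozenset({"Start", "Stop", "Create", "Remove", "Migrate", "ModifySettings"})
SELF_SERVICE_OPERATIONS = frozenset({"Start", "Stop", "Create", "Remove", "RemoteConnect"})


@dataclass(frozen=True)
class Target:
    kind: str   # "host_group", "host", "vnet" or "vm"
    name: str


@dataclass
class Inventory:
    host_group_of_host: dict   # host name -> host group name
    host_of_vnet: dict         # virtual network name -> host name
    host_of_vm: dict           # VM name -> host it is deployed on
    vm_owner: dict             # VM name -> owning account or security group


@dataclass
class UserRole:
    name: str
    profile: str               # "Administrator", "DelegatedAdmin" or "SelfServiceUser"
    operations: frozenset      # fixed by the profile
    host_groups: frozenset     # scope; not consulted for the Administrator profile
    members: frozenset         # AD user accounts and security groups


def host_group_of(target, inv):
    """Walk up the hierarchy to the host group that contains the target."""
    if target.kind == "host_group":
        return target.name
    if target.kind == "host":
        return inv.host_group_of_host[target.name]
    if target.kind == "vnet":
        return inv.host_group_of_host[inv.host_of_vnet[target.name]]
    if target.kind == "vm":
        return inv.host_group_of_host[inv.host_of_vm[target.name]]
    raise ValueError(f"unknown target kind {target.kind}")


def role_grants(role, principals, operation, target, inv):
    """One role's decision: membership, then profile, then scope, then VM ownership."""
    if not (role.members & principals):
        return False
    if operation not in role.operations:
        return False
    if role.profile != "Administrator" and host_group_of(target, inv) not in role.host_groups:
        return False
    if role.profile == "SelfServiceUser":
        # Host-group rights do not flow to VMs for self-service users: the VM must be
        # owned by the user or by a security group the user belongs to.
        return target.kind == "vm" and inv.vm_owner[target.name] in principals
    return True


def authorized(user, groups, operation, target, roles, inv):
    """VMM grants the union of all roles the user holds: any single grant suffices."""
    principals = frozenset({user}) | frozenset(groups)
    return any(role_grants(role, principals, operation, target, inv) for role in roles)


# Constructed inventory: a New York host group and a lab host group.
INVENTORY = Inventory(
    host_group_of_host={"ny-hv01": "NewYork", "ny-hv02": "NewYork", "lab-hv01": "Lab"},
    host_of_vnet={"ny-external": "ny-hv01"},
    host_of_vm={"web01": "ny-hv01", "db01": "ny-hv02", "test01": "lab-hv01"},
    vm_owner={"web01": "CONTOSO\\alice", "db01": "CONTOSO\\bob", "test01": "CONTOSO\\LabUsers"},
)

# Constructed roles: the Administrator role, a delegated admin role for New York,
# and two self-service roles (bob holds two roles, so he gets the union of both).
ROLES = [
    UserRole("Administrator", "Administrator", ADMIN_OPERATIONS, frozenset(),
             frozenset({"CONTOSO\\vmmadmin"})),
    UserRole("NY Delegated Admins", "DelegatedAdmin", ADMIN_OPERATIONS, frozenset({"NewYork"}),
             frozenset({"CONTOSO\\carol", "CONTOSO\\bob"})),
    UserRole("NY Self-Service", "SelfServiceUser", SELF_SERVICE_OPERATIONS, frozenset({"NewYork"}),
             frozenset({"CONTOSO\\alice", "CONTOSO\\bob"})),
    UserRole("Lab Self-Service", "SelfServiceUser", SELF_SERVICE_OPERATIONS, frozenset({"Lab"}),
             frozenset({"CONTOSO\\LabUsers"})),
]


def check(user, operation, kind, name, groups=()):
    """Convenience wrapper over the constructed roles and inventory."""
    return authorized(user, groups, operation, Target(kind, name), ROLES, INVENTORY)
```

With this data, `check("CONTOSO\\carol", "Start", "vm", "web01")` is True because delegated administrator rights on the NewYork host group flow to the VM on ny-hv01, while `check("CONTOSO\\alice", "Start", "vm", "db01")` is False even though db01 is in alice's scope, because a self-service member only reaches VMs she owns. Bob can `Migrate` web01 through his delegated administrator role even though his self-service role does not offer that operation, which is the union rule the text describes.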
Role Types in VMM
The following user role types, based on profiles of the same name, are defined for VMM:
- Administrator role—Members of the Administrator role can perform all VMM actions on all objects that are managed by the VMM server. Only one role can be associated with this profile. At least one administrator should be a member of the role.
- Delegated Administrator role—Members of a role based on the Delegated Administrator profile have full VMM administrator rights, with a few exceptions, on all objects in the scope defined by the host groups and library that are assigned to the role. A delegated administrator cannot modify VMM settings or add or remove members of the Administrator role.
- Self-Service User role—Members of a role based on the Self-Service User profile can manage their own virtual machines within a restricted environment. Self-service users use the VMM Self-Service Web Portal to manage their virtual machines. The portal provides a simplified view of only the virtual machines that the user owns and the operations that the user is allowed to perform on them. A self-service user role specifies the operations that members can perform on their own virtual machines (these can include creating virtual machines) and the templates and ISO image files that they can use to create virtual machines. The user role also can place a quota on the virtual machines that a user can deploy at any one time. Self-service users’ virtual machines are deployed transparently on the most suitable host in the host group that is assigned to the user role.
VMM does not support the creation of custom user profiles.
Users can be a member of more than one user role, in which case VMM grants them the rights associated with all their roles.
The following illustration shows a simple schema for delegating administration within a virtualized environment that supports virtual machine self-service.
Illustration: Sample topology for delegated administration
Members of the Administrator role can perform all VMM actions on all hosts, library servers, and virtual machines that are managed by the VMM server. The actions and scope cannot be changed.
To add members to the Administrator role, expand the User Roles node in Administration view of the VMM Administrator Console, right-click Administrator in the list, and then click Properties.
The following table summarizes the features of the Administrator role.
| Feature | Administrator role |
|---|---|
| Profile | All VMM operations |
| Scope | All objects managed by the VMM server |
| Client access | VMM Administrator Console: Yes<br>Windows PowerShell – VMM command shell: Yes<br>VMM Self-Service Portal: No |
Delegated Administrator Roles
A delegated administrator role assigns broad administrator rights within a scope that is defined by host groups and library servers assigned to the role. The efficiency with which you delegate administration in VMM depends on careful planning of the host groups and library servers within your virtualized environment. For information about creating Delegated Administrator roles, see How to Create a Delegated Administrator User Role (http://go.microsoft.com/fwlink/?LinkId=162941).
The following table describes the features of delegated administrator roles.
| Feature | Delegated administrator roles |
|---|---|
| Profile | The Delegated Administrator profile allows the following operations on objects within the scope of the user role. These operations cannot be changed. |
| Scope | Host groups—Administrator rights on all objects within host groups, hosts, and virtual networks contained in the assigned host groups. This includes virtual hard disks, virtual network adapters, SCSI adapters, and so forth configured on virtual machines on the hosts.<br>Library servers—Virtual hard disks, virtual floppy disks, ISO image files, Windows PowerShell scripts, SysPrep answer files, and VMware templates stored on all library shares on the library servers. |
| Client access | VMM Administrator Console: Yes<br>Windows PowerShell – VMM command shell: Yes<br>VMM Self-Service Portal: No |
Self-Service User Roles
Self-service user roles allow users to manage their own virtual machines—that is, virtual machines for which they are the specified owner—within a restricted environment. Self-service users view, operate, and manage their virtual machines by using the VMM Self-Service Web Portal. The portal provides a simplified view of only the virtual machines that the self-service user owns and the operations that are allowed on each virtual machine. In VMM 2008, self-service users can perform the same operations on the objects within the scope of their user role in the Windows PowerShell – VMM command shell.
A self-service user role defines the operations that the users can perform on their own virtual machines, the templates that they can use to create virtual machines, the host groups in which their virtual machines are deployed, and the library path where the ISO images that they use are stored.
If you have been using virtual machine self-service in VMM 2007, you can automatically convert your existing self-service policies to user roles, retaining the host group structure under which they are administered, when you upgrade to VMM 2008. Many self-service features are implemented slightly differently in user roles than in self-service policies. For a detailed comparison, see Comparison of Self-Service User Roles with Self-Service Policies.
While managing a Hyper-V host, VMM uses the permissions in the self-service user profiles instead of the role-based access controls that are configured in Hyper-V to authorize operations on virtual machines. For more information, see Hardening Virtual Machine Hosts Managed by VMM.
The following table describes the features of self-service user roles. For information about creating self-service user roles, see How to Create a Self-Service User Role (http://go.microsoft.com/fwlink/?LinkId=162946).
| Feature | Self-service user roles |
|---|---|
| Profile | A self-service user role can grant members permission to perform any or all of the following operations on the virtual machines that they own: |
| Scope | Host groups—Self-service users’ virtual machines are deployed automatically on the most suitable host in the assigned host groups based on the virtual machine’s requirements and the organization’s placement preferences. This is transparent to the user, who does not know where the virtual machine is deployed.<br>Library path—The library path assigned to a self-service user role serves the following purposes:<br>Self-service users have Read access to the virtual hard disks and ISO image files used during virtual machine creation, but they are not aware of the location of the files. |
| Client access | VMM Administrator Console: No<br>Windows PowerShell – VMM command shell: Yes (within the scope of the self-service user role)<br>VMM Self-Service Portal: Yes |
Access to Virtual Machine Resources
To create virtual machines, self-service users use templates that the VMM administrator assigns to the role. To make ISO images available to self-service users during virtual machine creation, the image files must be stored on the library path that is specified in the user role.
Self-service users can use these resources only through the Self-Service Portal. They have no other access to the files unless the administrator grants permissions through the file system.
As an added security measure, self-service users are not aware of which hosts their virtual machines are deployed on, the location of their virtual machine configuration files, the library path that stores the ISO images that they use, and their stored virtual machines.
Placing a Quota on Users’ Virtual Machines
To limit the volume of virtual machines that members of a self-service user role can deploy at any one time, you can configure a quota for a self-service user role.
A virtual machine quota is simply a value that can be assigned to a self-service user role to limit the volume of virtual machines that role members can deploy at any given time. The quota can apply to all virtual machines deployed by all role members, or it can apply individually to the virtual machines deployed by each role member.
Because virtual machines can vary greatly in the resources that they consume on a host, rather than allocate one quota point for each virtual machine, VMM allows the administrator to assign a specific number of quota points to each virtual machine template based on its requirements. The points apply against the quota while any virtual machine based on the template is deployed—regardless of whether it is running—but not while the virtual machine is stored in the library.
Ownership of Virtual Machines
In virtual machine self-service, a virtual machine has an owner (by default, the user who created the virtual machine) and a self-service user role (by default, the self-service user role under which the virtual machine was created).
The virtual machine’s owner is the only person who can see and perform operations on a virtual machine in the VMM Self-Service Portal.
A self-service user can change the owner of his own virtual machine to any other member of the self-service user role.
If the owner is a member of more than one self-service user role, the user can change the virtual machine owner to any member of his other roles if the following requirements are met:
- The current owner must belong to the self-service user role that is being assigned.
- The virtual machine must be within the scope (host or library path) of that user role.
Sharing Virtual Machines
To enable users to share virtual machines, use a security group to add the users to a self-service user role, and then specify the group as the owner of the virtual machines you want group members to share. When a group member creates a virtual machine, the default owner is the person’s user account. However, the user can reassign ownership to the group. If the virtual machine quota is being applied to individual users, quota points assigned to a group-owned virtual machine apply to the individual quotas of all members of the group.
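The quota accounting described under "Placing a Quota on Users’ Virtual Machines" and the group-ownership rule in the paragraph above, as an added Python model (example code written for this page, not VMM code; the template point values, accounts, group membership and virtual machine names are constructed): a deployed virtual machine charges its template's points whether it is running or stopped, a virtual machine stored in the library charges nothing, the quota is counted either for the whole role or per member, and a group-owned virtual machine counts against the individual quota of every member of the group.

```python
"""Constructed model of VMM 2008 self-service quota points (not VMM code).

Each template carries a number of quota points. A VM charges those points while it
is deployed on a host, running or not, and charges nothing while it is stored in the
library. The quota is either shared by the whole role or applied to each member; a
group-owned VM counts against the individual quota of every group member.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    template: str
    owner: str      # user account or security group
    state: str      # "Running" or "Stopped" (deployed on a host), or "Stored" (in the library)


# Constructed template point values and security group membership.
TEMPLATE_POINTS = {"SmallWeb": 1, "LargeSql": 4}
GROUP_MEMBERS = {"CONTOSO\\LabUsers": {"CONTOSO\\alice", "CONTOSO\\bob"}}


def points_for(vm):
    """Deployed VMs charge their template's points whether or not they are running."""
    return 0 if vm.state == "Stored" else TEMPLATE_POINTS[vm.template]


def charged_to_user(user, vms):
    """Per-member accounting: VMs the user owns plus VMs owned by any of the user's groups."""
    return sum(points_for(vm) for vm in vms
               if vm.owner == user or user in GROUP_MEMBERS.get(vm.owner, set()))


def charged_to_role(vms):
    """Role-wide accounting: every VM deployed by any member of the role."""
    return sum(points_for(vm) for vm in vms)


def can_deploy(user, template, vms, quota, per_member):
    """Return True if deploying one more VM from `template` stays within the quota."""
    used = charged_to_user(user, vms) if per_member else charged_to_role(vms)
    return used + TEMPLATE_POINTS[template] <= quota


# Constructed VMs deployed under one self-service role.
VMS = [
    VM("web01", "SmallWeb", "CONTOSO\\alice", "Running"),
    VM("web02", "SmallWeb", "CONTOSO\\alice", "Stopped"),        # still charged: deployed, not stored
    VM("sql01", "LargeSql", "CONTOSO\\bob", "Running"),
    VM("arch01", "LargeSql", "CONTOSO\\bob", "Stored"),          # in the library: no charge
    VM("shared01", "SmallWeb", "CONTOSO\\LabUsers", "Running"),  # group-owned: charged to alice and bob
]

if __name__ == "__main__":
    print("alice:", charged_to_user("CONTOSO\\alice", VMS))   # 3
    print("bob:", charged_to_user("CONTOSO\\bob", VMS))       # 5
    print("role:", charged_to_role(VMS))                      # 7
```

With a per-member quota of 8 points, alice (3 points in use) can deploy a LargeSql VM but bob (5 points, including the group-owned VM) cannot; with the same 8 points applied to the whole role, the 7 points already in use leave room for one more SmallWeb VM only. Note that stopped web02 still counts, while arch01 in the library does not.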
Administering Virtual Machine Self-Service
To gain access to the VMM Self-Service Portal, a VMM administrator must be a member of a self-service user role. VMM administrators can, of course, perform all operations on virtual machines within the scope of their role in the VMM Administrator Console and in Windows PowerShell – VMM.