Using Virtual Machine Manager 2008 for Provisioning
Understanding Roles-Based Access and Delegation to Provision Virtual Machines
Managing User Roles
Deploying Virtual Machines
Migrating a VM
This chapter covers the administrative provisioning and
the delegated provisioning capabilities of Virtual Machine
Manager (VMM) for the creation of guest images. This
includes building new images from a template and building
images from other image files.
Understanding Roles-Based Access and Delegation to Provision Virtual Machines
System Center Virtual Machine Manager 2008 provides a
granular roles-based access control (RBAC) model for
managing administrative permissions. Each user role has an
administrative profile that determines which actions the
user can perform. User roles are scoped to determine which
VM objects the user can manage.
There are three user roles in VMM 2008: the Administrator
role, the Delegated Administrator role, and the Self-Service
User role.
Administrator Role in VMM 2008
Users in the Administrator role have full rights to the VMM
infrastructure and can perform all actions in the VMM
Administrator console. Administrators can create new
Delegated Administrator and Self-Service User roles. Only
members of this role can add additional members to the
Administrator role.
The Administrator role is created when VMM is installed for the first time in the domain.
The user who installs VMM is automatically added to the Administrator user role during
installation. There is only one Administrator user role in each domain.
NOTE
Because the Administrator role encompasses the entire VMM infrastructure, this role
cannot be scoped.
Delegated Administrator Within VMM 2008
Users who are members of the Delegated Administrator role can perform all actions in the
VMM Administrator console that apply, or are scoped, to them. The scope of objects is
defined during the creation of the role.
The Delegated Administrator user role does not exist by default. There can be zero or more
Delegated Administrator roles in each domain. Delegated Administrator roles are created
by users who are members of the Administrator user role.
Members of this user role can create new Delegated Administrator and Self-Service User
roles, but only within the scope of objects that applies to them.
Self-Service User as a Role in VMM 2008
Members of the Self-Service User role can use the VMM self-service portal to perform
actions on their VMs. This role is scoped by a member of the Administrator or Delegated
Administrator role to pertain to a specific set of VM objects.
Members of this role cannot manage their role or any other role in VMM. They also
cannot create new user roles.
NOTE
Members of the Administrator or Delegated Administrator roles cannot access the
self-service portal unless they are members of one or more Self-Service User roles.
Managing User Roles
User roles are managed by users in the Administrator or Delegated Administrator role
using the VMM Administrator console. User roles are granted access to manage objects in a
defined scope.
Managing the Administrator User Role
The administrator role can be used to manage user roles. To manage the user roles, do the
following:
1. Open the VMM Administrator console using the shortcut on the Windows desktop
or via the Start menu under Microsoft System Center, VMM 2008, VMM
Administrator console.
A Connect to Server window may open, prompting for the VMM server to connect
to. Enter the server name and connection port (the default is port 8100) using the
format VMMserver:port.
NOTE
You may choose to always open a connection to this server by selecting the Make This
Server My Default check box. Doing so prevents this connection window from
displaying when the Administrator console is run.
2. Go to the Administration view by clicking the Administration button. Then select
User Roles from the view area.
3. Select the Administrator user role in the Results pane. The current members of the
Administrator user role are displayed in the Results pane below.
4. Click Properties in the Actions pane to display the properties of the role.
5. The General tab displays the description for the Administrators role. Modify it if
desired.
6. Click the Members tab. The current members are listed, as shown in Figure 11.1.
FIGURE 11.1 Managing members of the Administrator user role
7. To remove members from the Administrator user role, select the user to remove and
click the Remove button.
NOTE
There must be at least one member in the Administrator user role at all times. VMM
will not allow you to remove all members of the Administrator user role.
8. To add members to the Administrator user role, click the Add button and enter the
name or names of the users or security groups to add. Click the Check Names button
to resolve the users or groups. Members must be users or security groups in the
Active Directory where the VMM server is a member or in a domain where a full
two-way trust exists.
9. Click OK to close the Administrator Properties window.
Creating a Delegated Administrator User Role
The delegated administrator role can be used to manage user roles. To manage the user
roles, do the following:
1. Open the VMM Administrator console using the shortcut on the Windows desktop
or via the Start menu under Microsoft System Center, VMM 2008, VMM
Administrator console.
A Connect to Server window may open, prompting for the VMM server to connect
to. Enter the server name and connection port (the default is port 8100) using the
format VMMserver:port.
NOTE
You may choose to always open a connection to this server by selecting the Make This
Server My Default check box. Doing so prevents this connection window from
displaying when the Administrator console is run.
2. Go to the Administration view by clicking the Administration button. Then select
User Roles from the view area.
3. Click New User Role in the Actions pane.
4. On the General page, enter the following information:
a. User Role Name: Type a name for the Delegated Administrator role.
b. Description: Type a useful description for the Delegated Administrator role.
c. Profile: Select Delegated Administrator from the Profile drop-down list. Click
Next to continue.
5. On the Add Members page, click Add to add new members to the role. Enter the
name or names of the users or security groups to add. Click the Check Names button
to resolve the users or groups.
Members must be users or security groups in the Active Directory where the VMM
server is a member or in a domain where a full two-way trust exists.
NOTE
The administrator may choose to not populate the members of the Delegated
Administrator user role at this time. Members may be populated after the role is created.
Click Next to continue.
6. On the Object Scope page, select the objects that members of this group can monitor.
The delegated administrator will not be able to view or monitor objects from the
Administrator console that are not selected in this page. Click Next to continue (see
Figure 11.2).
7. On the Summary page, carefully review the settings and click Create to proceed with
the creation of the Delegated Administrator role or click Previous to go back and
change the configuration.
FIGURE 11.2 Scoping the objects for the Delegated Administrator user role
The Create User Role Wizard offers a View Script button. This option allows the
administrator to view, modify, and save the PowerShell commands that the wizard will execute to
create the Delegated Administrator role, as shown in the following example:
# Member to add to the new role
$AddMember = "companyabc\amy"
# Objects that define the role's scope: one host group and one library server
$hostGroup1 = Get-VMHostGroup -VMMServer vmm2008 | where {$_.Path -eq "All Hosts\Domain Hosts\SF Core Hosts"}
$libServer2 = Get-LibraryServer -VMMServer vmm2008 | where {$_.Name -eq "VMM2008.companyabc.com"}
$AddScope = $hostGroup1, $libServer2
# Queue the member and scope settings under a job group, then create the role with the same job group
Set-VMMUserRole -AddMember $AddMember -AddScope $AddScope -VMMServer vmm2008 -JobGroup 06fb48f5-96c7-4133-acc4-cbf58f5fb2e4
New-VMMUserRole -Name "SF Core Server Delegated Administrators" -Description "" -UserRoleProfile DelegatedAdmin -JobGroup 06fb48f5-96c7-4133-acc4-cbf58f5fb2e4
This code can be saved and edited to facilitate creating other Delegated Administrator
groups from the VMM command shell.
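One edited form of the wizard's script, written here as an added example (it is not from the book or from Microsoft): a reusable function that refuses to create the role unless every requested scope object resolves. The function name New-ScopedDelegatedAdminRole and its parameters are hypothetical; the VMM cmdlets and the job-group pattern are the ones in the script above, and it assumes the VMM command shell.

```powershell
# Added example: run from the VMM command shell (VMM cmdlets already loaded).
# New-ScopedDelegatedAdminRole is a hypothetical helper name, not a VMM cmdlet.
function New-ScopedDelegatedAdminRole {
    param(
        [string]   $VMMServer,
        [string]   $RoleName,
        [string]   $Description = "",
        [string[]] $Members,                 # DOMAIN\user or DOMAIN\group
        [string[]] $HostGroupPaths = @(),    # e.g. "All Hosts\Domain Hosts\SF Core Hosts"
        [string[]] $LibraryServerNames = @()
    )

    $scope = @()

    # Resolve each host group by its full path; stop unless exactly one object matches.
    foreach ($path in $HostGroupPaths) {
        $hg = @(Get-VMHostGroup -VMMServer $VMMServer | where { $_.Path -eq $path })
        if ($hg.Count -ne 1) { throw "Host group '$path' resolved to $($hg.Count) objects" }
        $scope += $hg[0]
    }

    # Resolve each library server by name with the same exactly-one rule.
    foreach ($name in $LibraryServerNames) {
        $ls = @(Get-LibraryServer -VMMServer $VMMServer | where { $_.Name -eq $name })
        if ($ls.Count -ne 1) { throw "Library server '$name' resolved to $($ls.Count) objects" }
        $scope += $ls[0]
    }

    if ($scope.Count -eq 0) { throw "Refusing to create '$RoleName' with an empty scope" }

    # A new job group per role keeps the queued settings tied to this role only.
    $jobGroup = [System.Guid]::NewGuid().ToString()

    Set-VMMUserRole -AddMember $Members -AddScope $scope -VMMServer $VMMServer -JobGroup $jobGroup
    New-VMMUserRole -Name $RoleName -Description $Description `
        -UserRoleProfile DelegatedAdmin -JobGroup $jobGroup
}

# Same role as the wizard script above, using the values shown on this page.
New-ScopedDelegatedAdminRole -VMMServer "vmm2008" `
    -RoleName "SF Core Server Delegated Administrators" `
    -Members "companyabc\amy" `
    -HostGroupPaths "All Hosts\Domain Hosts\SF Core Hosts" `
    -LibraryServerNames "VMM2008.companyabc.com"
```

Stopping when a host group path or library server name does not resolve keeps a typo from producing a role whose scope differs from the one intended.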
Creating a Self-Service User Role
The Self-Service User role grants users permissions to operate, create, manage, store, create
checkpoints for, and connect to virtual machines (VMs) in their scope using the VMM
self-service portal.
1. Open the VMM Administrator console using the shortcut on the Windows desktop
or via the Start menu under Microsoft System Center, VMM 2008, VMM
Administrator console.
A Connect to Server window may open, prompting for the VMM server to connect
to. Enter the server name and connection port (the default is port 8100) using the
format VMMserver:port.
NOTE
You may choose to always open a connection to this server by selecting the Make This
Server My Default check box. Doing so prevents this connection window from displaying
when the Administrator console is run.
2. Go to the Administration view by clicking the Administration button. Then select
User Roles from the view area.
3. Click New User Role in the Actions pane.
4. On the General page, enter the following information:
a. User Role Name: Type a name for the Delegated Administrator role.
b. Description: Type a useful description for the Delegated Administrator role.
c. Profile: Select Self-Service User from the Profile drop-down list, as shown in
Figure 11.3. Click Next to continue.
FIGURE 11.3 Creating the Self-Service User role
5. On the Add Members page, click Add to add new members to the Self-Service User
role. Enter the name or names of the users or security groups to add. Click the
Check Names button to resolve the users or groups.
Members must be users or security groups in the Active Directory where the VMM
server is a member or in a domain where a full two-way trust exists.
Click Next to continue.
NOTE
The administrator may choose to not populate the members of the Delegated
Administrator user role at this time. Members may be populated after the role is
created.
6. On the Object Scope page, select the objects that members of this Self-Service User
role can monitor. Click Next to continue.
7. On the Virtual Machine Tasks page, configure one of the following:
a. Select All Tasks to permit this Self-Service User role to perform all VMM tasks,
as shown in Figure 11.4.
b. Select Only Tasks Explicitly Checked in the "Approved Tasks" Grid. Table 11.1
lists all the tasks available for the Self-Service User to run.
TABLE 11.1 Self-Service User Virtual Machine Tasks
Task                 Description
Start                Allows the user to start processing of a VM.
Stop                 Allows the user to stop processing of a VM.
Pause & Resume       Allows the user to pause processing of a VM and resume processing after the VM has been paused.
Checkpoint           Allows the user to manage checkpoints on a VM.
Remove               Allows the user to delete and discontinue management of a VM from VMM.
Local Administrator  Grants the user local administrator permission on VMs they create.
Remote Control       Allows the user to connect to and control a VM remotely. This is also known as Virtual Machine Remote Control (VMRC) access.
8. The VM Creation Settings page provides the option to allow users to create their own
VMs. If this right will not be granted, click Next; otherwise, configure the following:
FIGURE 11.4 Configuring the tasks the Self-Service User role can run
a. Check the Allow Users to Create New Virtual Machines check box to allow
self-service users to do so.
b. In the Templates pane, click Add to add a new template that the self-service
user can deploy.
NOTE
To search for a template, type the complete filename or the first few letters of the
template name in the Look For box. In the Library group list, select the library group where
the VM files are stored. To filter the files by group, click a group type in the Group By
list.
c. Optionally, the administrator can set a quota for deploying VMs. Quotas are
used to limit the number of VMs the users can deploy at one time.
9. On the Library Settings page, the administrator can grant members of this
self-service user group access to a library share to store their own VMs. To configure this
setting:
a. Check the Allow Users to Store Virtual Machines in a Library check box.
b. Select the VMM Library server to allow users to access. If a large number of
library servers are listed, the administrator can type the first few characters of
the library server name in the Look For box to limit the results.
NOTE
Stored VMs do not count against the VM quota that may have been set when allowing
self-service users to create a VM.
c. To specify the Library Path, click Browse and select the share path to allow
access to the self-service user.
NOTE
The library path entered can exist at any point under the MSSCVMMLibrary share. For
example, if the Library Path is specified as \\VMM2008.companyabc.com\MSSCVMMLibrary\VHDs,
the self-service user can access that folder and any subfolders, but cannot access the
higher-level \\VMM2008.companyabc.com\MSSCVMMLibrary folder itself.
d. Click Next to continue.