Microsoft’s Hyper-V on its own does not provide policy- or role-based administrative control over specific virtual machines on a virtual host (or hosts), and this was equally true of Windows 2008 Hyper-V alone. In effect, if the administrator of a specific virtual machine was not also an administrator of that machine’s virtual host, he or she could not, for example, power up an accidentally shut-down machine, add an ISO to the virtual DVD drive, or access the VM’s Windows PowerShell command shell.
Adding System Center Virtual Machine Manager (VMM) 2007 to Hyper-V allowed only limited self-service policies; the release of VMM 2008 (and the further improved VMM 2008 R2) introduced role-based security, giving finer control over who can do what within the virtualized environment. This security model supports delegated administration, which was not available in VMM 2007, and self-service user roles replace the self-service policies that VMM 2007 used to administer virtual machine self-service.
A user role defines a set of operations (grouped in a profile) that can be performed on a selected set of objects (defined by the user role’s scope). Within that framework, an organization can create delegated administrator roles that allow, for example, a high-level administrator to manage all operations in an Indianapolis office, a specialized administrator to manage all library servers, or an advanced user to set up complex virtual environments within a single lab. An organization also can create self-service user roles that allow users to execute a specified set of operations on their own virtual machines.
A user role consists of the following key parts:
· A profile defines the set of available operations that a role member can perform.
· The scope defines the set of objects that the operations can target.
· The membership list specifies the Active Directory user accounts and security groups that are assigned to the role.
According to Microsoft’s TechNet site, the following user role types, based on profiles of the same name, are defined for VMM:
· Administrator role—Members of the Administrator role can perform all VMM actions on all objects that are managed by the VMM server. Only one role can be associated with this profile. At least one administrator should be a member of the role.
· Delegated Administrator role—Members of a role based on the Delegated Administrator profile have full VMM administrator rights, with a few exceptions, on all objects in the scope defined by the host groups and library that are assigned to the role. A delegated administrator cannot modify VMM settings or add or remove members of the Administrator role.
· Self-Service User role—Members of a role based on the Self-Service User profile can manage their own virtual machines within a restricted environment. Self-service users use the VMM Self-Service Web Portal to manage their virtual machines. The portal provides a simplified view of only the virtual machines that the user owns and the operations that the user is allowed to perform on them. A self-service user role specifies the operations that members can perform on their own virtual machines (these can include creating virtual machines) and the templates and ISO image files that they can use to create virtual machines. The user role also can place a quota on the virtual machines that a user can deploy at any one time. Self-service users’ virtual machines are deployed transparently on the most suitable host in the host group that is assigned to the user role.
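The three parts of a user role (profile, scope, membership) and the three profiles described above combine into a single authorization decision: does any role the user holds grant this operation on this object? The following Python model, added here as an illustration and not VMM’s own code, works through that decision for constructed roles, host groups, accounts and virtual machines (all names are hypothetical). It encodes the rules stated above: an Administrator may do anything; a Delegated Administrator may do anything within the host groups in the role’s scope except modify VMM settings or Administrator-role membership; a Self-Service User may perform only the role’s permitted operations on VMs they own, within the role’s host group, and only up to the role’s quota when creating VMs.

```python
"""Model of the VMM 2008 user-role authorization decision.

Illustrative code written for this article; it is not VMM's own implementation.
All role, group, account and VM names are constructed for the example."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Profile(Enum):
    ADMINISTRATOR = "Administrator"
    DELEGATED_ADMIN = "Delegated Administrator"
    SELF_SERVICE = "Self-Service User"


# Operations reserved for the Administrator role: a delegated administrator
# cannot modify VMM settings or add/remove members of the Administrator role.
ADMIN_ONLY_OPS = {"modify_vmm_settings", "modify_administrator_membership"}


@dataclass(frozen=True)
class VM:
    name: str
    host_group: str   # host group of the host the VM runs on (or will be placed in)
    owner: str        # owning account; only matters for self-service users


@dataclass
class UserRole:
    name: str
    profile: Profile
    members: Set[str]                                     # AD accounts and groups
    host_groups: Set[str] = field(default_factory=set)    # scope: host groups
    permitted_ops: Set[str] = field(default_factory=set)  # self-service only
    quota: Optional[int] = None                           # self-service only


def is_member(role: UserRole, user: str, groups: Set[str]) -> bool:
    """Membership is by direct account or by any of the user's AD groups."""
    return user in role.members or bool(groups & role.members)


def authorize(user: str, groups: Set[str], op: str, vm: VM,
              roles: List[UserRole], deployed: Dict[str, int]) -> Tuple[bool, str]:
    """Return (allowed, reason). Access is granted if any held role grants it.

    `deployed` maps a self-service user to the number of VMs currently deployed,
    used to enforce the role's quota on create_vm."""
    for role in roles:
        if not is_member(role, user, groups):
            continue
        if role.profile is Profile.ADMINISTRATOR:
            return True, f"{role.name}: all operations on all objects"
        if role.profile is Profile.DELEGATED_ADMIN:
            if op in ADMIN_ONLY_OPS:
                continue  # reserved for the Administrator role
            if vm.host_group in role.host_groups:
                return True, f"{role.name}: scope includes host group {vm.host_group}"
            continue  # object lies outside this role's scope
        if role.profile is Profile.SELF_SERVICE:
            if vm.owner != user:
                continue  # self-service users only manage their own VMs
            if op not in role.permitted_ops:
                continue  # operation not granted by this role
            if vm.host_group not in role.host_groups:
                continue  # VM not in the host group assigned to the role
            if op == "create_vm" and role.quota is not None \
                    and deployed.get(user, 0) >= role.quota:
                continue  # quota of concurrently deployed VMs reached
            return True, f"{role.name}: owner may {op}"
    return False, "no role grants this operation on this object"


# Constructed sample data (hypothetical names).
ROLES = [
    UserRole("Administrator", Profile.ADMINISTRATOR, {r"CORP\alice"}),
    UserRole("Indianapolis Admins", Profile.DELEGATED_ADMIN, {r"CORP\IndyAdmins"},
             host_groups={"Indianapolis"}),
    UserRole("Lab Users", Profile.SELF_SERVICE, {r"CORP\bob"}, host_groups={"Lab"},
             permitted_ops={"start", "stop", "attach_iso", "create_vm"}, quota=2),
]
VMS = {
    "indy-web01": VM("indy-web01", "Indianapolis", r"CORP\ops"),
    "lab-bob01": VM("lab-bob01", "Lab", r"CORP\bob"),
    "lab-bob02": VM("lab-bob02", "Lab", r"CORP\bob"),   # requested, not yet deployed
    "lab-carol01": VM("lab-carol01", "Lab", r"CORP\carol"),
}
DEPLOYED = {r"CORP\bob": 1}  # bob currently has one VM deployed


def check(user: str, groups: List[str], op: str, vm_name: str,
          deployed: Dict[str, int] = DEPLOYED) -> Tuple[bool, str]:
    """Convenience wrapper over authorize() for the sample data."""
    return authorize(user, set(groups), op, VMS[vm_name], ROLES, deployed)


if __name__ == "__main__":
    for args in [(r"CORP\alice", [], "modify_vmm_settings", "indy-web01"),
                 (r"CORP\dave", [r"CORP\IndyAdmins"], "stop", "indy-web01"),
                 (r"CORP\dave", [r"CORP\IndyAdmins"], "stop", "lab-bob01"),
                 (r"CORP\bob", [], "start", "lab-carol01"),
                 (r"CORP\bob", [], "create_vm", "lab-bob02")]:
        allowed, why = check(*args)
        print(f"{args[0]} {args[2]} {args[3]}: {'ALLOW' if allowed else 'DENY'} ({why})")
```

Two design points worth noting. The decision is a union over roles, so adding a user to a second role can only widen access; reviewing membership lists (including nested AD groups) is therefore the first thing to check when a delegated administrator or self-service user can do more than intended. And the quota is evaluated at creation time against VMs currently deployed, which is exactly the quantity the text says the role limits.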
If you already have role-based administration set up in VMM 2008 and upgrade to VMM 2008 R2, VMM 2008 R2 preserves changes that you make to role definitions or role memberships in the root scope of the Hyper-V authorization store; changes to any other scope are overwritten every half hour by the VMM user role refresher. This differs from user role processing in VMM 2008, which determines access to virtual machines, hosts, and resources based only on the rights and permissions associated with VMM user roles: VMM 2008 makes no changes to Hyper-V role definitions and role memberships, and simply ignores the Hyper-V authorization store while the hosts and virtual machines are under its management.
For additional information and examples, refer to Role Based Security in VMM.