about_VMM_2012_Role_Based_Security
Applies To: System Center 2012 R2 Virtual Machine Manager
about_VMM_2012_Role_Based_Security
TOPIC
about_VMM_2012_Role_Based_Security
SHORT DESCRIPTION
Provides an overview of role-based security in Virtual Machine Manager
(VMM) for System Center 2012 and the VMM command-line interface.
LONG DESCRIPTION
VMM for System Center 2012 adds private cloud management capabilities to
Delegated Administrator user roles, introduces Read-only Administrator
user roles, and enhances the capabilities granted to Self-Service User
user roles. The following summarizes new and existing capabilities of each
user role in VMM for System Center 2012.
- Administrator. Members of the Administrator user role can perform all
administrative actions on all objects that VMM for System Center 2012
manages.
- Delegated Administrator. Members of Delegated Administrator user roles
can perform all administrative tasks of a full administrator within their
assigned host groups, private clouds, and library servers. VMM for System
Center 2012 grants the following new capabilities to delegated
administrators:
- Create Self-Service User roles for their assigned private clouds.
- Configure update baselines, and scan and remediate updates on host
groups and library servers that are within the scope of their user
role.
- Provision Hyper-V hosts from bare-metal computers.
- Configure storage resources within their assigned host groups by
discovering and importing storage information from storage arrays and
pools, classifying storage, and allocating LUNs and storage pools to
host groups.
- Provision network resources by configuring logical networks, IP address
pools, MAC pools, load balancers, and virtual (VIP) templates.
Delegated administrators can also provision virtual networks, and
virtual and physical network adapters within their assigned host
groups. For more information about virtual networking, see
about_VMM_2012_VirtualNetworking.
- Read-Only Administrator. Members of the new Read-Only Administrators user
role can view status, job status, and properties of objects within their
assigned host groups, private clouds, and library servers. However, Read-
Only Administrators cannot perform actions on these objects. The user
role specifies the templates, profiles, and Run As accounts that the
Read-only administrator can view. Read-only administrators can see the
account names associated with assigned Run As accounts, but do not have
access to the passwords.
- Self-Service User. Members of Self-Service User roles create, deploy, and
manage their own virtual machines and services by using the VMM console
or a Web portal. The user role specifies the private clouds to which
their virtual machines and services are deployed and the actions that the
users can take; grants access to logical and physical resources in the
library and on their own user data paths; sets quotas on virtual machines
and computing resources; and specifies whether PRO tips can be viewed and
implemented. VMM for System Center 2012 grants the following new
capabilities to self-service users, such as deploying virtual machines to
clouds and the ability to share the resources they own with other self-
service users. For more information about the capabilities of self-
service users, see "Configuring Self-Service in VMM" in the TechNet
Library at https://go.microsoft.com/fwlink/?LinkID=212405.
Creating and Managing User Roles
You can create a new user role through the VMM command shell by using
the New-SCUserRole cmdlet. To update user roles, use the Set-SCUserRole
cmdlet.
In VMM for System Center 2012, you can use the Get-SCUserRoleMembership
cmdlet to get information about the user roles for a specified user.
SEE ALSO
about_VMM_2012
about_VMM_2012_Cmdlet_and_Parameter_Name_Mapping
about_VMM_2012_Cmdlet_Backward_Compatibility
about_VMM_2012_Run_As_Accounts
New-SCUserRole
Set-SCUserRole
Get-SCUserRoleMembership