For many environments, the Virtual Machine Manager 2008 R2’s self-service portal is very useful.  It provides day-to-day users of your virtualization farm the ability to access their virtual machines and do key actions like start, stop, create checkpoint, and many other tasks.  They can do this only when presented the appropriate rights (via user role, ironically, called Self-Service User).

So you’ve decided to dive in feet first and build out your infrastructure and give your end-users the ability to create new Virtual Machines.  You’ve done your homework and determined that in order to create virtual machines the end-user must be a member of a role that has access to a virtual machine template.  A template, which comprises together a hardware profile & os configuration profile, makes up the virtual “hardware” and Windows configuration.  You’ve done this…

Houston:  We certainly have a problem… User alert – angry, not working

We’ve all had that person, that teammate, who you’ve sent an email notification too that they are all set.  You’ve created the template, added it to a role, and then added their user account to that role.  In fact, you’ve even gone one step further and created the VM for them and assigned them as owner.  You quickly received a message from the end-user saying “I can’t see the VM you created for me in the self-service portal…”

You’ve checked your dots and crosses (ya know, for your i’s and t’s) but it doesn’t matter.  They still swear that when they access the portal they do not see this template you just created for them.

Beat’s me…

Host Group Permissions:  Don’t forget them…

For a lot of environments, you might make use of a flat hierarchy for the Host Groups.  However, as the years progress and your virtualization investment grows you will quickly learn that organizing is your friend.  In VMM, this is done through the Host Groups view in the Virtual Machine Manager. 

image

This will make it nice for you to manage your view of your empire, um, I mean virtualization hosts.

When you start breaking it out into folders, with hosts existing in various different folders, you’ve now created a security boundary by which you can easily provide rights too.  For example, why do India-based employees need access to templates created for Redmond-based physical hosts.  The same goes for Vice Versa.

When you are providing permissions for a “role” that is based on self-service rights, you need to pay close attention to the following:

image In the above example, let’s walk through the experience that can break you…

Step-by-Step Use of Self-Service Portal with Host Groups

For this, I’m going to walk you through the typical scenario that breaks your self-service experience until you correct it.

  1. Open Virtual Machine Manager
  2. Click Libraryimage
  3. Verify that you have an existing template to use, or, click New Template
  4. Now click Administration
  5. Click User Roles
  6. Select the user role by double-clicking on the role nameimage
  7. Click Scope
  8. Uncheck access to one of your physical host groups, in my case Redmondimage image
  9. Now, open up the self-service portal and login
  10. You will see absolutely no virtual machines – arghh!

image

Owner Rights

The above problem was created by my user account having complete self-service rights and full ownership of virtual machines but no rights to “Scope” that these templates were applicable too.  This is by design.

image As you can see above, I removed my self-service user role from having access to Redmond physical hosts.  In order to correct this problem, I open the User role again and grant this role permissions -

image If I now check the self-service portal again, I will now have a template that is shown because I have access to physical hosts that match the template:

image

Summary

You might be asking yourself, well, isn’t this obvious.  Yes, it is now that we know it.  It is just a little “gotcha” that got me recently where I knew for a fact that the user role was configured properly but the end-user could not see their machines.  It was very frustrating.  You now know the importance of “Scope” when you are creating your user roles.  Keep ‘sain my friends…I sure didn’t!

Thanks,

-Chris

Digg This