VDI Security - Role Based Delegation

System Center Virtual Machine Manager (VMM) 2008 implements role-based security to provide finer control over who can do what within the virtualized environment. This new security model supports delegated administration, which was not available in VMM 2007. Self-service user roles replace the self-service policies that were used to administer virtual machine self-service in VMM 2007.

A user role defines a set of operations (grouped in a profile) that can be performed on a selected set of objects (defined by the user role’s scope). Within that framework, an organization can create delegated administrator roles that allow, for example, a high-level administrator to manage all operations in a New York office, a specialized administrator to manage all library servers, or an advanced user to set up complex virtual environments within a single lab. An organization also can create self-service user roles that allow users to perform a specified set of operations on their own virtual machines.

A user role consists of the following parts:

  • The profile defines the set of operations that a member of the role can perform.
  • The scope defines the set of objects that those operations can target.
  • The membership list specifies the Active Directory user accounts and security groups that are assigned to the role.

Role Types in VMM

The following user role types, based on profiles of the same name, are defined for VMM:

  • Administrator role—Members of the Administrator role can perform all VMM actions on all objects that are managed by the VMM server. Only one role can be associated with this profile. At least one administrator should be a member of the role.
  • Delegated Administrator role—Members of a role based on the Delegated Administrator profile have full VMM administrator rights, with a few exceptions, on all objects in the scope defined by the host groups and library that are assigned to the role. A delegated administrator cannot modify VMM settings or add or remove members of the Administrator role.
  • Self-Service User role—Members of a role based on the Self-Service User profile can manage their own virtual machines within a restricted environment. Self-service users use the VMM Self-Service Web Portal to manage their virtual machines. The portal provides a simplified view of only the virtual machines that the user owns and the operations that the user is allowed to perform on them. A self-service user role specifies the operations that members can perform on their own virtual machines (these can include creating virtual machines) and the templates and ISO image files that they can use to create virtual machines. The user role also can place a quota on the virtual machines that a user can deploy at any one time. Self-service users’ virtual machines are deployed transparently on the most suitable host in the host group that is assigned to the user role.
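The following PowerShell script is an added example, not code from the original page or from Microsoft's VMM documentation. It builds the two delegated roles described above (a Delegated Administrator scoped to one host group and a Self-Service User role limited to one lab host group, one template, a fixed set of VM operations and a quota) using the VMM 2008 cmdlet set. The server name, host group and template names, and the Active Directory group names are assumptions for illustration; the parameter used to place a template in a self-service role's scope and the exact permission names are also assumptions and should be checked against `Get-Help Set-VMMUserRole -Full` on the VMM server before use.

```powershell
# Added example: creating a Delegated Administrator role and a Self-Service User role in VMM 2008.
# All object names below are assumptions for illustration.
$vmmServer = Get-VMMServer -ComputerName "vmm01.contoso.com"   # assumed VMM server

# --- 1. Delegated Administrator for the New York office --------------------------------
# Profile:    DelegatedAdmin (full rights, except VMM settings and Administrator-role membership)
# Scope:      the "New York" host group (and every host and VM beneath it)
# Membership: an AD security group, so membership is managed in Active Directory, not in VMM
$nyHostGroup = Get-VMHostGroup -VMMServer $vmmServer | Where-Object { $_.Name -eq "New York" }
$nyAdmins = New-VMMUserRole -VMMServer $vmmServer -Name "New York Admins" `
    -Description "Delegated administrators for the New York host group" `
    -UserRoleProfile DelegatedAdmin
Set-VMMUserRole -UserRole $nyAdmins -AddScope $nyHostGroup -AddMember "CONTOSO\NY-VMM-Admins"

# --- 2. Self-Service User role for a lab ------------------------------------------------
# Profile:    SelfServiceUser (members see only their own VMs in the Self-Service Portal)
# Scope:      the "Lab" host group for placement, plus the one template they may deploy from
# Operations: only the listed actions on their own VMs; nothing else is granted
# Quota:      a fixed number of quota points, so users cannot deploy an unbounded number of VMs
$labHostGroup = Get-VMHostGroup -VMMServer $vmmServer | Where-Object { $_.Name -eq "Lab" }
$labTemplate  = Get-Template   -VMMServer $vmmServer | Where-Object { $_.Name -eq "Win2008-Lab" }
$labUsers = New-VMMUserRole -VMMServer $vmmServer -Name "Lab Self-Service Users" `
    -Description "Lab users: deploy from the approved template only" `
    -UserRoleProfile SelfServiceUser
Set-VMMUserRole -UserRole $labUsers `
    -AddScope $labHostGroup `
    -AddScope $labTemplate `          # assumption: templates are added to scope with -AddScope
    -VMPermission Create, Start, Stop, Shutdown, Checkpoint, Remove, RemoteConnect `  # assumed names
    -QuotaPoint 10 `
    -AddMember "CONTOSO\Lab-Users"

# --- 3. Checks a practitioner would run afterwards -------------------------------------
# Exactly one role uses the Administrator profile, and it must keep at least one member.
$adminRole = Get-VMMUserRole -VMMServer $vmmServer | Where-Object { $_.UserRoleProfile -eq "Administrator" }
if (@($adminRole).Count -ne 1) { Write-Warning "Expected exactly one Administrator role" }

# Review the new roles in full rather than trusting the script: scope, members and permissions.
Get-VMMUserRole -VMMServer $vmmServer |
    Where-Object { $_.Name -in @("New York Admins", "Lab Self-Service Users") } |
    Format-List *
```

Two points in the script carry the security value. Membership is given to Active Directory security groups rather than individual accounts, so joiners and leavers are handled by the normal AD process and the role itself never needs editing. The self-service role names its permitted operations and a single template explicitly; anything not listed (for example using an arbitrary ISO from the library, or placing a VM outside the "Lab" host group) is outside the role's scope and is refused by the server, not merely hidden by the portal.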

For further information please refer to Role Based Security in VMM