One essential characteristics of cloud computing is a self-service mechanism. Both NIST SP 800-145 and Chou’s 5-3-2 Principle have discussed well. The self-servicing capability is essential since not only it reduces support cost fundamentally, but making it easy for a user to consume provided services will continually promote the usage and ultimately accelerate the ROI. In System Center 2012 SP1, App Controller is the self-service vehicle for managing a hybrid cloud based on SCVMM, Windows Azure, and 3rd party hosting services.

This article assumes a reader is familiar with System Center 2012 SP1, and particularly System Center Virtual Machine Manager (SCVMM) and App Controller. Those who are new to System Center 2012 SP1 should first download and install at least SCVMM 2012 SP1and App Controller 2012 SP1 from http://aka.ms/2012 to better follow the presented content.

Role-Based Security Model for Delegating Authority

The concept of a role-based security model in SCVMM is to package security settings and policies on who can do what, and how much on an object into a single concept, the so-called user role. The idea of a user role is to define a job function which a user performs as opposed to simply offering a logical group of selected user accounts.

To delegate authority, a user role is set with tasks, scope, and quotas based on a target business role and assigned responsibilities. The members of a user role are then with the authority to carry out specific tasks on authorized objects for performing a defined business function. For instance, a first-tier help desk support may perform a few specific diagnostic operations on a VM or service, but not debugging, storing, or redeploying it, while a datacenter administrator as an escalation path for the first-tier help desk can do all.  In this case, a help desk support and an escalation engineer are to be defined as two user roles for delegating authority.

User-Role Defined in SCVMM Settings

Operationally, creating a user role is to configure a profile which include membership, scope, resources, credentials, etc. A user role defines who can do what and how much on an authorized resource. And in essence a defined user role is a policy imposed on those who are assigned with this role, i.e. having a membership of this role.

To set up a user role in SCVMM, use the admin console and go to Setting workspace followed by clicking Create User Role from the ribbon as shown below. There are four user roles profiles available in SCVMM 2012 SP1. Each profile includes membership, scope, accessible networks and resources, allowed operations, etc.

1. A Fabric Administrator or a Delegated Administrator can perform all tasks on objects within assigned scope.  This role however can change neither VMM settings, nor the Administrator user role membership. The scope of this role include all services deployed and host groups added into SCVMM admin console.
2. The role, Read-Only Administrator, is intended for auditors. It can view, yet not change object properties and job status within their assigned host groups, clouds, and library servers.  The scope of this role include all services deployed and host groups added into SCVMM admin console.
3. A Tenant Administrator manage self-service users and VM networks. This role can administer including create, deploy, and set quotas on VMs and services. The scope of this role include all services deployed. There is also a list of operations available for this role including authoring VM, service templates, and tenant VM networks. Below is a sample profile showing both operations disabled for this user role currently being configured.



4. A self-service user is now called an Application Administrator. A member of this role can create, deploy, place quotas, and manage VMs and services with tasks/operations allowed for this role. The scope of this role include all services deployed. There is also a list of operations available for this role  including authoring VM and service templates. This role however can not author tenant VM network. Here a sample profile with a number operations disabled for this user role currently being configured.

The self-service model of SCVMM is to employ App Controller and SCVMM admin console as the self-service vehicle and enables an authorized user to self-manage resource consumption based on SLA with minimal IT involvement in the lifecycle of a deployed resource and without the need to expose the underlying fabric which is a key abstraction in cloud computing.

A difference of using App Controller and SCVMM is that the former does not reveal the underlying fabric regardless, while the latter will according to the user role of an authenticated user.

Connect App Controller to Authorized Resources

	Employing App Controller as a self-service vehicle has it advantage to manage not only SCVMM-based private cloud but also resources deployed to Windows Azure and 3rd party hosting services. The process and operation details to establish connectivity with App Controller are already discussed in a primer and not repeated here.
	Since the login user, here an administrator, has multiple user roles, App Controller presents a dropdown list  for the user to specify the user role of this session. And each role signifies that an associated user role profile including security and usage policies is automatically imposed during the session.

New in App Controller on Deployment

In System Center 2012 SP1, there are a number of new operations available for App Controller as documented in http://technet.microsoft.com/en-us/library/jj605414.aspx. These operations as listed below facilitate the migration and deployment of resources among SCVMM-based private clouds, Windows Azure, and 3rd party hosting services.

• Upload a virtual hard disk or image to Windows Azure from a VMM library or network share
• Add a virtual machine to a deployed service in Windows Azure
• Start, stop, and connect to virtual machines in Windows Azure
• Copy a virtual machine from VMM to Windows Azure
• Deploy a virtual machine in Windows Azure to create a cloud service
• Add a Service Provider Framework (SPF) hosting provider connection

Typical User Experiences with App Controller

	Here it shows how to upload a virtual hard disk or image to Windows Azure form a network share. TO upload a VM requires the VM to be in a “stored” state first. The process and steps to store a VM are detailed in System Center 2012 SP1 Explained: Storing VM
	This shows how to deploy a VM with a customized image directly from. App Controller. The process and steps to create and capture an image in Windows Azure are detailed in: TechNet Radio: Virtually Speaking with Yung Chou – How to Create a Virtual Machine using Windows Azure TechNet Radio: Virtually Speaking with Yung Chou – How to Capture an Image of and Attach a Data Disk to a Windows Azure Virtual Machine
	There are now many opportunities and options to manage a Windows Azure VM deployment.

Closing Thoughts

Cloud is here to stay and hybrid is the way to go. Be ready. Learn, master, and take advantage of it. Make profits. Grow a career. Eat well and sleep well while welcoming XaaS, Everything as a Service, which we will have a lot to talk about soon.