Create SCVMM user roles to define management, tighten security
Using SCVMM user roles provides granular control in a virtual infrastructure. By defining a delegation model, admins also ensure that the infrastructure is more secure.
System Center Virtual Machine Manager provides user roles that virtualization administrators can use to define the management scope for a particular IT team, implement a role-based delegation model and protect the SCVMM configuration from changes by users who do not need that access.
SCVMM is capable of managing Hyper-V, VMware and Citrix virtualization hosts and the entire virtualization stack in a production environment. While SCVMM provides greater flexibility when it comes to management, it can also add complexity.
In a large production environment, for example, you might have different IT teams looking after different aspects of virtualization. Some IT admins might be responsible only for managing a group of VMs in one location, while another group of IT admins manages the configuration of SCVMM itself. Similarly, you might want a group of IT workers to be responsible for adding and managing Windows Server Update Services servers in SCVMM. SCVMM user roles let you map this organizational structure onto the management scope each team actually needs.
Five user roles in SCVMM
There are five user roles in SCVMM: administrator, fabric administrator, read-only administrator, tenant administrator and application administrator. Members of each of the aforementioned user roles can perform the tasks that the SCVMM user role profile defines.
You can also create a new SCVMM user role based on your requirements and set its scope and available actions. Before creating a new SCVMM user role, take the following into consideration:
- Each of the five predefined SCVMM user roles consists of a profile that includes a set of tasks that a user who is part of the SCVMM user role can perform.
- Only administrators and delegated administrators can add users to user roles.
- After adding a user to a predefined user role, you need to set the management scope, which you can do by selecting an SCVMM host group or private cloud.
- SCVMM user roles can contain Active Directory users and security groups.
Create user roles in SCVMM
While it's easy to create user roles in SCVMM, which profile you choose depends on your requirements. For example, if you'd like someone to use the SCVMM console only to view the properties of managed virtualization hosts, the status of SCVMM jobs, and the properties of other objects, such as library servers and private clouds, you might want to add the user to the read-only administrator user role.
Similarly, if you'd like someone to manage a group of hosts and perform all the administrative tasks for the hosts, clouds and library servers they are responsible for, you might want to add the users/security groups to the fabric administrator user role.
To create new SCVMM user roles, you need to navigate to Settings in the SCVMM console, expand Security, select User roles and then click on the Create User Role button.
Once you click on the Create User Role button, you need to provide the user role name and description, select the SCVMM user role profile and the members that will be part of the new user role, as well as the scope, networking components, library servers, resources and any actions that the new user role can perform. An example is shown in Figure A below:
Your first step is to ensure you select the correct profile when creating the new user role, because the profile determines which scope options you see. When defining the scope for the new user role, select the resources for which the new user role is responsible. If you select the fabric or read-only administrator profile on the profile page when creating the new user role, you'll see a list of SCVMM host groups and private clouds. If you select the tenant or application administrator profile, you'll only see a list of private clouds.
On the networking page, which is specific to the tenant and application administrator user roles, you need to select the VM networks that you want to make available to the new user role. You can also create a new VM network on this page.
On the actions page, if you select the tenant or application administrator user roles, you can choose specific actions that the new user role can perform. As you can see in Figure A above, you can choose between actions such as author tenant VM networks, create and manage VM checkpoints, pause and resume VMs and services, and so on.
You'll also be asked to make Run As accounts available to the new user role so that its members can perform administrative tasks on managed virtualization hosts. Make available only the Run As accounts the role's members actually need: a Run As account carries its own credentials, and any member of the role can use it.
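The same delegation can be scripted with the VMM PowerShell module. The following is an added example, not code from the article or from Microsoft: it creates a fabric administrator role scoped to a single host group, adds one Active Directory group as its only member, and then audits every user role's members and scope so over-broad delegation is easy to spot. The server name, host group, AD group and role name are placeholders; the profile value `DelegatedAdmin` (the cmdlet name for the fabric administrator profile) and the `Members` and `Scope` property names are assumptions to confirm against `Get-Help New-SCUserRole` and `Get-SCUserRole` in your environment.

```powershell
# Added example: scoped fabric administrator role plus a delegation audit.
# Assumes the VMM PowerShell module is loaded and the caller is an SCVMM administrator
# (only administrators and delegated administrators can add members to roles).
$vmmServer     = "vmm01.corp.example"   # placeholder VMM management server
$hostGroupName = "Branch-East"          # placeholder SCVMM host group
$teamGroup     = "CORP\VM-Ops-East"     # placeholder AD security group
$roleName      = "Branch East Fabric Admins"

Get-SCVMMServer -ComputerName $vmmServer | Out-Null

# 1. Create the role from the fabric administrator profile if it does not exist yet.
#    "DelegatedAdmin" is assumed to be the profile value behind "Fabric Administrator".
$role = Get-SCUserRole -Name $roleName
if (-not $role) {
    $role = New-SCUserRole -Name $roleName -UserRoleProfile DelegatedAdmin `
        -Description "Fabric admins for the Branch-East host group only"
}

# 2. Restrict the scope to one host group and add the team's AD group as a member.
#    Using a group rather than individual accounts keeps membership reviewable in AD.
$hostGroup = Get-SCVMHostGroup -Name $hostGroupName
Set-SCUserRole -UserRole $role -AddScope $hostGroup -AddMember $teamGroup | Out-Null

# 3. Audit: one row per role with profile, members and scope. A team group that
#    appears in the built-in Administrator role, or a role with an empty scope,
#    is the kind of drift this report is meant to surface.
Get-SCUserRole | ForEach-Object {
    [pscustomobject]@{
        Role    = $_.Name
        Profile = $_.UserRoleProfile                                 # assumed property
        Members = (@($_.Members) | ForEach-Object { "$_" }) -join ", " # assumed property
        Scope   = (@($_.Scope)   | ForEach-Object { $_.Name }) -join ", " # assumed property
    }
} | Sort-Object Profile, Role | Format-Table -AutoSize
```

Run the audit section on its own periodically; it needs no changes to existing roles and gives a quick check that each team's membership and scope still match the delegation model you designed.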