Role Based Access Control For VMM

by [Published on 10 May 2017 / Last Updated on 10 May 2017]

At one time, it was normal for IT pros to be generalist. Each person on the IT team was responsible for knowing the ins and outs of anything that the organization had deployed.

Members of the IT staff were responsible for ongoing management, maintenance, and repairs of all things IT related. Although this type of situation might still exist in some smaller companies, it is becoming far less common. IT is much more complex than it once was, and IT pros are increasingly specialized. Rather than being responsible for all things IT related, IT pros commonly focus on specific tasks or technologies.

The specialization of IT requires a new way of thinking about permissions. No longer do IT pros receive full, unrestricted access to everything that the company owns. Instead, access tends to be much more compartmentalized.

In some cases, setting up compartmentalized access to IT resources can pose a bit of a challenge. After all, some management tools are designed under the assumption that the person who will be using the tool will have the appropriate level of permissions. In the case of System Center Virtual Machine Manager however, it is possible to delegate administrative authority through the use of Role Based Access Control. Role Based Access Control allows administrators to configure the Virtual Machine Manager console in a way that allows members of the IT staff to perform their delegated responsibilities, but without giving them excessive permissions in the process.

To configure Role Based Access Control within System Center 2016 Virtual Machine Manager, open the Virtual Machine Manager console, and then select the Settings workspace. Next, click on the User Roles container, which you can see in the figure below.

 Image


Role Based Access Control is configured through the console’s User Roles container.

As you look at the figure above, you will notice that the User Roles screen contains columns labeled Name, Description, Profile Type, and Parent User Role. Right now, there is only one entry on this screen – the Administrator role.

The Administrator role is just that – a role. It is not an account. The easy way of thinking of a role within Virtual Machine Manager is that it is similar to a security group. Like a security group, members are assigned to a role, and those members are given permissions that are appropriate for the role’s intended purpose.

If you look at the figure below, you will see the properties screen for the Administrator role. The screen’s Name and Description tab is selected by default. This tab contains the name of the role (Administrator), a role description, the user role profile, and a description of the profile. In case you are wondering, the user role profile establishes what role members can and cannot do.

Image
 
The Name and Description tab provides basic information about the role.

The role properties dialog box also contains a Members tab, which you can see in the figure below. Role members inherit the permissions that exist within the user role profile.

 Image


User accounts are assigned to a role as role members.

The subject of user role profiles has come up a couple of times in this article, and yet if you look back at the very first figure in this article, you will notice that the Settings workspace does not include a container for User Role Profiles. That’s because user role profiles are something that is hard coded into Virtual Machine Manager, and is not something that you can configure. As an administrator, you can create and edit user roles, and user role profiles can be assigned to user roles, but you can’t edit the user role profiles themselves.

The Administrator role that I showed you a moment ago is built into Virtual Machine Manager by default. If you want to create additional user roles, then you can do so by selecting the User Roles container, and clicking the Create User Role button. This causes Virtual Machine Manager to launch the Create User Role Wizard.

The wizard’s first screen asks you to enter a name and an optional description of the role that you are creating. It is a good idea to enter a meaningful description that spells out exactly why the role exists, and what role members will be allowed to do.

Click Next, and you will be taken to the wizard’s Profile screen. The Profile screen, which you can see in the next figure, lists the user role profiles that are built into Virtual Machine Manager. The user role that you are creating will have the same abilities as the profile that you associate with the role. The available profiles include:

•    Fabric Administrator (Delegate Administrator) – A Delegated Administrator can perform all tasks within the assigned scope, but cannot add or remove users from the Administrator role.
•    Read-Only Administrator – A Read-Only Administrator can browse the Virtual Machine Manager console, but can not create or modify any objects. This role is commonly used for training purposes.
•    Tenant Administrator – A Tenant Administrator has administrative permissions for their own area of a multi-tenant deployment. They also have the ability to manage self service users.
•    Application Administrator (Self-Service User) – An application administrator is similar to a Tenant Administrator in that they are essentially an administrator over a specific set of resources in a multi-tenant environment. They can create and manage virtual machines and services, but cannot manage self-service users.

Image
 
These are the user role profiles that are available.

Click Next, and you will be taken to the wizard’s Members screen. This screen lets you add users to the role. Of course you also have the option of adding or removing members later on.

The next screen that you will see is the Scope screen. The Scope screen lets you determine which objects the role members will be able to manage. You will only be able to define a scope if VMM has been provisioned with multiple clouds.

Click Next, and the wizard will display the Networking screen. This screen lets you select the VM networks that role members are allowed to use. Similarly, the Resources screen, which is the next screen that the wizard displays, lets you specify the resources that role members are allowed to use.

Click Next, and you will see the wizard’s Permissions screen. I explained earlier that the user role profile is the mechanism that determines what role members are allowed to do. While this statement is true, it is possible to configure permissions on a more granular level. The user role profile is made up of a collection of permissions. The Permissions screen, which you can see below, gives you the ability to enable or to disable individual permissions within the user role profile’s permission set.

 Image


You can assign granular permissions to a user role.

Click Next, and you will see a summary of the configuration options that you have selected for the new role. If the information on the Summary screen looks good, you can click Finish to create the role.


Conclusion

Role Based Access Control is useful for situations in which an administrator wants to delegate a particular administrative task, or set of tasks. In doing so, the permissions model is set up so that user’s can be granted very granular sets of permissions.


See Also


The Author — Brien M. Posey

Brien M. Posey avatar

Brien Posey is an MCSE and has won the Microsoft MVP award for the last few years. Brien has written well over 4,000 technical articles and written or contributed material to 27 books.