With VMWare and vCenter, I'm used to creating folders in a filesystem manner to delegate permissions to users within the organization. For example, I might create a folder named QA, place all the QA VMs within that folder, and allow the QA Active Directory group to only have console access to these VMs (unable to change them). I'm now evaluating HyperV R2 with VMM 2008 R2 and I can't find any such functionality. I've found "User Roles", but that seems to be more of a host-level solution, not VM or folder-level. Does such functionality exist yet within HyperV/VMM?
1 Answer
In Hyper-V you normally keep all the VHD files together in a central folder that normal users have no access to. It's a different way of securing the system: complete separation of hosts from users. Because of that, users who will be creating and modifying VMs have to have some kind of administrative access to the Hosts, and that either covers the whole machine (as is common for IT type staff) or goes through a role in VMM (through either SSP or Administrative Delegation).
An example configuration might be that you have QA VMs for testing. The QA users need to be able to create new VMs based on a simple base server, do their testing, and either save the machine for more extensive testing or scrub it.
You create a Role for the QA Group, making it an SSP User Role. Then create a VM template, basically a sysprepped VM, which can be made from an existing VM by cloning it, then making a template from the clone (the templating process destroys the source VM). You then assign the template to the QA group. QA Users can now create VMs based on this template; the new VMs will belong to QA and the QA users will be allowed full access to them (or limited access, depending on the settings in the SSP User Role you set up).
You can also assign ownership of existing VMs to that user group, which can then have access to the VM through SSP (again subject to the restrictions imposed by the User Role granting that group access).
In this example the QA users need no rights to the VHD files, no rights on the Host machines, and only limited rights in AD & VMM. This would not allow them to use the VMM Admin Console, but that is meant for Admins, not Users.
Alternatively, you can delegate administrative control of certain machines to particular users. If there is a QA testing Host, and they will not be running their VMs on the "main" cluster, you can delegate administrative control of that Host (through a Host Group) to the QA Users. This would allow users of the QA group to use the VMM Admin Console and have full administrative control of that particular host group. The same sort of delegation can be applied to Libraries, allowing for a QA library separate from the "main" library.
I'm sure this is all as clear as mud to someone who hasn't used it extensively; feel free to ask as many questions as you want to help clear this up.
(Full Disclosure: I work for a MS Gold Partner, we build these sorts of systems)
- When I mentioned a folder, I meant it in the VMWare term of the OU-like method of grouping similar VMs together. My end goal is to have multiple types of VMs on one physical host, group them according to their role and who should have access to them, and then assign permissions to the group. This way, I can easily drag machines in and out of groups to change permissions on that machine. For instance, perhaps I want Engineering to be able to modify the amount of memory that their VMs have, but QA should only be able to power on/off and take snapshots. http://www.vmware.com/pdf/vi3_vc_roles.pdf – Dan Aug 16 '10 at 19:22
- Ok. Hyper-V doesn't have permissions groups for VMs because it relies on AD for those groups. So you'd create the group in AD, assign the VMs' owner to that Group, then assign users of that VM to that Group (or, best practice, assign users to Global Groups, and use a Domain Local group for the groups that the VMs are owned by). – Chris S Aug 16 '10 at 19:49
- Ohhh... I see.. that's kinda ugly :( And not granular at all (I can't say Group A can only power on/off and view console, while Group B can also take snapshots). Is that the only way to do VM-level permissions with HyperV? – Dan Aug 16 '10 at 20:06
- Well you could have a Group A (all users) and have the VM belong to that group. Group A would have rights to connect to the VM only. Then Group P (users who can power on/off) and make a User Role that matches that; and Group S (snapshot users) with a User Role matching that. Then dump the actual user accounts into each group they should belong in. If you want to get real granular on each VM, it's going to take a bit to set up all the various groups; but the groups usually follow some business function, and there are existing groups that can be reused. – Chris S Aug 17 '10 at 00:07
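The tiered design Chris S sketches in the last comment (a connect-only group, a power on/off group and a snapshot group, each backed by its own Self-Service User Role, with users placed in Global groups that are nested into the Domain Local groups VMM actually references) can be scripted so the group layout stays consistent. The script below is an added example and is not code from the thread. It assumes the Active Directory module from RSAT and the VMM 2008 R2 PowerShell snap-in are installed; the domain, OU path, VMM server and account names are placeholders, and the VMM cmdlet parameters used here (`-UserRoleProfile`, `-AddMember`, `-VMPermission`, `Set-VM -Owner`) are assumptions to be checked with `Get-Help` against the installed VMM version.

```powershell
# Added example, not from the original post. Builds the AGDLP group layout
# (users -> Global groups -> Domain Local groups) and maps each Domain Local
# group to one VMM 2008 R2 Self-Service User Role with a fixed set of VM
# permissions, so the only per-VM decision left is which group owns the VM.
#
# Assumptions: ActiveDirectory module and VMM 2008 R2 snap-in present; the
# VMM parameter names below must be verified with Get-Help on your install.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager

$domain  = "EXAMPLE"                         # placeholder NetBIOS domain name
$ouPath  = "OU=VMM,DC=example,DC=local"      # placeholder OU that holds the groups
$vmmHost = "vmm01.example.local"             # placeholder VMM server
Get-VMMServer -ComputerName $vmmHost | Out-Null

# Access tiers from the comment thread, least privileged first. Each tier
# gets its own User Role; a user in a higher tier is simply also a member
# of the lower tiers' Global groups.
$tiers = @(
    @{ Name = "QA-VM-Connect";  Perms = @("RemoteConnect") },
    @{ Name = "QA-VM-Power";    Perms = @("RemoteConnect","Start","Stop","Shutdown") },
    @{ Name = "QA-VM-Snapshot"; Perms = @("RemoteConnect","Start","Stop","Shutdown","Checkpoint") }
)

foreach ($tier in $tiers) {
    $globalGroup = "G-"  + $tier.Name        # holds user accounts
    $localGroup  = "DL-" + $tier.Name        # what VMM references and what owns VMs

    # Create both groups idempotently, then nest Global into Domain Local.
    foreach ($pair in @(@($globalGroup, "Global"), @($localGroup, "DomainLocal"))) {
        if (-not (Get-ADGroup -Filter "Name -eq '$($pair[0])'")) {
            New-ADGroup -Name $pair[0] -GroupScope $pair[1] -GroupCategory Security -Path $ouPath
        }
    }
    Add-ADGroupMember -Identity $localGroup -Members $globalGroup

    # One Self-Service User Role per tier; membership is the DL group only,
    # so changing who can do what never touches VMM, just AD group membership.
    $role = Get-VMMUserRole | Where-Object { $_.Name -eq $tier.Name }
    if (-not $role) {
        $role = New-VMMUserRole -Name $tier.Name -UserRoleProfile SelfServiceUser `
                    -Description "Self-service role: $($tier.Name)"
    }
    Set-VMMUserRole -UserRole $role -AddMember "$domain\$localGroup" `
        -VMPermission $tier.Perms | Out-Null
}

# Users go into Global groups only (placeholder account names).
Add-ADGroupMember -Identity "G-QA-VM-Connect"  -Members "qa.tester"
Add-ADGroupMember -Identity "G-QA-VM-Snapshot" -Members "qa.lead"

# VM ownership is the per-VM switch: the "folder" the question asked for
# becomes the owning DL group. Placeholder name filter for the QA machines.
Get-VM | Where-Object { $_.Name -like "QA-*" } |
    ForEach-Object { Set-VM -VM $_ -Owner "$domain\DL-QA-VM-Connect" | Out-Null }
```

Moving a VM between tiers is then a single `Set-VM -Owner` change, and moving a person between tiers is an AD group membership change, which also gives the audit trail (group membership changes in the security log) that a drag-and-drop folder move would not. The role permissions are still coarse per role rather than per VM, which is the limitation Dan points out in the thread; this layout does not remove it, it only keeps it manageable.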