Udostępnij za pośrednictwem


User Role Management and Self-Service in SCVMM 2008 Beta

One of the key new investments in SCVMM 2008 is a significantly improved User Role Management. In other products, you may see the same concept referred as Role Base Access Control (RBAC) or other terms.

In a nutshell, comparing with the two user roles (Administrator and Self-Service user) we have in SCVMM 2007, we now support full role configuration by allowing further customization on the scope (what objects you can manage) and the profile (what actions you can take on the objects you have rights to manage). Here is how we define "user role" (by the way, this concept is similar to how SCOM defines it):

 

Based on this definition, in this new role model, we have three types of user role:

  1. Administrators
    • No scope customization available, Administrators have access to all objects
  2. Delegated Administrators
    • Can be limited to one or more host groups including all child objects
    • Can be limited to one or more Library servers including all child objects
  3. Self-Service Users
    • Can be limited to a single host group where new virtual machines may be created
    • Can be limited to a single Library share where new virtual machines can be stored
    • Can be limited to specific templates to use for new virtual machines

The new profile for "delegated administrators" allow users to divide their virtualization resources into segments and assign full administration rights to separate administrators who manage those separate segments. The user can even decide to further segment the resources by creating new delegated administrators that manages parts of the segmented resource groups. This functionality can be very useful in a geographically disparsed administration scenario, as well as for an environment where Dev/Test/Production are strictly managed by different groups with requirements for a centralized resource management console.

And the following diagram shows how the three types of user profiles differ from one another in terms of their scopes and profiles:

 

 

Here are some additional notes on how to manage self-service users :

  • Configure available actions
    • Independently allow/disallow basic actions like start, stop, pause, save state, restore
    • Allow / disallow the ability to create new virtual machines
    • Allow / disallow the ability to store virtual machines to a Library location
  • Define Profile Scope for virtual machines
    • Virtual machine creation can be limited to hosts in specific host groups
    • Storing virtual machines can be limited to specific Library shares

 

Also, as to VM management, here are the tips on how to manage self-service users on controlling VMs:

  • First, please be aware that users can only create new virtual machines from templates that are created by the VMM Administrators. This allows the VMM admins to control what type of VMs (hence, what hardware resources) the self-service users can create.
    • Users can only modify the computer name and Administrator password
    • All other settings (memory, drives, disks, etc) must be part of the template
  • Now, the next step is how to configure the templates for self-service users so that they can use them to create the VM they need.
    • Ensure that the appropriate additions/enlightenments are installed
    • Blank out the Administrator password so that it may be reset during creation
    • Enable RDP access if desired
    • If you have a volume license key, store the key in the OS profile of the template
  • Once the templates are created and the self-service users are defined, you may also want to define profile quotas to prevent any individual self-service user from abusing shared resources.
    • Determines the number of virtual machines that users can have at one time
    • Templates can be customized with quota requirements
    • Flexible point based system 

 

As an exmaple to how users may leverage the power of this new user role model in SCVMM 2008, the following user role hierarchy can be implemented to meet regional and functional administration delegation requirements. I highly recommend you to give it a try and let us know your feedback.

Thanks for reading!

Cheng