How to Add a Permission to a User Role
Applies To: System Center 2016 - Service Provider Foundation, System Center Technical Preview
In Service Provider Foundation, sometimes a user cannot accomplish a task because the user is missing a required permission. Permissions can be added to a user as long as the current user can manage permissions by using the UserRoles OData collection.
The way Service Provider Foundation works with user role permissions might be confusing at first. A UserRole entity does not have a property to change permissions directly. Instead, you set the UserRole.PermissionInput property to a collection of UserRolePermission objects. Each UserRolePermission object represents all permissions that the user has on a specific stamp. When the UserRole entity is updated, the UserRole.PermissionInput property is processed. Each UserRolePermission is read and replaces all existing permissions for the associated stamp that the user role has.
You likely want to preserve existing permissions by copying them to the UserRolePermission object, and then add or remove specific permissions.
To add a permission to a user role by using the .NET Framework
1. Connect to the Service Provider Foundation VMM service.
2. Obtain the SpfVMM.UserRole to which you want to add a permission.
3. Create a new instance of the SpfVMM.UserRolePermission class.
4. Copy the UserRole.Permission to a new list or array of strings.
5. Add the new permissions to the list or array of permission strings.
6. Set the UserRolePermission.Permission property to a new instance of the System.Collections.ObjectModel.ObservableCollection<T> class, passing in the list or array of permission strings.
7. Set the UserRolePermission.StampId property to the ID of the stamp to which the user permissions apply.
8. Add the UserRolePermission that you created to the UserRole.PermissionInput collection.
9. Call the UpdateObject method on the VMM service object reference and pass in the changed UserRole object.
10. Call the SaveChanges method on the VMM service object reference.
To add a permission to a user role by using HTTP
1. Create a new HTTP PUT or MERGE operation.
   Important: If you supply only the key and changed properties, use a MERGE operation. PUT is used when you want to replace all properties on the entity with new or default values. The MERGE operation updates the existing entity with the supplied properties. PUT updates the existing entity with the supplied properties, but resets all missing properties back to their default values.
2. Set the URL to a specific user role identifier with the UserRoles collection: https://server:30005/subscription-id/services/systemcenter/vmm/UserRoles/user-role-id.
   Important: The subscription-id that is used must have permissions to alter the permissions of a user role.
   Tip: Provide the GUID of the user role on the URL. The previous example uses user-role-id as a placeholder.
3. Add the HTTP headers. Specifically, add the x-ms-principal-id header, which can be set to any value.
4. Create the HTTP payload that contains the user role entity with at least the ID and PermissionInput properties set.
5. Submit the HTTP request.
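
Because each UserRolePermission replaces the whole permission list for its stamp, both procedures above depend on sending every permission the role should keep. The following Python code is an added example, not part of the original page or of Service Provider Foundation: it computes the de-duplicated list, records which permissions the update grants or revokes, and builds the MERGE request without sending it. The function names, the CURRENT sample and the refusal to submit an empty list are assumptions of this example; the URL shape and headers follow the ones shown on this page.

```python
import json

def merge_stamp_permissions(current, add=(), remove=()):
    """Return (merged, audit). SPF replaces the stamp's whole permission list,
    so `merged` must carry every permission the role is meant to keep."""
    merged = [p for p in dict.fromkeys([*current, *add]) if p not in remove]
    if not merged:
        # Policy of this example: never silently strip a role on a stamp.
        raise ValueError("update would leave no permissions on this stamp")
    audit = {
        "granted": [p for p in merged if p not in current],
        "revoked": [p for p in dict.fromkeys(current) if p not in merged],
    }
    return merged, audit

def build_merge_request(server, subscription_id, role_id, stamp_id, merged, principal):
    """Build (method, url, headers, body) for the update; nothing is sent."""
    payload = {
        "ID": role_id,
        "PermissionInput": [{
            "Permission": merged,
            "Permission@odata.type": "Collection(Edm.String)",
            "StampId": stamp_id,
        }],
        "PermissionInput@odata.type": "Collection(VMM.UserRolePermission)",
        "odata.type": "VMM.UserRole",
    }
    url = "https://{}:30005/{}/services/systemcenter/vmm/UserRoles/{}".format(
        server, subscription_id, role_id)
    headers = {
        "x-ms-principal-id": principal,
        "Content-Type": "application/json;odata=minimalmetadata",
        "Accept": "application/json;odata=minimalmetadata",
        "DataServiceVersion": "3.0;NetFx",
        "MaxDataServiceVersion": "3.0;NetFx",
        "DataServiceUrlConventions": "KeyAsSegment",
    }
    # MERGE, not PUT: only ID and PermissionInput are supplied, and PUT would
    # reset every property missing from the body to its default.
    return "MERGE", url, headers, json.dumps(payload)

# Constructed sample: permissions the role currently holds on the stamp.
CURRENT = ["Create", "PauseAndResume", "Start", "Stop", "Checkpoint"]

if __name__ == "__main__":
    merged, audit = merge_stamp_permissions(CURRENT, add=["Checkpoint", "Shutdown"])
    print(audit)
    print(*build_merge_request("wapserver", "subscription-id", "user-role-id",
                               "stamp-id", merged, "user@contoso.com"), sep="\n")
```

Logging the audit dictionary next to the submitted request gives reviewers a record of exactly which permissions each update granted or revoked.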
Example
The following code example shows how to add the Checkpoint permission to an existing user role by using the .NET Framework. This code example also preserves all existing permissions that the user role already has. For more information, see Programming in Visual Studio with Service Provider Foundation Services.
// Requires: using System; using System.Linq;
SpfVMM.VMM vmmService = new SpfVMM.VMM(new Uri("https://wapserver:30005/97FD50F3-1DC0-41B6-A7C0-2B4FF4C3F7E3/services/systemcenter/vmm/"));
vmmService.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;
// Get the existing user role
var userRole = vmmService.UserRoles.Where(ur => ur.Name == "john@contoso.com_97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3").FirstOrDefault();
if (userRole != null)
{
    // Create the replacement permission object
    var permission = new SpfVMM.UserRolePermission();
    // Preserve the existing permissions using System.Linq extensions
    var perms = userRole.Permission.ToList();
    // Add the new permission
    perms.Add("Checkpoint");
    // Populate the replacement permission object for the target stamp
    permission.Permission = new System.Collections.ObjectModel.ObservableCollection<string>(perms);
    permission.StampId = new Guid("ba4146fa-fb41-4f59-a193-ad00c52a138c");
    // Add the permissions to the user role
    userRole.PermissionInput.Add(permission);
    vmmService.UpdateObject(userRole);
    vmmService.SaveChanges();
}
Example
The following code example shows an HTTP request that is sent to the server.
MERGE https://wapserver:30005/BA4146FA-FB41-41B6-A7C0-2B4FF4C3F7E3/services/systemcenter/vmm/UserRoles/97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3 HTTP/1.1
DataServiceVersion: 3.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json;odata=minimalmetadata
Accept-Charset: UTF-8
DataServiceUrlConventions: KeyAsSegment
User-Agent: Microsoft ADO.NET Data Services
x-ms-principal-id: user@contoso.com
Content-Type: application/json;odata=minimalmetadata
Host: wapserver:30005
Content-Length: 839
Expect: 100-continue
Authorization: Negotiate <token>

{
    "ID": "97fd50f3-1dc0-41b6-a7c0-2b4ff4c3f7e3",
    "PermissionInput": [{
        "Permission": ["Create",
            "PauseAndResume",
            "Start",
            "Stop",
            "AllowLocalAdmin",
            "Remove",
            "Shutdown",
            "Checkpoint",
            "Author",
            "CanShare",
            "CanReceive",
            "CreateFromVHDOrTemplate",
            "CheckpointRestoreOnly",
            "AuthorVMNetwork",
            "Checkpoint"
        ],
        "Permission@odata.type": "Collection(Edm.String)",
        "StampId": "ba4146fa-fb41-4f59-a193-ad00c52a138c"
    }],
    "PermissionInput@odata.type": "Collection(VMM.UserRolePermission)",
    "odata.type": "VMM.UserRole"
}
Example
The following code example shows an HTTP response from the server.
HTTP/1.1 204 No Content
Cache-Control: no-cache
Server: Microsoft-IIS/8.5
x-ms-request-id: 0b494a73-66e6-4b86-b1cf-90d3a7432622
X-Content-Type-Options: nosniff
request-id: eda9bde6-834a-0000-95d9-aced4a83ce01
DataServiceVersion: 1.0;
X-AspNet-Version: 4.0.30319
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Mon, 19 Aug 2013 21:59:34 GMT