Managing a private cloud environment typically involves much more than just providing templates that administrators can use to deploy new virtual machines (VMs). Administrators often need the ability to manage private clouds, VMs, and even virtual hosts. Thus, it's important to have well-defined management permissions in these private cloud environments.

Fortunately, Microsoft System Center 2012 SP1 Virtual Machine Manager (VMM 2012 SP1) provides you with the ability to create user roles. With user roles, you can define a scope and the objects that administrators can manage. You can also define management operations that administrators can perform. After I describe the types of user roles available in VMM 2012 SP1, I'll show you how to assign administrators to existing user roles and how to create new user roles.

Understanding the User Roles

In VMM 2012 SP1, each user role you create comes with a set of permissions. Also, each user role is defined with a specific scope. In a private cloud environment, permissions are rarely delegated for the whole virtual infrastructure. Instead, permissions are delegated for "lower" levels, such as private clouds, host groups, or library resources.

VMM 2012 SP1 lets you define several types of user roles. The user roles that you can use include the following.

Administrator. The Administrator user role comes predefined when you install VMM 2012 SP1. This default role has the widest management scope. Members of the Administrator user role can perform all administrative tasks on all objects (both virtual and physical) that VMM manages. Some tasks are specific to only this role and can't be delegated through any other role. For example, only members of the Administrator user role can add a standalone Citrix Systems XenServer to a VMM management server or add a Windows Server Update Services (WSUS) server for VMM fabric management. (Fabric is the term used to describe the infrastructure used to manage and deploy hosts, and to create and deploy VMs and services to a private cloud.) It isn't possible to redefine (i.e., narrow) the scope for the Administrator user role, so the number of members should be kept to a minimum. Typically, members are the administrators at the cloud provider company. The Administrator user role can create other user roles and manage membership of any other user role. You should never assign ordinary users to this role; its membership is for administrators only.

Fabric Administrator. Members of the Fabric Administrator user role can perform all administrative tasks but within a defined scope. The scope can be a host group, private cloud, or one or more library servers. However, they can't modify any general VMM settings or modify the membership of the Administrator user role. If you want to give an administrator permission to fully manage a private cloud within VMM, this is the user role that you should use.

For hosted environments, this is a very useful user role. For example, if you're a cloud provider and manage the virtual environment with VMM, you'll probably want to make your clients members of the Fabric Administrator user role so they can fully manage the objects and infrastructure within their private clouds. In this scenario, you'd define multiple user roles with the Fabric Administrator profile—one for each private cloud you create. Another scenario for using this role type is delegating to other administrators the ability to manage some portions of your virtual infrastructure. For example, you can give an administrator the right to manage specific host groups or library servers. Note that this user role is called the Delegated Administrator user role in the release to manufacturing (RTM) version of VMM 2012.

Read-Only Administrator. Members of the Read-Only Administrator user role can view but can't change the configuration settings for the VMM managed objects within a defined scope. They also can view the status of jobs executed within their management scope.

This user role is for auditing purposes. For example, if your virtual infrastructure is standardized and you want to make sure that the change-management process is being followed, you can assign an auditing or change-management team member to this user role. You can also assign this user role to novice administrators who need to first familiarize themselves with the VMM configuration before being assigned to a user role with more permissions.

Tenant Administrator. This user role is specific to VMM 2012 SP1 and can't be created in VMM 2012 RTM. Members of the Tenant Administrator user role can define the scope of tasks performed by self-service users on their VMs, including creating and applying quotas on available resources. So, this is the user role you should use if you want to give an administrator permission to manage self-service users and the resources they consume.

Members of the Tenant Administrator user role can also manage VM networks, including managing and deploying their own VMs within a defined scope. The scope is limited to private cloud objects.

Application Administrator. Members of the Application Administrator user role can deploy and manage their own VMs within the scope and quotas defined by higher-level administrators. Note that this user role is called the Self-Service User user role in VMM 2012 RTM.

Assigning User Roles

Assigning an administrator to a user role in VMM 2012 SP1 is a pretty simple task. For example, if you want to add someone to the Administrator user role, you follow these steps:

  1. Navigate to Settings in the VMM 2012 console, expand Security, and click User roles.
  2. Double-click Administrator in the right pane.
  3. Select the Members tab. Here you can add any user account from the Active Directory (AD) domain to which the VMM server belongs.

Note that you must use the VMM console or PowerShell to add an AD user account. You can't manage user roles from any AD utility.
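The same membership change done from PowerShell with the VMM cmdlets, followed by a quick review of who holds which role, as an added example that is not part of the original article. The VMM server name, the domain account, the membership limit, and the property names read from the UserRole objects (Name, Profile, Members) are assumptions; compare them with the output of Get-SCUserRole in your own environment.

```powershell
# Added example (not from the article): assign a member to a VMM user role and
# audit role membership. Assumed: VMM server "vmm01.contoso.local" and account
# "CONTOSO\jdoe" are placeholders.
Import-Module virtualmachinemanager
$vmm = Get-SCVMMServer -ComputerName "vmm01.contoso.local"

# Equivalent of Settings > Security > User roles > Administrator > Members tab
$adminRole = Get-SCUserRole -VMMServer $vmm -Name "Administrator"
Set-SCUserRole -UserRole $adminRole -AddMember "CONTOSO\jdoe"

# Review every role, its profile and its members. Worth running periodically,
# because the Administrator role cannot be scoped and should stay small.
Get-SCUserRole -VMMServer $vmm | ForEach-Object {
    [pscustomobject]@{
        Role    = $_.Name
        Profile = $_.Profile            # e.g. DelegatedAdmin is the Fabric Administrator profile in SP1
        Members = ($_.Members -join ", ")
    }
} | Format-Table -AutoSize

# Flag an Administrator role that has grown beyond an agreed limit (assumed limit: 3).
$maxAdmins = 3
$adminRole = Get-SCUserRole -VMMServer $vmm -Name "Administrator"
if ($adminRole.Members.Count -gt $maxAdmins) {
    Write-Warning ("Administrator role has {0} members; review its membership." -f $adminRole.Members.Count)
}
```

The listing is the part to keep: the console shows one role at a time, whereas the script gives you the whole membership picture in one table that can be saved and compared between change windows.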

Creating User Roles

You use the Create User Role Wizard to create new user roles. To open this wizard, you can navigate to Settings in the VMM 2012 console, expand Security, select User roles, and click the Create User Role button. Alternatively, you can navigate to the Tenants node in the VMs and Services task pane, right-click the Tenants node, and select Create User Role. (Note that if you're using VMM 2012 RTM, you can't use the alternative method.)

The information that you need to provide in the Create User Role Wizard varies depending on the type of user role you're creating. For this reason, I'll describe the pages in the wizard rather than walk you through an example of how to create a particular user role.

Name and description. On this page, you need to provide the name and description of the user role, as shown in Figure 1. You should try to be as descriptive as possible, especially if you plan to create many user roles.

Figure 1: Providing the Name and Description of the User Role

Profile. On this page, you choose the type of user role to create. As Figure 2 shows, the profiles from which you can choose are Fabric Administrator, Read-Only Administrator, Tenant Administrator, and Application Administrator. The list doesn't include the Administrator user role because it comes predefined when you install VMM 2012, as mentioned previously.

Figure 2: Choosing the Type of User Role to Create

Members. On this page, you can add user role members from AD. It isn't mandatory to do this when you're creating the user role. You can do it at any time by double-clicking the user role and navigating to the Members tab, as described in the "Assigning User Roles" section.

Scope. Figure 3 shows the Scope page, where you define the scope of the user role. This is a very important step. You need to select the VMM resources for which you want to give the user role permissions. If you're creating a Fabric Administrator or Read-Only Administrator user role, the available host groups and private clouds will be displayed. If you're creating a Tenant Administrator or Application Administrator user role, you'll see only the available private cloud objects. Be careful when selecting the resources. If you make a mistake here, you can inadvertently provide access to the wrong resources.

Figure 3: Defining the Scope of the User Role

Quotas for the cloud. This page is visible only if you're creating a Tenant Administrator or Application Administrator user role. As Figure 4 shows, you can define quotas for the private cloud objects that you've chosen on the Scope page. Defining quotas to limit resource usage is highly recommended. For example, you can define how many VMs each member of the user role can create and how much RAM can be used. Besides using quotas to limit resource usage, you can use them to monitor usage to determine whether you might need to add resources to your virtual environment.

Figure 4: Defining Quotas for a Private Cloud

Quotas are defined on two levels. You can define a total quota for a user role. You can also define quotas for each member of that user role. You can combine these two quota types so you have one general quota for the user role and specific quotas for each administrator who is a member of that user role. When assigning quotas, make sure that you consider any quotas assigned to other user roles (if you have them). The system won't warn you if you oversubscribe, so make sure you don't.

Networking. Specific to only the Tenant Administrator and Application Administrator user roles, this page gives you the option to choose one or more VM networks that will be made available for use. You also have the option to create new VM networks from this page.

Library servers. This page is visible only if you're creating a Fabric Administrator or Read-Only Administrator user role. In most environments, only one library server exists, so there will be no real choice. If multiple library servers are deployed, they usually host different resources. If you have more than one library server, you need to make sure you select the one that hosts the resources needed by the user role you're creating. In some scenarios, you can also deploy dedicated library servers for each private cloud you create.

Resources. If you're creating a Tenant Administrator or Application Administrator user role, you need to choose specific resources from the library on the Resources page. It's important that you select the correct resources, especially if the administrators will be creating new VMs. You also need to define the data path for the data that the administrators will upload.

Actions. For the Tenant Administrator or Application Administrator user role, you'll have the option to choose specific actions that will be permitted. As Figure 5 shows, you can select actions such as Checkpoint (administrators can create and manage VM checkpoints) and Deploy (administrators can create VMs and services). Make sure that you understand the purpose of each action, taking into consideration the scope of the user role.

Figure 5: Selecting the Actions That Will Be Permitted

Run As account. This page appears if you selected the Author action on the Actions page for any of the user role types. On it, you can select a Run As account to be used by the members of the user role when executing tasks within VMM. A Run As account is a container for a set of stored credentials for a specific user account. You can create a Run As account before you run the wizard or when you run it.

Quotas for VM networks. This page appears if you're creating a Tenant Administrator user role and you selected the Author VMNetwork action on the Actions page. On it, you can define how many virtual networks each member of the Tenant Administrator user role can create or the total number of virtual networks that can be created by all the members of this user role.

Summary. On this page, you can review the settings you've entered before creating the user role.
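The wizard pages above, scripted with the VMM cmdlets for a Tenant Administrator role, as an added example that is not part of the original article. The server, cloud, group and role names are placeholders; the UserRoleProfile value TenantAdmin, the permission strings passed to -Permission, the Set-SCUserRoleQuota parameters (including -QuotaPerUser), the quota-object property names used in the oversubscription check, and the cloud capacity figure are assumptions taken from the VMM 2012 SP1 cmdlet help, so confirm them with Get-Help before relying on them.

```powershell
# Added example (not from the article): create a Tenant Administrator user role
# the way the Create User Role Wizard does, page by page. All names are placeholders.
Import-Module virtualmachinemanager
$vmm   = Get-SCVMMServer -ComputerName "vmm01.contoso.local"
$cloud = Get-SCCloud -VMMServer $vmm -Name "Tenant-A Cloud"

# "Name and description" and "Profile" pages
$role = New-SCUserRole -VMMServer $vmm -Name "TenantA Tenant Admins" `
    -Description "Tenant administrators for the Tenant-A private cloud" `
    -UserRoleProfile TenantAdmin        # assumed enum value for the Tenant Administrator profile

# "Scope" page: a Tenant Administrator role can only be scoped to private cloud objects
Set-SCUserRole -UserRole $role -AddScope $cloud

# "Actions" page: grant only the actions this tenant needs (assumed permission names)
Set-SCUserRole -UserRole $role -Permission @("Deploy", "Checkpoint", "Start", "Stop", "Shutdown")

# "Quotas for the cloud" page: one total quota for the role plus a per-member quota
Set-SCUserRoleQuota -UserRole $role -Cloud $cloud -VMCount 20 -MemoryMB 65536
Set-SCUserRoleQuota -UserRole $role -Cloud $cloud -VMCount 5  -MemoryMB 16384 -QuotaPerUser

# "Members" page
Set-SCUserRole -UserRole $role -AddMember "CONTOSO\TenantA-Admins"

# "Summary" page: read back what was created
Get-SCUserRole -VMMServer $vmm -Name "TenantA Tenant Admins" |
    Select-Object Name, Profile, Members,
        @{ n = "Scope"; e = { ($_.Scope | ForEach-Object { $_.Name }) -join ", " } }

# Oversubscription check, since VMM does not warn you: add up the role-level VM quotas
# of every role scoped to this cloud and compare with an assumed capacity of 50 VMs.
# The QuotaPerUser and VMCount property names on the quota objects are assumptions.
$cloudVmCapacity = 50
$roleQuotas = Get-SCUserRoleQuota -Cloud $cloud | Where-Object { -not $_.QuotaPerUser }
$committed  = ($roleQuotas | Measure-Object -Property VMCount -Sum).Sum
if ($committed -gt $cloudVmCapacity) {
    Write-Warning ("Role quotas on '{0}' commit {1} VMs against a capacity of {2}." -f
        $cloud.Name, $committed, $cloudVmCapacity)
}
```

Scripting the role this way also leaves a reviewable record of exactly which scope, actions and quotas were granted, which is harder to reconstruct afterwards from wizard clicks.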

An Important Part of Private Cloud Management

Creating and managing user roles is an important part of private cloud management. You should take care when configuring this aspect of VMM security, especially if you're working for a hosting provider that hosts private cloud environments for other companies. Using user roles is also a good way to control resource usage between various cloud administrators.