A. By default, Authorization Manager's configuration has one scope that covers all VMs. You can define additional scopes and then create role definitions and assignments within those scopes. Each scope then needs to be assigned to specific VMs.

To create a new scope, simply select New Scope... from the Actions under Hyper-V services. Give the scope a name, such as Client_Virtuals, and a description and click OK.

Once the scope is created, you can create roles and assign them just as you would at the Hyper-V services level. Note that you can add the role definitions defined at the Hyper-V services level to roles within a scope, which saves duplicating the selection of operations that make up a role. You can also directly assign roles defined at the Hyper-V services level to people within the scope, but these people will only have permission on VMs that are part of this scope. In the example below I used the Administrator Role Definition that is part of Hyper-V services and granted it to user Clark within the Client_Virtuals scope.

Finally, link this scope to a VM. There's no way of doing this in the GUI; you must use the Hyper-V WMI interface. Use the script below:

    ' hvscopeset.vbs John Savill
    If Wscript.Arguments.Count < 1 Then
      Wscript.Echo "Arguments <VM> [<scope>] required. For example:" & vbCrLf _
       & "cscript hvscopeset.vbs savdalvs01 Client_Scope"
      Wscript.Quit(0)
    End If

    strVMName = Trim(Wscript.Arguments(0))
    strComputer = "."

    ' Connect to the Hyper-V WMI namespace on the local machine
    Set objWMIService = GetObject("winmgmts:" _
     & "{impersonationLevel=impersonate}!\\" _
     & strComputer & "\root\Virtualization")

    Set objMsvm_VirtualSystemManagementService = objWMIService.ExecQuery( _
     "SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)

    ' Find the VM by its display name and get its global settings object
    Set objVM = (objWMIService.ExecQuery( _
     "SELECT * FROM Msvm_ComputerSystem WHERE ElementName='" & strVMName & "'")).ItemIndex(0)
    Set objMSVM_VirtualSystemGlobalSettingData = (objVM.Associators_("MSVM_ElementSettingData", _
     "MSVM_VirtualSystemGlobalSettingData")).ItemIndex(0)

    ' If a scope was passed, write it to the VM ("" clears the scope)
    If Wscript.Arguments.Count > 1 Then
      strScope = Trim(Wscript.Arguments(1))
      objMSVM_VirtualSystemGlobalSettingData.ScopeOfResidence = strScope
      intResult = objMsvm_VirtualSystemManagementService.ModifyVirtualSystem(objVM.Path_.Path, _
       objMSVM_VirtualSystemGlobalSettingData.GetText_(1))
      If intResult <> 0 Then
        WScript.Echo "Error - " & intResult
      End If
    End If

    'List out scopes
    Set objMSVM_VirtualSystemGlobalSettingData = (objVM.Associators_("MSVM_ElementSettingData", _
     "MSVM_VirtualSystemGlobalSettingData")).ItemIndex(0)
    Wscript.Echo strVMName & " in scope " & objMSVM_VirtualSystemGlobalSettingData.ScopeOfResidence

To use the script, just pass the name of the VM and the scope to add to. If you don't pass the name of a scope, it will just list out the scope the VM is currently in. If you pass two double quotes ("") as the scope, it will remove the VM from the scope.

    D:\Temp>cscript hvscopeset.vbs savtstdc01 Client_Virtuals
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.
    savtstdc01 in scope Client_Virtuals

    D:\Temp>cscript hvscopeset.vbs savtstdc01
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.
    savtstdc01 in scope Client_Virtuals
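
To review scope assignments for a whole host rather than one VM at a time, the PowerShell function below reads ScopeOfResidence for every VM and flags VMs that have no scope or a scope name that is not in a list you supply. It is an added example, not part of the original article or its script; the function name, the `$KnownScopes` parameter, and the English `Caption` filter are assumptions.

```powershell
# Added example: report the Authorization Manager scope of every VM on a host.
# Assumes the same root\virtualization WMI namespace the article's script uses.
function Get-VMScopeReport {
    param(
        [string]   $ComputerName = '.',
        # Hypothetical parameter: the scope names you actually created in
        # Authorization Manager (Client_Virtuals is the article's sample scope).
        [string[]] $KnownScopes  = @('Client_Virtuals')
    )
    $ns = 'root\virtualization'

    # The host is also an Msvm_ComputerSystem instance, so keep only VMs.
    # Assumption: English systems, where VMs have Caption 'Virtual Machine'.
    $vms = Get-WmiObject -ComputerName $ComputerName -Namespace $ns `
               -Class Msvm_ComputerSystem -Filter "Caption='Virtual Machine'"

    foreach ($vm in $vms) {
        # Same association the VBScript walks: VM -> global setting data.
        $settings = $vm.GetRelated('Msvm_VirtualSystemGlobalSettingData') |
                        Select-Object -First 1
        $scope = [string]$settings.ScopeOfResidence

        if ([string]::IsNullOrEmpty($scope)) {
            # Not linked to any scope: only Hyper-V services level roles apply.
            $status = 'NoScope'
        } elseif ($KnownScopes -ccontains $scope) {
            $status = 'OK'
        } else {
            # Case-sensitive compare, so typos and case slips are surfaced.
            $status = 'UnknownScope'
        }

        New-Object PSObject -Property @{
            VM     = $vm.ElementName
            Scope  = $scope
            Status = $status
        }
    }
}

Get-VMScopeReport | Sort-Object Status, VM |
    Format-Table VM, Scope, Status -AutoSize
```

Rows marked UnknownScope are worth checking against the scope names defined in Authorization Manager, since the script in this article accepts any string as the scope.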

Be aware that if you set permissions on a VM scope, the user still needs the Allow Input to Virtual Machine, Allow Output from Virtual Machine, and Read Service Configuration operations at the Hyper-V services scope level for the Hyper-V MMC snap-in to show information correctly.

In the screenshot shown here, you can see the various scopes I created and assigned so the user named Clark can only manage one of the VMs. As you can see, I have a ViewStatus role, which has only read service and I/O to VMs, and a ControlVM role, which can stop, start, pause, and resume VMs. I assign the ViewStatus role at the Hyper-V Services scope level and then the ControlVM role at the Client_Virtuals scope level, which means Clark can only control the VMs in the Client_Virtuals scope.

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.