Virtual Machine Manager: Granular permissions with Clouds and User roles

Hi All,

During my virtualization missions at customer sites, there are a lot of new questions that I answer, and a few others that I have to read about before answering.

But there is one topic that customers always ask about: they want to give some users permissions on specific virtual machines so they can do some operations like Shutdown, Start, Save, Snapshot…

Out of the box, Hyper-V does not offer such granularity (by default, you are a Hyper-V admin or not). With the emergence of the Cloud concept, Microsoft has added to Virtual Machine Manager a way to achieve great things regarding resource pooling, resource dividing, user permissions, and the list goes on.

Today, I will talk about features that were introduced with VMM 2012: Clouds, User Roles and Self-Service Users.

Briefly, i will define these three terms to be accurate:

Clouds: A cloud is a container of VMM host groups (i.e. Hyper-V servers) + Storage + Networking + Resources (VM templates…). Clouds let you divide your infrastructure into logical pieces with a defined configuration. Example: I want a cloud that uses the production cluster but only 20 virtual CPUs, 30 GB of memory, 500 GB of storage, and only connects to the Database Network.

User Role: A User Role is a role (think of it as a group) where you define permissions such as: which cloud this User Role can use, how many resources this User Role can consume, what actions this User Role can perform, and so on…

Self-Service User: SSUs can create, deploy, and manage their own virtual machines and services by using the VMM console or a web portal (the web portal was retired in VMM 2012 SP1. As an alternative you can use App Controller or Windows Azure Pack. App Controller will be discontinued and will not be released in System Center vNext). A self-service user has to be part of a User Role.

You can find below a step-by-step guide of one of the use cases of VMM clouds.

  • The goal

I need some users to only do some actions on some virtual machines

  • How

Using SCVMM (2012 R2 in the current post), we can achieve that. Here is how:

  1. Create a cloud that covers the host group where our hosts (that contain the VMs) belong
  2. Assign the VMs to this cloud so they appear on that cloud
  3. Create a User Role with the specific permissions we want
  4. Add the user to the user role
  5. Assign the user role to this cloud
  6. Share the VM access with the created User Role
  7. Install the VMM console on the users' PCs or publish it in RDS RDWeb

The following are my scenario details (the bold items are your parameters too):

  • The VM I want to give access to is named A1 and it's hosted on the SRV-HV02 server
  • The host where the VM resides (SRV-HV02) is under the Earth host group
  • The cloud I will create will be named DEVCLOUD
  • The permissions I want the user to have are: Shutdown VM, Start VM, Connect to VM, Stop VM
  • The user role I will create is named DEVCLOUDROLE
  • The user that will use this VM is named Ali

1- Create a cloud that covers the host group where our hosts (that contain the VMs) belong

  • Go to the SCVMM console -> VM and Services -> All Hosts and verify that SRV-HV02 is under the Earth host group (in your case, locate the host group your server belongs to)

  • Now, go to the clouds view and right click Clouds, Create Cloud

  • Type a name for your cloud, in my example DEVCLOUD

  • Choose the host group the Hyper-V server or cluster is located in

  • Click Next until you reach the Capacity step. Because this cloud is only used for managing access, choose the minimum value in all the dimensions

  • Click Next then Finish. The cloud will be created with empty resources

2- Assign the VMs to this cloud so they appear on that cloud

  • Now, go to your VM, right click it and choose Properties

  • In the cloud drop down list, choose the cloud you created (DEVCLOUD)

  • Verify that the VM you configured is showing now on the DEVCLOUD view

3- Create a user role with the specific permissions we want

4- Add the user to the user role

5- Assign the user role to this cloud

  • Now go to Settings, Security, User roles. Click Create User Role. The Create User Role wizard will start. Type a name for your Role (DEVCLOUDROLE)

  • For the user profile, choose Application Administrator (Self-service User) then click Next

  • Now, add the members that you want to be part of this role (LAB\Ali)

  • In the scope step, choose the cloud you want this role to be mapped to (DEVCLOUD)

  • On the Quota page, you can leave the default values in this case, because the user role will not be allowed to place anything in this cloud, or you can set all the values to 0

  • This is an important step: select the actions the users in this user role are allowed to perform. In our case, I selected Remote Connection, Shutdown, Stop and Start

6- Share the VM access with the created User Role

Go to VM and Services, select your VM and choose Properties. In the Access tab, add the User Role (in our case DEVCLOUDROLE) under "Shared with these Self-Service users and roles"

It's done. Now you have to provide the VMM console to your users:

  • You can install the VMM console (using the VMM installation media) for each user who will use VMM
  • If you have RDS (Remote Desktop Services) in your infrastructure, install the VMM console on an RDSH server and publish the VMM console

When users open the console with their own credentials, they will only be able to perform the exact actions configured in the role settings.
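
Steps 1 to 6 can also be scripted with the VMM PowerShell module. The script below is an added example, not part of the original post; the VMM server name `vmm01.lab.local` is a placeholder, and using `Set-SCUserRole -Permission` and `Grant-SCResource` as the equivalents of the wizard's Actions page and the VM's Access tab is an assumption. It refuses to continue unless exactly one VM matches the name, so the role is never shared with more machines than intended.

```powershell
# Added example (not from the original post): steps 1-6 as a script.
# Assumption: runs on a machine with the VMM console installed.
# 'vmm01.lab.local' is a placeholder VMM server name.
Import-Module virtualmachinemanager
Get-SCVMMServer -ComputerName 'vmm01.lab.local' | Out-Null

$hostGroupName = 'Earth'
$cloudName     = 'DEVCLOUD'
$roleName      = 'DEVCLOUDROLE'
$vmName        = 'A1'
$member        = 'LAB\Ali'
# Only the actions granted in the post: connect, shut down, start, stop.
$allowed       = @('RemoteConnect', 'Shutdown', 'Start', 'Stop')

# Step 1: create the cloud over the host group that holds the Hyper-V host.
$hostGroup = Get-SCVMHostGroup -Name $hostGroupName
if (-not $hostGroup) { throw "Host group '$hostGroupName' not found" }
$cloud = Get-SCCloud -Name $cloudName
if (-not $cloud) {
    $cloud = New-SCCloud -Name $cloudName -VMHostGroup $hostGroup
}

# Step 2: assign the VM to the cloud. Stop if the name is ambiguous,
# so access is granted on exactly one machine.
$vm = @(Get-SCVirtualMachine -Name $vmName)
if ($vm.Count -ne 1) { throw "Expected 1 VM named '$vmName', found $($vm.Count)" }
Set-SCVirtualMachine -VM $vm[0] -Cloud $cloud | Out-Null

# Steps 3-5: self-service role, its member, its cloud scope, its actions.
$role = Get-SCUserRole -Name $roleName
if (-not $role) {
    $role = New-SCUserRole -Name $roleName -UserRoleProfile 'SelfServiceUser'
}
Set-SCUserRole -UserRole $role -AddMember $member -AddScope $cloud `
    -Permission $allowed | Out-Null

# Step 6: share the VM with the role (assumed equivalent of the Access tab).
Grant-SCResource -Resource $vm[0] -UserRoleName $roleName | Out-Null

# Review what the role ended up with before handing out the console.
Get-SCUserRole -Name $roleName | Format-List *
```

Compare the final listing with the intended member, scope and actions; any extra member or action there is access the user was not meant to have.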

5 thoughts on “Virtual Machine Manager: Granular permissions with Clouds and User roles”

  1. Thank you so much for this. I have been scratching my head for months how to get this done. This has saved me having to argue for a vSphere license.

  2. It works, but not as I expect.
    I need my users to access the virtual machine console directly. If I use this guide, they need to access SCVMM and after that connect to the virtual machine. Is there any option to only connect to the virtual machine from a shortcut, or to limit the SCVMM console?
    I am using Hyper-V 2016 and SCVMM 2016

    Thanks in advance
