Private Cloud in System Center Virtual Machine Manager 2012 - Part 2 – Delegate Control - TechNet Articles - United States (English)

Introduction
Configuration

Introduction

After the Private Clouds creation, it should be interesting to create User Roles to delegate control to virtual machines, templates, and other features in System Center Virtual Machine Manager 2012 (VMM), and also to select the permissions for these features such as create, shutdown, change, etc.

With this model you will able to provide, for example, development team access to create a virtual machine on a specific host group with few limitations or also delegate the Help Desk to make some simple settings that do not impact the production environment. This delegation in VMM is called User Role. Below is the procedure to create and configure an User Roles.

Configuration

To assign a User Role to a Private Cloud, open the management console, click VM and Services, select the Private Cloud, and then click Assign Cloud, as shown in Figure 1.

Figure 1 – Assign Cloud Option

A Wizard will appear on the first screen. Then add the User Role name and description.

Figure 2 - Name and Description

Under Profile will be chosen Profile Type for the User Roles. There are three profile options, including the new Read-Only Administrator. Below is a description for all of them:

• Delegated Administrator - Members of this group have full control to all administrative tasks for all Host Groups, Clouds and Library Servers chosen during the group creation.

• Read-Only Administrator - This User Role is designated for audit purposes only. Members can view status, job status and properties of objects in Clouds, Library Servers and Host Groups chosen during the group creation.

• Self Service User - All members of this group access can create, deploy and manage their own virtual machines through the Management Console and Web Console VMM (Self-Service Portal). This option provides access permissions and resources such as virtual machines (VM) templates and Library Servers that members can manage.

In this example is created one of the most common profiles: Self Service User. Choose the profile according to your needs and click Next.

Figure 3 - Profile

After that, you need to add User Role members. In the demonstration was used SPCloudAdmins group. Click Add, select the groups and click Next.

Figure 4 - Members

On the next screen you must choose what are the Private Clouds that groups will manage. After selecting them, click Next.

Figure 5 - Scope

On Quotas we have two options to create a quota:

• Role Level Quotas - Limitations for all group members

• Member Level Quotas – Specific limitations to each group member.

The resources available are:

• Virtual CPUs
• Memory
• Storage
• Custom Quota (Points)
• Virtual Machines

One option that stands out is the Custom Quota (Points). With it we can specify some points for the group or its members and then they can use only that limit. For example, when a machine is created using a hardware template you need a point. If the user has a limit of 10 points he can only create 10 machines. After this limit you may not be able to create some features.

In the example in Figure 6 are not intended to limit the groups, only for members.
NOTE: Member Level Quotas should not be less than the Role Level Quotas.

Choose the desired limits, and then click Next.

Figure 6 - Quotas

One of the most interesting and important thing in this process are covered in Resources and Actions.
See the list below some resources examples that can be added, as shown in Figure 7:

• Hardware Profiles
• Guest OS Profiles
• VM Templates
• Virtual Machines
• Application Profiles
• Services Templates
• Application Profiles

On the same screen you can specify a path to the User Roles in a Library Servers, offering a storage folder for the group members.
Click Add, select the features you want and click Next. If necessary, add the folder path to be used by group members in data path.

Figure 7 - Resources

Now in Actions object permissions are displayed. They work as permissions that we can apply for Virtual Machines. Check below the existing actions:

Author
Checkpoint (snapshots)
Checkpoint (Restore Only)
Deploy
Deploy (From Template only)
Local Administrator
Pause and Resume
Receive
Remote Connection
Remove
Save
Share
Shut down
Start
Stop
Store

For more info about see http://social.technet.microsoft.com/wiki/contents/articles/12554.actions-available-to-self-service-user-roles-in-vmm-2012.aspx

Choose actions according to your group, and then click Next.

Figure 8 - Actions

In some cases you may need a different user with specific permissions on a group of hosts or even a cloud. This type of object in the VMM is called Run As Profile. It is nothing more than a service account that can be used by group members. In the example of Figure 9 is the local administrator account used for all hosts, but because the group limitation that we are creating will be used only in virtual machines that are in Sao Paulo Private Cloud.

Figure 9 - Run As Profiles

In Sumary confirm the options chosen, and if you prefer, export the script from powershell to create models or future automation.

Figure 10 - Summary

Clicking on View Script a text file is displayed with the PowerShell commandlets. Check out the script for the demonstration used in this article:

$cloudsToAdd = @()

$cloudsToAdd += Get-SCCloud -Id "2d34f303-7de0-4371-85cd-a2691b751101"

$runAsProfilesToAdd = @()

$runAsProfilesToAdd += Get-SCRunAsProfile -Name "Administrator"

$scopeToAdd = $cloudsToAdd + $runAsProfilesToAdd

Set-SCUserRole -JobGroup "304bb8d1-d9eb-4d4d-8515-f19085027d2d" -AddMember @("CONTOSO\SPCloudAdmins") -AddScope $scopeToAdd -Permission @("Author", "Checkpoint", "CreateFromVHDOrTemplate", "AllowLocalAdmin", "PauseAndResume", "CanReceive", "RemoteConnect", "Remove", "Save", "CanShare", "Shutdown", "Start", "Stop", "Store") -ShowPROTips $false -UserRoleDataPath "\\WIN-PNNSMPE05M8.Contoso.msft\SPLibrary\SPPrivateCloud"

$cloud = Get-SCCloud -Id "2d34f303-7de0-4371-85cd-a2691b751101"

Set-SCUserRoleQuota -Cloud $cloud -JobGroup "304bb8d1-d9eb-4d4d-8515-f19085027d2d" -UseCPUCountMaximum -MemoryMB "800" -StorageGB "8000" -CustomQuotaCount "20" -VMCount "40"

Set-SCUserRoleQuota -Cloud $cloud -JobGroup "304bb8d1-d9eb-4d4d-8515-f19085027d2d" -QuotaPerUser -UseCPUCountMaximum -MemoryMB "100" -StorageGB "1000" -CustomQuotaCount "3" -VMCount "10"

$libResource = Get-SCVirtualMachine -ID "b3de7103-d7df-47cb-a0d7-7fffc0230eb6"