How To: Get Started With Hyper-V Permissions
Defining the security model for your first foray with Hyper-V.
For administrators wanting to use Hyper-V in any capacity, a security model needs to be defined for your requirements. With the Hyper-V role, the base functionality for managing permissions is provided by the Authorization Manager framework for Hyper-V. This can be used in conjunction with System Center Virtual Machine Manager (SCVMM) or independently for smaller implementations using the Hyper-V Manager with the Hyper-V role for servers.
Authorization Manager, or AzMan, allows administrators to build permissions around roles. AzMan includes 32 configurable operations for Hyper-V Manager. There are Administrator and User built-in roles, and custom roles can be added and assigned to various Windows groups or users.
- Run "azman.msc" to open up the base console.
- Open the Authorization Store .XML file for Hyper-V. The location for default installations is C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml.
Within the Hyper-V Authorization Store, roles can be created for specific virtual machine (VM)-related tasks. Administrators can create roles from 32 operations available for permission assignment. These include VM console access, start and stop functions, networking configuration and more. Fig. 1 shows a role being created and the list of configurable operations being selected.
Figure 1. Role definitions are created in the Hyper-V authorization store.
Once a role definition is created, permissions are assigned to that role. Again in the Hyper-V Authorization Store, we can now assign a user or group to the newly created role (see Fig. 2).
Figure 2. After role definitions are created, users or groups are associated with that role.
At that point, the configured actions are assigned to the users as configured in the Hyper-V Authorization Store. Plan this configuration carefully; basic guidelines include making sure everything is applied through group permissions, and never over-granting privileges.
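To check a store against those guidelines, the following read-only PowerShell sketch lists every role assignment with its members and the operations it grants. It is an added example, not part of the original article; it assumes the default store path given above and uses the Authorization Manager COM automation object (`AzRoles.AzAuthorizationStore`), run from an elevated prompt on the Hyper-V host.

```powershell
# Read-only review of the Hyper-V AzMan store: who holds which role and
# how many operations that role grants. Nothing is written back (no Submit()).
$storePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'  # default path from the article

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$storePath")   # 0 = open an existing store

$report = foreach ($app in $store.Applications) {
    # Role assignments can live at application level or inside a scope.
    $containers = @(@{ Scope = '(application)'; Obj = $app })
    foreach ($s in $app.Scopes) { $containers += @{ Scope = $s.Name; Obj = $s } }

    foreach ($c in $containers) {
        foreach ($role in $c.Obj.Roles) {
            # Operations assigned directly to the role assignment.
            $ops = @($role.Operations | Where-Object { $_ })

            # Operations inherited from linked role definitions (AzMan tasks).
            # Only one level is followed; nested tasks are not expanded here.
            foreach ($taskName in @($role.Tasks | Where-Object { $_ })) {
                try   { $task = $c.Obj.OpenTask($taskName) }   # defined in this scope
                catch { $task = $app.OpenTask($taskName) }     # defined at application level
                $ops += @($task.Operations | Where-Object { $_ })
            }

            $members = @($role.MembersName | Where-Object { $_ })
            [pscustomobject]@{
                Application    = $app.Name
                Scope          = $c.Scope
                RoleAssignment = $role.Name
                Members        = $members -join '; '
                MemberCount    = $members.Count
                OperationCount = @($ops | Sort-Object -Unique).Count
            }
        }
    }
}

# Broadest roles first, so over-granted assignments are reviewed first.
$report | Sort-Object OperationCount -Descending | Format-Table -AutoSize -Wrap
```

Any entry in the Members column that is an individual account rather than a group is a candidate for replacement with a group, and roles near the full set of operations deserve a closer look at who holds them.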
This is straightforward stuff for Microsoft folks, but it may not be as intuitive for administrators familiar with assigning roles in VMware.
Send me an e-mail, or post any tricks you’ve done with permissions for Hyper-V below, including some crafty Group Policy Objects.
About the Author
Rick Vanover (vExpert, VCP, MCITP) is a Software Strategy Specialist for Veeam Software based in Columbus, Ohio. Rick's areas of expertise include virtualization, servers, storage and Windows systems. Read Rick's blogger disclosure here.