How To: Get Started With Hyper-V Permissions
Defining the security model for your first foray with Hyper-V.
- By Rick Vanover
For administrators wanting to use Hyper-V in any capacity, a security model needs to be defined for your requirements. The base functionality with the Hyper-V role to manage permissions is done via the Authorization Manager Framework
for Hyper-V. This can be used in conjunction with System Center Virtual Machine Manager (SCVMM) or independently for smaller implementations using the Hyper-V Manager with the Hyper-V role for servers.
Authorization Manger, or Azman, allows administrators to build permissions around roles. Azman includes 32 configurable operations for Hyper-V Manager. There are Administrator and User built-in roles, and custom roles can be added and assigned to various Windows groups or users.
- Run "azman.msc" to open up the base console.
- Open the Authorization Store .XML file for Hyper-V. The location for default installations is C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml.
Within the Hyper-V Authorization Store, roles can be created for specific virtual machine (VM)-related tasks. Administrators can create roles from 32 operations available for permission assignment. These include VM console access, start and stop functions, networking configuration and more. Fig. 1 shows a role being created and the list of configurable operations being selected.
|Figure 1. Role definitions are created in the Hyper-V authorization store. (Click image to view larger
Once a role definition is created, permissions are assigned to that role. Again in the Hyper-V Authorization Store, we can now assign a user or group to the newly created role (see Fig. 2).
|Figure 2. After role definitions are created, users or groups are associated with that role. (Click image to view larger
At that point, the configured actions are assigned to the users as configured in the Hyper-V Authorization store. Be sure to give some planning to how this is configured; basic guidelines include making sure everything is applied through group permissions, and never over-granting privileges.
This is straightforward stuff for Microsoft folks, but it may not be as intuitive for administrators familiar with assigning roles in VMware.
Send me an e-mail, or post any tricks you’ve done with permissions for Hyper-V below, including some crafty Group Policy Objects.
Rick Vanover (vExpert, VCP, MCITP) is a Software Strategy Specialist for Veeam Software based in Columbus, Ohio. Rick's areas of expertise include virtualization, servers, storage and Windows systems. Read Rick's blogger disclosure here.