Configure Hyper-V for Role-based Access Control

Applies To: Windows Server 2008

This topic describes how to configure role-based access control for virtual machines in Hyper-V. You use the Authorization Manager Microsoft Management Console (MMC) snap-in (AzMan.msc) to provide role-based access control for Hyper-V. For more information, see the following topics in this guide:

To implement role-based access control, you must first define scopes and then organize operations into groups to accomplish tasks. You assign tasks to roles, and then assign users or groups to the role. Any user assigned to a role can then perform all of the operations in all of the tasks that are assigned to the role.

There are four general steps to setting up role-based access control for Hyper-V:

  1. Define scopes according to your organizational needs. For example, you can define scopes by geography, organizational structure, function (developer/test or production), or Active Directory Domain Services. For a sample script to create the scopes, see https://go.microsoft.com/fwlink/?LinkId=134074.

  2. Define tasks. In Authorization Manager, you cannot change or create new operations. However, you can create as many tasks as you want and then combine these into role definitions. For example tasks that you can use in your role definitions, see Appendix A: Example Authorization Manager Tasks and Operations.

  3. Create roles. For example, if you want to create an “IT Monitor” role that you can use to view properties of a virtual machine but not interact with the virtual machine, create a new task in Authorization Manager called “Monitor Virtual Machine”, with the following operations:

    • Read Service Configuration

    • View External Ethernet Ports

    • View Internal Ethernet Ports

    • View LAN Endpoints

    • View Switch Ports

    • View Switches

    • View Virtual Switch Management Service

    • View LAN Settings

  4. Assign users or groups to roles.

For example, assume you have two sets of virtual machines where one set belongs to the Human Resources department and the other set belongs to the Finance department. You want the virtual machine administrators for Human Resources to have full control over the virtual machines for that department, but to have no control over the virtual machines in Finance. You want the same arrangement for the virtual machine administrators for Finance—no access to the virtual machines in Human Resources. To accomplish this, you would define one role called “Departmental Virtual Machine Administrator”, define the appropriate tasks, and then assign each administrator to the “Departmental Virtual Machine Administrator” role assignment in the specific scope. You would scope the virtual machine administrators for Human Resources to the virtual machines in Human Resources and the virtual machine administrators for Finance to the virtual machines in Finance. Then, you would assign the virtual machines to their respective scopes.

Configuring role-based access control

Use the following procedures to set up role-based access control for virtual machines in Hyper-V.

Important

To complete these procedures, you must open Authorization Manager using an account that is a member of the Administrators group.

To create a scope

  1. Open Authorization Manager by running azman.msc from a command prompt.

    The default authorization policy is XML-based and stored at \ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml.

Note

Note that \ProgramData\ is a hidden directory, so you cannot browse to it. Type the location in Store Name in the Open Authorization Store dialog box.

  2. In the console tree, right-click Hyper-V services and then click New Scope.

  3. In the New Scope dialog box, in Name, type a name for the scope and then click OK.

  4. (Optional) In Description, type a description for the scope and then click OK.

    The description has a maximum size limit of 1024 bytes. Enter a description that will help you apply the scope to achieve your goal. For example, you can use a description to distinguish the Human Resources scope from the Finance scope.

To create a task

  1. Open Authorization Manager by running azman.msc from a command prompt.

  2. In the console tree, right-click the scope, and then click Definitions.

  3. In the console tree, right-click Task Definitions and then click New Task Definition.

  4. In the New Task Definition dialog box, in Name, type a name for the task.

  5. Click Add to bring up the Add Definition dialog box and click the Operations tab.

  6. In Operations, select each operation in the task, and then click OK.

To create a role

  1. Open Authorization Manager by running azman.msc from a command prompt.

  2. Expand the scope, click Definitions, right-click Role Definition, and then click New Role Definition.

  3. In the New Role Definition dialog box, in Name, type a name for the role.

  4. In Description, type a description for the role and then click OK twice.

    The description has a maximum size limit of 1024 bytes.

  5. (Optional) Click Add to specify the operations, tasks, roles, and authorization rules that you want to include, and then click OK twice.

To assign a role

  1. Open Authorization Manager by running azman.msc from a command prompt.

  2. Expand the scope, right-click Role Assignments, and click New Role Assignment.

  3. In the Add Role dialog box, check the role definitions to add and then click OK.

  4. Right-click the role, click Assign Users and Groups, and then click From Windows and Active Directory or From Authorization Manager.

  5. In the Select Users, Computers, or Groups dialog box, enter object names to select, and then click OK.
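The four procedures above (scope, task, role definition, role assignment), scripted against the Authorization Manager COM API as an added example that is not part of the original topic or Microsoft's sample script. It assumes the AzRoles COM interfaces and method names shown (IAzAuthorizationStore, IAzApplication, IAzScope2 and the objects they create) and uses a placeholder group name; the store path, application name and operation names come from this topic.

```powershell
# Added example (not from the original topic): scripts the four procedures above
# against the Authorization Manager COM API. Run elevated on the Hyper-V host.
# Assumed: the AzRoles COM method names used below (CreateScope, CreateTask,
# CreateRoleDefinition, CreateRoleAssignment, AddMemberName, Submit) and the
# group name, which is a placeholder to replace with your own.
$storeUrl   = 'msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'
$scopeName  = 'Human Resources'
$taskName   = 'Monitor Virtual Machine'
$roleName   = 'IT Monitor'
$memberName = 'CONTOSO\HR-VM-Monitors'   # placeholder group (constructed)

# Operations of the "Monitor Virtual Machine" task described in step 3 above.
$monitorOps = @(
    'Read Service Configuration',
    'View External Ethernet Ports',
    'View Internal Ethernet Ports',
    'View LAN Endpoints',
    'View Switch Ports',
    'View Switches',
    'View Virtual Switch Management Service',
    'View LAN Settings'
)

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $storeUrl, $null)                 # flags 0: open the existing store
$app = $store.OpenApplication('Hyper-V services', $null)

# 1. Scope: one per department, so HR administrators never reach Finance VMs.
$scope = $app.CreateScope($scopeName, $null)
$scope.Submit(0, $null)

# 2. Task: group the read-only operations into a single task.
$task = $scope.CreateTask($taskName, $null)
foreach ($op in $monitorOps) { $task.AddOperation($op, $null) }
$task.Submit(0, $null)

# 3. Role definition: a role that contains only the monitoring task.
$roleDef = $scope.CreateRoleDefinition($roleName)
$roleDef.AddTask($taskName, $null)
$roleDef.Submit(0, $null)

# 4. Role assignment: bind the role definition to a Windows group inside this scope.
$assignment = $scope.CreateRoleAssignment($roleName)
$assignment.AddRoleDefinition($roleName)
$assignment.AddMemberName($memberName, $null)
$assignment.Submit(0, $null)

# Check: list what each assignment in the scope grants, and to whom.
foreach ($ra in $scope.RoleAssignments) {
    $defs = @($ra.RoleDefinitions | ForEach-Object { $_.Name }) -join ', '
    '{0}: definitions=[{1}] members=[{2}]' -f $ra.Name, $defs, (@($ra.MembersName) -join ', ')
}
```

The final loop is the review step: after the Submit calls, confirm that the assignment in the new scope lists only the intended role definition and group before handing the scope over.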
