Comparison of Self-Service User Roles with Self-Service Policies

  • Article

Applies To: Virtual Machine Manager 2008, Virtual Machine Manager 2008 R2, Virtual Machine Manager 2008 R2 SP1

The following table compares the features of self-service policies in System Center Virtual Machine Manager (VMM) 2007 with the features of the self-service user roles that replace them in VMM 2008. A few features, such as group ownership, are implemented differently in VMM 2008, and additional features have been added.

Note

If you retain the database from VMM 2007 when you install VMM 2008, the Setup Wizard automatically converts your existing self-service policies to self-service user roles with the same host group and library assignments.

Feature Self-Service Policy (VMM 2007) Self-Service User Role (VMM 2008)

Number of accounts

1 user account or 1 group account per policy.

n user and n group accounts per user role.

Number of host groups

1 host group per policy.

n host groups per user role.

Number of library paths

1 library path per policy.

1 library path per user role.

Number of templates

n templates per policy.

n templates per policy.

Template feature changes in VMM 2008:

  • Non-customized templates are available to enable creation of non-Windows-based virtual machines.

  • To make ISO images available to self-service users, you must store the image files in the library path specified in the self-service user role.

    Note

    In a Hyper-V environment, you must perform configuration updates on the library server to make the ISO images available for self-service. For more information, see Hardening VMM Library Servers.

Group ownership

Implemented through the Per User/Per Group setting of the policy.

  • Per group ownership—Group members can view and perform operations on virtual machines created by any group member. If the policy contains a virtual machine quota, an overall quota is applied to all virtual machines owned by members of the group.

  • Per user ownership—Individual users can view and perform operations on their own virtual machines only, and an individual quota is applied to virtual machines owned by each user.

Implemented through the Owner field on the virtual machine:

  • To achieve per user ownership, assign an individual user as the owner of a virtual machine.

  • To achieve per group ownership, a self-service user or administrator can change the owner of a virtual machine to a group rather than an individual. The group must be a member of the user role.

Virtual machine quotas

In a self-service policy, quota application depends on the type of ownership:

  • Group ownership applies an overall quota to all virtual machines deployed by members of the group.

  • Per user ownership applies an individual quota to the virtual machines owned by each user.

In a self-service user role, a quota is applied either per user role or per user:

  • Per user role setting applies an overall quota to all virtual machines deployed by all users who are granted rights through the self-service user role, whether through a user or group account.

  • Per user setting applies an individual quota to virtual machines deployed by each user who is granted rights through the self-service user role, whether through a user or group account.

    Note

    A separate quota is applied to virtual machines whose owner is the group.

Transfer of ownership

Self-service users cannot assign a different owner to their own virtual machines. Only virtual machine administrators can change the owner.

Self-service users can change the owner of their own virtual machines to any user or group that is a member of the user role.

Also, a user who belongs to multiple self-service user roles can assign a virtual machine to any user role to which he belongs as long as the virtual machine is within the scope (host groups and library share) of that user role.

Windows PowerShell – Virtual Machine Manager access

Not officially supported.

Self-service users can view their own virtual machines and view and run the Windows PowerShell – VMM cmdlets that perform the operations that their user role allows within the scope of their roles.

Note

To enable a self-service user to use cmdlets in the Windows PowerShell – Virtual Machine Manager command shell, you must install a VMM Administrator Console on the computer that the person will use. The command shell is installed along with the VMM Administrator Console. The self-service user will not have access to the VMM Administrator Console.

See Also

Concepts

Role-Based Security in VMM

Other Resources

Migrating to VMM 2008