Required Rights and Permissions for VMM Administrative Tasks

Applies To: Virtual Machine Manager 2008, Virtual Machine Manager 2008 R2, Virtual Machine Manager 2008 R2 SP1

The following table is a reference to the rights and permissions, both within and outside System Center Virtual Machine Manager (VMM), that are required to perform common administrative tasks. Within VMM, role-based security determines the VMM operations that a person can perform and the objects on which the operations can be performed. For more information, see Role-Based Security in VMM.

VMM Administrative Task | Required Rights and Permissions

Install the VMM server

Domain account that is a member of the local Administrators group.

Configure a remote instance of SQL Server for the VMM database

Domain account that is a member of the sysadmin server role on the remote instance of SQL Server.

Install a VMM Administrator Console

Member of the local Administrators group on the client computer.

Use the VMM Administrator Console

Member of the Administrator role or a Delegated Administrator role in VMM. Delegated administrators see only objects within the host groups (and child host groups) and library servers assigned to their role. Members of Self-Service User roles do not have access to the VMM Administrator Console.

Use a Windows PowerShell – Virtual Machine Manager command shell

Member of any user role in VMM. Delegated administrators perform operations on objects within the scope of their role (host groups and their children, and library servers). Members of a self-service user role can perform allowed operations on their own virtual machines by using templates assigned to the role and ISO images that are stored on the library path assigned to the role.

Install the VMM Self-Service Portal

Administrator account on the local computer and a domain account that is a member of the VMM Administrator role.

Log on to the VMM Self-Service Portal

Member of a Self-Service User role in VMM. VMM administrators do not have access to the Self-Service Portal.

The VMM Self-Service Portal gives self-service users a restricted view of the virtual machines that they own and the operations that their user role allows them to perform. If the role allows virtual machine creation, they see only the templates assigned to their role and ISO images stored on the library share assigned to the role.

Install a VMM agent locally on a virtual machine host

Administrator account on the virtual machine host computer.

Add a Hyper-V or Virtual Server host

Domain account that is a member of the Administrator role or a Delegated Administrator role in VMM and that also is a member of the local Administrators group on the host. Delegated administrators can add hosts to the host groups assigned to their role or child host groups of those host groups. For more information about Delegated Administrator roles, see Role-Based Security in VMM.

Add a VMware VirtualCenter server

Domain account that is a member of the Administrator user role in VMM and a member of the local Administrators group on the library server.

Configure security for a managed VMware ESX Server host

Member of the Administrator role or a Delegated Administrator role in VMM. The domain or local account must have virtual machine delegate credentials on the host.

Secure mode also requires the following:

  • ESX Server 3i: Encryption using Secure Sockets Layer (SSL) requires certificate authentication.

  • ESX Server 3.5 or ESX Server 3.0.1: Encryption using Secure Shell (SSH) requires RSA public key authentication.

Add a VMM library server

Domain account that is an Administrator on the library server and is a member of the Administrator role or a Delegated Administrator role in VMM.

Add files to a VMM library share

Write permission on the library share folder (set outside VMM). To add resources to the VMM library, add the files to the library share and then refresh the share in VMM or wait for the next scheduled refresh (by default, once per hour).

Manually refresh a VMM library share or library server

VMM Administrator role or a Delegated Administrator role to which the library server is assigned.

Import VMware templates into the VMM library

Member of the Administrator role or a Delegated Administrator role in VMM. Security must have been configured for the VMware ESX Server host. For delegated administrators, the ESX Server host and destination library server must be within the scope of their role.

Convert a physical server to a virtual machine (P2V)

Administrator account on the source computer that is a member of the Administrator role or a Delegated Administrator role in VMM.

View and order reports in Reporting view

Domain account that is a member of the Administrator role or a Delegated Administrator role in VMM and is a member of the Report Operator role in System Center Operations Manager 2007.

See Also

Concepts

Role-Based Security in VMM
Security Basics for VMM