Using Authorization Manager for Hyper-V Security
Updated: February 4, 2009
Applies To: Windows Server 2008
You use Authorization Manager to provide role-based access control for Hyper-V. For instructions on implementing role-based access control, see Configure Hyper-V for Role-based Access Control. For more information about getting started with Authorization Manager, see Appendix B: Authorization Manager Terminology and Checklist: Before you start using Authorization Manager (http://go.microsoft.com/fwlink/?LinkId=134197).
Authorization Manager is comprised of the following:
Authorization Manager snap-in (AzMan.msc). You can use the Microsoft Management Console (MMC) snap-in to select operations, group them into tasks, and then authorize roles to perform specific tasks. You also use it to manage tasks, operations, user roles, and permissions. To use the snap-in, you must first create an authorization store or open an existing store. For more information, see http://go.microsoft.com/fwlink/?LinkId=134086.
Authorization Manager API. The API provides a simplified development model in which to manage flexible groups and business rules and store authorization policies. For more information, see Role-based Access Control (http://go.microsoft.com/fwlink/?LinkId=134079).
Authorization Manager requires a data store for the policy that correlates roles, users, and access rights. This is called an authorization store. In Hyper-V, this data store can be maintained in an Active Directory database or in an XML file on the local server running the Hyper-V role. You can edit the store through the Authorization Manager snap-in or through the Authorization Manager API, which are available to scripting languages such as VBScript.
If an Active Directory database is used for the authorization store, Active Directory Domain Services (AD DS) must be at the Windows Server 2003 functional level.
The XML store does not support delegation of applications, stores, or scopes because access to the XML file is controlled by the discretionary access control list (DACL) on the file, which grants or restricts access to the entire contents of the file. (For more information about Authorization Manager delegation, see http://go.microsoft.com/fwlink/?LinkId=134075). Because of this, if an XML file is used for the authorization store, it is important that it is backed up regularly. The NTFS file system does not support applications issuing a sequence of separate write operations as a single logical write to a file when multiple applications write to the same file. This means an Authorization Manager policy file (XML file) could be edited simultaneously by two administrative applications and could become corrupted. The Hyper-V VSS writer will back up the authorization store with the server running the Hyper-V role.