Creating User Roles in VMM
Updated: May 13, 2016
Applies To: System Center 2012 SP1 - Virtual Machine Manager, System Center 2012 R2 Virtual Machine Manager, System Center 2012 - Virtual Machine Manager
You can create user roles in Virtual Machine Manager (VMM) to define the objects that users can manage and the management operations that users can perform. The following table summarizes the capabilities of each user role in VMM.
| VMM User Role | Capabilities |
|---|---|
| Administrator | Members of the Administrators user role can perform all administrative actions on all objects that VMM manages. Administrators have sole responsibility for these features of VMM: only administrators can add stand-alone XenServer hosts and XenServer clusters (known as pools) to VMM management, and only administrators can add a Windows Server Update Services (WSUS) server to VMM to enable updates of the VMM fabric through VMM. To change the members of the Administrator user role, see How to Add Users to the Administrator User Role in VMM. |
| Fabric Administrator (Delegated Administrator) | Members of the Delegated Administrator user role can perform all administrative tasks within their assigned host groups, clouds, and library servers, except for adding XenServer and adding WSUS servers. Delegated Administrators cannot modify VMM settings, and cannot add or remove members of the Administrators user role. To create a delegated administrator, see How to Create a Delegated Administrator User Role in VMM. |
| Read-Only Administrator | Read-only administrators can view properties, status, and job status of objects within their assigned host groups, clouds, and library servers, but they cannot modify the objects. Also, the read-only administrator can view Run As accounts that administrators or delegated administrators have specified for that read-only administrator user role. To create a read-only administrator, see How to Create a Read-Only Administrator User Role in VMM. |
| Tenant Administrator | As of VMM in System Center 2012 Service Pack 1 (SP1), you can create Tenant Administrator user roles. Members of the Tenant Administrator user role can manage self-service users and VM networks. Tenant administrators can create, deploy, and manage their own virtual machines and services by using the VMM console or a web portal. Tenant administrators can also specify which tasks the self-service users can perform on their virtual machines and services. Tenant administrators can place quotas on computing resources and virtual machines. To create a tenant administrator, see How to Create a Tenant Administrator User Role in VMM. |
| Application Administrator (Self-Service User) | Members of the Self-Service User role can create, deploy, and manage their own virtual machines and services by using the VMM console or a web portal. To create a self-service user, see How to Create a Self-Service User Role in VMM. |
If you grant rights for a particular template to a user who does not have rights to the Run As account that the template is configured with, the user can potentially extract the credentials for the Run As account from the template.
As of System Center 2012 R2, VMM administrators can use the Create User Role Wizard to configure user roles with a set of permitted actions on a per-cloud basis in addition to the global settings. These settings apply only to the tenant administrator and the self-service user roles. With these settings, the user’s effective permitted actions for a given cloud are the combination of their global permitted actions and cloud permitted actions.
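The template warning and the per-cloud rule above can be checked together when reviewing role assignments. The following is an added example, not Microsoft's code and not the VMM API: it runs over a constructed inventory whose layout, role names, action names and account names are all hypothetical, and it reads "combination" as a set union.

```python
# Added example: the dict layout and every name below are constructed for
# illustration; this is not a VMM export format or the VMM API.
PER_CLOUD_PROFILES = {"TenantAdmin", "SelfServiceUser"}  # profile labels assumed

INVENTORY = {
    "templates": {  # template name -> Run As account it is configured with
        "web-2012r2": "svc-domainjoin",
        "sql-2012r2": "svc-sqlinstall",
        "plain-linux": None,
    },
    "roles": [
        {"name": "Tenant-A-Admins", "profile": "TenantAdmin",
         "global_actions": {"Deploy", "Start"},
         "cloud_actions": {"Cloud-A": {"Checkpoint"}},
         "templates": {"web-2012r2", "sql-2012r2"},
         "run_as": {"svc-domainjoin"}},
        {"name": "Dev-SelfService", "profile": "SelfServiceUser",
         "global_actions": {"Start"},
         "cloud_actions": {"Cloud-A": {"Deploy"}},
         "templates": {"web-2012r2", "plain-linux"},
         "run_as": set()},
        {"name": "Fabric-RO", "profile": "ReadOnlyAdmin",
         "global_actions": {"View"},
         "cloud_actions": {"Cloud-A": {"Deploy"}},  # stray entry, must be ignored
         "templates": set(), "run_as": set()},
    ],
}

def effective_actions(role, cloud):
    """Global actions plus that cloud's actions, for eligible profiles only."""
    actions = set(role["global_actions"])
    if role["profile"] in PER_CLOUD_PROFILES:
        actions |= role["cloud_actions"].get(cloud, set())
    return actions

def exposed_run_as(inventory):
    """(role, template, account) where a role holds a template but not its Run As account."""
    findings = []
    for role in inventory["roles"]:
        for template in role["templates"]:
            account = inventory["templates"][template]
            if account is not None and account not in role["run_as"]:
                findings.append((role["name"], template, account))
    return sorted(findings)

if __name__ == "__main__":
    for finding in exposed_run_as(INVENTORY):
        print("role %s: template %s exposes Run As account %s" % finding)
```

Each finding is a template grant to review: either grant the role the Run As account deliberately or remove the template from the role's scope.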