about_VMM_2012_Role_Based_Security

Updated: January 15, 2013

Applies To: System Center 2012 - Virtual Machine Manager, System Center 2012 SP1 - Virtual Machine Manager

about_VMM_2012_Role_Based_Security

TOPIC
    about_VMM_2012_Role_Based_Security

SHORT DESCRIPTION
    Provides an overview of role-based security in Virtual Machine Manager
    (VMM) for System Center 2012 and the VMM command-line interface.

LONG DESCRIPTION
    VMM for System Center 2012 adds private cloud management capabilities to 
    Delegated Administrator user roles, introduces Read-only Administrator 
    user roles, and enhances the capabilities granted to Self-Service User 
    user roles. The following summarizes new and existing capabilities of each
    user role in VMM for System Center 2012.

    - Administrator. Members of the Administrator user role can perform all 
      administrative actions on all objects that VMM for System Center 2012
      manages.

    - Delegated Administrator. Members of Delegated Administrator user roles
      can perform all administrative tasks of a full administrator within their
      assigned host groups, private clouds, and library servers. VMM for System
      Center 2012 grants the following new capabilities to delegated
      administrators:

      - Create Self-Service User roles for their assigned private clouds.

      - Configure update baselines, and scan and remediate updates on host 
        groups and library servers that are within the scope of their user
        role.

      - Provision Hyper-V hosts from bare-metal computers.

      - Configure storage resources within their assigned host groups by 
        discovering and importing storage information from storage arrays and
        pools, classifying storage, and allocating LUNs and storage pools to 
        host groups.

      - Provision network resources by configuring logical networks, IP address
        pools, MAC pools, load balancers, and virtual (VIP) templates.
        Delegated administrators can also provision virtual networks, and 
        virtual and physical network adapters within their assigned host
        groups. For more information about virtual networking, see 
        about_VMM_2012_VirtualNetworking.

    - Read-Only Administrator. Members of the new Read-Only Administrators user 
      role can view status, job status, and properties of objects within their 
      assigned host groups, private clouds, and library servers. However, Read-
      Only Administrators cannot perform actions on these objects. The user 
      role specifies the templates, profiles, and Run As accounts that the 
      Read-only administrator can view. Read-only administrators can see the
      account names associated with assigned Run As accounts, but do not have
      access to the passwords.

    - Self-Service User. Members of Self-Service User roles create, deploy, and
      manage their own virtual machines and services by using the VMM console
      or a Web portal. The user role specifies the private clouds to which
      their virtual machines and services are deployed and the actions that the
      users can take; grants access to logical and physical resources in the
      library and on their own user data paths; sets quotas on virtual machines
      and computing resources; and specifies whether PRO tips can be viewed and
      implemented. VMM for System Center 2012 grants the following new 
      capabilities to self-service users, such as deploying virtual machines to
      clouds and the ability to share the resources they own with other self-
      service users. For more information about the capabilities of self-
      service users, see "Configuring Self-Service in VMM" in the TechNet 
      Library at https://go.microsoft.com/fwlink/?LinkID=212405.

  Creating and Managing User Roles

      You can create a new user role through the VMM command shell by using
      the New-SCUserRole cmdlet. To update user roles, use the Set-SCUserRole
      cmdlet. 

      In VMM for System Center 2012, you can use the Get-SCUserRoleMembership
      cmdlet to get information about the user roles for a specified user.

SEE ALSO
    about_VMM_2012
    about_VMM_2012_Cmdlet_and_Parameter_Name_Mapping
    about_VMM_2012_Cmdlet_Backward_Compatibility
    about_VMM_2012_Run_As_Accounts
    New-SCUserRole
    Set-SCUserRole
    Get-SCUserRoleMembership