Managing User Roles

Article
04/29/2011

Applies To: Virtual Machine Manager 2008, Virtual Machine Manager 2008 R2, Virtual Machine Manager 2008 R2 SP1

With System Center Virtual Machine Manager (VMM) 2008 and VMM 2008 R2, you manage the administrative permissions your users have by creating user roles. The profile of the user role determines what actions a user can perform. The scope of the user role determines which objects the users are able to manage. There are three user roles:

User Role	Permissions
Administrator	Able to perform all actions in the VMM Administrator Console. Members of this user role can create new Delegated Administrator and Self-Service user roles. Only members of the Administrator user role can add additional members. Note The Administrator user role is created when you install VMM. By default, the user who performs the VMM installation is added to the Administrator user role and all accounts in the local Administrators security group are also automatically added.
Delegated Administrator	Able to perform most actions in the VMM Administrator Console, but only within the scope defined in the role. Members of this user role can create new Delegated Administrator and Self-Service user roles but cannot modify VMM settings.
Self-Service User	Able to use the VMM Self-Service Portal to perform tasks on their virtual machines as defined in the user role. Members of this user role cannot create new user roles.

Administrator

Able to perform all actions in the VMM Administrator Console. Members of this user role can create new Delegated Administrator and Self-Service user roles. Only members of the Administrator user role can add additional members.

Note

The Administrator user role is created when you install VMM. By default, the user who performs the VMM installation is added to the Administrator user role and all accounts in the local Administrators security group are also automatically added.

Delegated Administrator

Able to perform most actions in the VMM Administrator Console, but only within the scope defined in the role. Members of this user role can create new Delegated Administrator and Self-Service user roles but cannot modify VMM settings.

Self-Service User

Able to use the VMM Self-Service Portal to perform tasks on their virtual machines as defined in the user role. Members of this user role cannot create new user roles.

Important

In VMM 2008 R2, VMM preserves changes made to role definitions or role memberships in the root scope of the Hyper-V authorization store. All changes to any other scope are overwritten every half hour by the VMM user role refresher. This differs from user role processing in VMM 2008. In VMM 2008, VMM determines access to virtual machines, hosts, and resources based solely on the rights and permissions associated with VMM user roles. VMM 2008 does not make any changes to Hyper-V role definitions and role memberships; it simply ignores the Hyper-V authorization store while the hosts and virtual machines are under its management.

For more information about user roles and scopes, see Role-Based Security in VMM (https://go.microsoft.com/fwlink/?LinkId=119337).

Managing User Roles

See Also

Concepts

Other Resources

Additional resources