Set-SCUserRole
Set-SCUserRole
Modifies the settings for an existing VMM user role.
Syntax
Parameter Set: Default
Set-SCUserRole [-AddMember <String[]> ] [-AddScope <ClientObject[]> ] [-Description <String> ] [-JobGroup <Guid> ] [-JobVariable <String> ] [-Name <String> ] [-Permission {Create | PauseAndResume | Start | Stop | AllowLocalAdmin | RemoteConnect | Remove | Shutdown | Checkpoint | Store | Save | Author | CanShare | CanReceive | CreateFromVHDOrTemplate | CheckpointRestoreOnly | AuthorVMNetwork}[] ] [-PROTipID <Guid> ] [-RemoveLibraryStoreSharePath] [-RemoveMember <String[]> ] [-RemoveScope <ClientObject[]> ] [-RemoveVMNetworkMaximum] [-RemoveVMNetworkMaximumPerUser] [-RunAsynchronously] [-ShowPROTips <Boolean> ] [-UserRole <UserRole> ] [-UserRoleDataPath <String> ] [-VMMServer <ServerConnection> ] [-VMNetworkMaximum <UInt16> ] [-VMNetworkMaximumPerUser <UInt16> ] [ <CommonParameters>]
Detailed Description
The Set-SCUserRole cmdlet modifies the settings for an existing Virtual Machine Manager (VMM) user role. The settings that you can modify depend on the type of VMM user role.
VMM ADMINISTRATOR (Administrator)
---------------------------------
You can add members to or remove members from the Administrator user role, but you cannot limit the scope of objects that members of this role can manage.
DELEGATED ADMINISTRATOR (DelegatedAdmin)
----------------------------------------
You can add members to and remove members from, and you can expand or restrict the scope of a Delegated Administrator user role. You can grant members of this user role permission to manage all of the objects in one or more private clouds and host groups and/or allow users to manage all of the objects stored on one or more library servers. Within that framework, you cannot limit the actions that members of the Delegated Administrator user role can perform.
READ-ONLY ADMINISTRATOR (ReadOnlyAdmin)
-----------------------------------
You can add members to and remove members from, and you can expand or restrict the scope of a Read-Only Administrator User role. However, the members of the user role can only view the properties, status, and job status of the objects within their assigned scope; they cannot modify any of the objects.
SELF-SERVICE USER (SelfServiceUser)
-----------------------------------
You can add members to or remove members from, and you can expand or limit the scope and actions of members of a Self-Service User role. You can grant members of a self-service user role permission to manage all of the objects in one or more private clouds; permission to create virtual machines; permission to store virtual machines in the stored virtual machine path in the cloud that the virtual machine is on; and permission to use one or more template objects to create virtual machines. Within that framework, you can grant members of a Self-Service User role one or more actions that self-service users can take. You can also limit the number of virtual machines that self-service users can create by setting a quota that applies to each user or to all users collectively.
The actions that you can grant a Self-Service user include the following:
ActionDescription
-----------------------
AllowLocalAdminGrants user local administrator rights on virtual
machines
AuthorAuthor virtual machine and service templates
CanShareShare resources with other Self-Service users
CanReceiveReceive resources from other Self-Service users
CheckpointCreate and manage virtual machine checkpoints
CheckpointRestoreOnly Can only restore a checkpoint
CreateCreate virtual machines and services from templates
only
CreateFromVHDOrTemplate Create virtual machines and services from VHD
files or templates
PauseAndResumePause and resume virtual machines and services
RemoteConnectRemotely connect to virtual machines
RemoveRemove virtual machines and services
SaveSave virtual machines and services
ShutdownShut down virtual machines
StartStart virtual machines and services
StopStop virtual machines and services
StoreStore virtual machines in a library
Parameters
-AddMember<String[]>
Adds one or more members to an object that has the concept of members, such as a group. For example, AddMember adds one or more Active Directory domain users or groups to a user role.
Example formats:
-AddMember Domain\User
-AddMember User
-AddMember User@Domain
-AddMember Domain\LabGroupAlias
-AddMember LabGroupAlias (an Active Directory security group, not an email alias)
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-AddScope<ClientObject[]>
Adds one or more VMM objects to the scope of objects that members of this user role can manage.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-Description<String>
States a description for the specified object.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-JobGroup<Guid>
Specifies an identifier for a series of commands that will run as a set just before the final command that includes the same job group identifier runs.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-JobVariable<String>
Specifies that job progress is tracked and stored in the variable named by this parameter.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-Name<String>
Specifies the name of a VMM object.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-Permission<SelfServicePermission[]>
Specifies the actions that members of a Self-Service User role can perform on their virtual machines or services.
Valid values are: AllowLocalAdmin, Author, CanShare, CanReceive, Checkpoint, CheckpointRestoreOnly, Create, CreateFromVHDOrTemplate, PauseAndResume, RemoteConnect, Remove, Save, Shutdown, Start, Stop, Store.
Giving CreateFromVHDOrTemplate permission also gives Create permission. Giving Checkpoint permission also gives CheckpointRestoreOnly permission.
Example format: -Permission Create,PauseAndResume,Stop
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-PROTipID<Guid>
Specifies the ID of the PRO tip that triggered this action. This allows for auditing of PRO tips.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-RemoveLibraryStoreSharePath
Clears the user role data path for a self-service user.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-RemoveMember<String[]>
Removes a member from a VMM object that has the concept of membership, such as a group. For example, RemoveMember removes one or more Active Directory domain users or groups from a user role.
Example formats:
-RemoveMember Domain\User
-RemoveMember User
-RemoveMember User@Domain
-RemoveMember Domain\LabGroupAlias
-RemoveMember LabGroupAlias (an Active Directory security group, not an email alias)
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-RemoveScope<ClientObject[]>
Removes one or more VMM objects from the scope of objects that members of this user role can manage.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-RemoveVMNetworkMaximum
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-RemoveVMNetworkMaximumPerUser
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-RunAsynchronously
Indicates that the job runs asynchronously so that control returns to the command shell immediately.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-ShowPROTips<Boolean>
Indicates whether to show PRO tips. This parameter only applies to Self-Service User roles.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-UserRole<UserRole>
Specifies a user role object.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
True (ByValue) |
Accept Wildcard Characters? |
false |
-UserRoleDataPath<String>
Specifies the path to a library share that members of a Self-Service User role can use to upload their data.
Example format: "\\LibraryServerName\LibraryShareName"
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-VMMServer<ServerConnection>
Specifies a VMM server object.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-VMNetworkMaximum<UInt16>
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-VMNetworkMaximumPerUser<UInt16>
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
<CommonParameters>
This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/p/?LinkID=113216).
Inputs
The input type is the type of the objects that you can pipe to the cmdlet.
Outputs
The output type is the type of the objects that the cmdlet emits.
- UserRole
Examples
1: Add the specified users to the VMM Administrator user role.
The first command gets the user role object named Administrator and stores the object in the $UserRole variable.
The second command adds User1 and User2, both members of the Contoso.com domain, to the Administrator user role.
PS C:\> $UserRole = Get-SCUserRole -Name "Administrator"
PS C:\> Set-SCUserRole -UserRole $UserRole -AddMember Contoso\User1,Contoso\User2
2: Add the specified users to the Administrator role in a single command.
This command gets all user role objects from VMMServer01, selects the user role objects whose profile is Administrator, and then adds User3 to the Administrator user role.
PS C:\> Get-SCUserRole -VMMServer "VMMServer01.Contoso.com" | where { $_.Profile -eq "Administrator" } | Set-SCUserRole -AddMember Contoso\User3
3: Modify an existing self-service user role by adding a cloud to its scope.
The first command gets the cloud object named Cloud02 and stores the object in the $Cloud variable.
The second command gets the user role object named ContosoSelfServiceUsers and stores the object in the $UserRole profile.
The last command modifies the scope of the user role stored in $UserRole (ContosoSelfServiceUsers) by adding the cloud stored in $Cloud to its scope.
PS C:\> $Cloud = Get-SCCloud -Name "Cloud02"
PS C:\> $UserRole = Get-SCUserRole -Name "ContosoSelfServiceUsers"
PS C:\> Set-SCUserRole -UserRole $UserRole -AddScope $Cloud
4: Remove the specified user from the Administrator user role.
The first command gets the user role object named Administrator and stores the object in the $UserRole variable.
The secondt command removes User01, who is a member of the Contoso.com domain, from the Administrator user role.
PS C:\> $UserRole = Get-SCUserRole -Name "Administrator"
PS C:\> Set-SCUserRole -UserRole $UserRole -RemoveMember Contoso\User1
5: Add a cloud to the scope of a self-service user role.
The first command gets the cloud object named Cloud03 and stores the object in the $Cloud variable.
The second command gets the user role object named ContosoSelfServiceUsers and then passes the user role object to the Set-SCUserRole cmdlet. The Set-SCUserRole cmdlet adds the cloud stored in $Cloud to the user role.
PS C:\> $Cloud = Get-SCCloud -Name "Cloud03"
PS C:\> Get-SCUserRole -Name "ContosoSelfServiceUsers" | Set-SCUserRole -AddScope $Cloud
6. Modify what actions members of a self-service user role can take on their virtual machines.
The first command gets the user role object on VMMServer01 named ContosoSelfServiceUsers and stores the object in the $UserRole variable.
The second command modifies the permissions for members of the user role stored in $UserRole (ContosoSelfServiceUsers) to allow Creation, PauseAndResume, Stop, AllowLocalAdmin and Store permissions.
To list all available permissions that you can specify for self-service users, type:
PS C:\> [enum]::GetValues([Microsoft.VirtualManager.Remoting.SelfServicePermission])
You can specify the following permissions with the -Permission parameter:
PERMISSION ALLOWED ACTIONS
---------- ---------------
Create Create virtual machines and services from VHDs or
Templates
PauseAndResume Pause and resume virtual machines and services
Start Start virtual machines and services
Stop Stop virtual machines and services
AllowLocalAdmin Act as local Administrator on virtual machines
RemoteConnect Access virtual machines remotely
Remove Remove virtual machines and services
Shutdown Shut down virtual machines
Checkpoint Create and manage virtual machine checkpoints
Store Store virtual machines in the library
Save Save virtual machines and services
Author Author virtual machine and service templates
CanShare Share resources with other self-service users
CanReceive Receive resources from other self-service users
CreateFromVHDorTemplate Create virtual machines and services from VHDs or
Templates
CheckpointRestoreOnly Restore to but cannot create virtual machine
checkpoints
PS C:\> $UserRole = Get-SCUserRole -VMMServer "VMMServer01.Contoso.com" -Name "ContosoSelfServiceUsers"
PS C:\> Set-SCUserRole -UserRole $UserRole -Permission "Create,PauseAndResume,Stop,AllowLocalAdmin,Store"