Not long ago, the people within an organization could be classified as either administrators or users, although there were sometimes varying degrees of each. Today, things aren't so simple. The proliferation of clouds, both public and private, has forced organizations to rethink the administrative model. After all, infrastructure as a service clouds commonly provide authorized users with the ability to create and manage their own virtual machines (VMs). So, how can administrators provide an authorized user with limited administrative capabilities without handing them the keys to the kingdom?
Every virtualization vendor has its own solution, but that approach is commonly based on specialized permissions. Microsoft, for example, provides administrators with the ability to define private cloud user roles.
User roles are a mechanism within System Center Virtual Machine Manager (SCVMM) that allows administrators to grant very specific management capabilities to a collection of users. In some ways, a user role is similar to an Active Directory security group because user roles are used as a way to convey permissions to a group of users. However, Active Directory security groups are often used to grant access to files and folders (among many other things), whereas SCVMM user roles exist solely to provide virtualization-level administrative permissions.
You can define private cloud user roles through SCVMM's Create User Role Wizard. Like creating an Active Directory security group, the first step in creating a user role is providing a name for it.
The next thing you will have to do is select a role profile. A role profile is used to control the types of administrative actions that the role members will be able to perform. SCVMM allows you to choose from four different role profiles, as shown in Figure A.
The first available role profile is Fabric Administrator. A Fabric Administrator is the highest-level administrative role that can be assigned to a user. A Fabric Administrator is very similar to a Virtual Machine Manager Administrator, but there are a few key differences. A Virtual Machine Manager Administrator is a member of the IT staff who is responsible for managing and maintaining the virtualization infrastructure. A Fabric Administrator is limited to performing administrative tasks within a predefined scope. Furthermore, a Fabric Administrator cannot modify Virtual Machine Manager settings or add or remove users from the administrator role group.
The second role profile that is available is the Read Only Administrator. A user that has been assigned the Read Only Administrator profile can view things, such as objects and properties, but is not allowed to make any modifications. Read Only capabilities are most suitable for auditors and for trainees who are learning how SCVMM works.
The third available role profile is a Tenant Administrator. The Tenant Administrator role can be thought of as a private cloud administrator. This profile allows role members to manage resources, such as VMs, self-service users and VM networks within a designated scope.
The last available role profile is an Application Administrator. Application Administrators are sometimes referred to as self-service users. Self-service users are able to create, deploy and manage VMs within the designated scope.
It is important to understand that there is more to creating a user role than simply specifying a role profile and assigning members to the role. Creating a user role also requires you to specify a scope for the role. The scope controls the objects to which the role profile applies. For instance, the scope setting can be used to specify which private clouds the role members have permission to administer.
It is also worth noting that you can set quotas for the scope. These quotas can be configured on a per-member basis and on a per-user-role basis, and they control resource consumption. For example, you could limit each member of a user role to creating five VMs, or you could limit all role members to collectively creating no more than 25 VMs. Quotas can be granular and can be used to limit the consumption of memory, storage, virtual CPUs, etc.
The Create User Role Wizard also allows you to specify which resources role members are allowed to use. You can limit access to certain VM networks or VM templates. You also have the ability to control the types of actions that role members can perform against VMs. For instance, if role members have the ability to create virtual Exchange Servers, then you might want to remove the ability to create and restore checkpoints (snapshots), since VM snapshots can adversely affect Exchange Server.
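The same sequence of wizard steps (name, role profile, scope, members, quotas, VM actions) carried out with the VMM PowerShell module, as an added example that is not from the original article. The VMM server, cloud name and AD group are placeholders, and the cmdlet and parameter names (New-SCUserRole, Set-SCUserRole, Set-SCUserRoleQuota and their switches) are written from memory of the VMM 2012 R2 module, so confirm them with Get-Help on your own VMM server.

```powershell
# Added example (not the article's own): build a scoped Tenant Administrator
# role from PowerShell instead of the wizard, so the result is reviewable.
Import-Module virtualmachinemanager
Get-SCVMMServer -ComputerName "vmm01.contoso.local" | Out-Null   # placeholder VMM server

$cloud = Get-SCCloud -Name "Dev-Test Cloud"                       # placeholder cloud name

# Step 1: name and role profile. The wizard's display names map to these
# profile values: Fabric Administrator = DelegatedAdmin, Read Only = ReadOnlyAdmin,
# Tenant Administrator = TenantAdmin, Application Administrator = SelfServiceUser.
$role = New-SCUserRole -Name "DevTest Tenant Admins" `
                       -Description "Tenant admins for the Dev-Test cloud only" `
                       -UserRoleProfile TenantAdmin

# Step 2: scope. The role applies to this one private cloud, not the whole fabric.
Set-SCUserRole -UserRole $role -AddScope $cloud

# Step 3: members. Use an AD group (placeholder) so membership is managed in AD
# rather than by editing the role each time someone joins or leaves.
Set-SCUserRole -UserRole $role -AddMember "CONTOSO\DevTest-TenantAdmins"

# Step 4: quotas. -QuotaPerUser sets the per-member limit (5 VMs each);
# the second call without the switch sets the collective role-wide limit (25 VMs).
Set-SCUserRoleQuota -UserRole $role -Cloud $cloud -QuotaPerUser `
    -VMCount 5  -CPUCount 10 -MemoryMB 16384 -StorageGB 200
Set-SCUserRoleQuota -UserRole $role -Cloud $cloud `
    -VMCount 25 -CPUCount 50 -MemoryMB 81920 -StorageGB 1000

# Step 5: VM actions as an explicit allow-list. "Checkpoint" is deliberately
# left out, matching the Exchange Server example in the text.
$allowedActions = @("Create", "Deploy", "Start", "Stop", "Shutdown",
                    "PauseAndResume", "Remove", "RemoteConnect")
Set-SCUserRole -UserRole $role -Permission $allowedActions

# Step 6: review what was actually granted (profile, members, scope, quotas,
# VM permissions) before handing the role out.
Get-SCUserRole -Name "DevTest Tenant Admins" | Format-List *
```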
Private or hybrid cloud environments force administrators to rethink the administrative model. Some users will likely need to be able to perform tasks such as creating VMs, but it would be extremely risky to give such users unrestricted access to your entire virtualization infrastructure. The ability to define private cloud user roles allows you to provide users with the appropriate level of administrative access, but without granting excessive permissions.