
Q. How do I grant a user or group the ability to manage only specific virtual machines (VMs)?

A. By default, the Authorization Manager (AzMan) configuration for Hyper-V has a single scope that covers all VMs. To delegate only some VMs, you define an additional scope, create role definitions and assignments within that scope, and then assign the scope to the specific VMs it should cover.

To create a new scope, select New Scope... from the Actions pane with Hyper-V services selected. Give the scope a name, such as Client_Virtuals, and a description, and click OK.

Once the scope is created, you can create roles and assign them just as you would under Hyper-V services. Note that you can reuse the role definitions defined at the Hyper-V services level in roles within a scope, which saves duplicating the selection of operations that make up a role. You can also assign roles defined at the Hyper-V services level directly to people within the scope, but those people will only have permission on VMs that are part of this scope. In the example below I used the Administrator role definition that is part of Hyper-V services and granted it to user Clark within the Client_Virtuals scope.


Finally, link this scope to a VM. There's no way to do this in the GUI; you must use the Hyper-V WMI interface. Use the script below:

' hvscopeset.vbs John Savill
' Usage: cscript hvscopeset.vbs <VM name> [scope]
' With one argument the script only reports the VM's current scope.
If Wscript.Arguments.Count < 1 Then
  Wscript.Echo "Arguments required: VM name and optional scope. For example:" & vbCrLf _
  & "cscript hvscopeset.vbs savdalvs01 Client_Scope"
  Wscript.Quit(1)
End If
strVMName = Trim(Wscript.Arguments(0))

strComputer = "."

' Connect to the Hyper-V (v1) WMI namespace on the local host
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\Virtualization")

' The management service exposes ModifyVirtualSystem
Set objMsvm_VirtualSystemManagementService = objWMIService.ExecQuery( _
 "SELECT * FROM Msvm_VirtualSystemManagementService").ItemIndex(0)

' Locate the VM by its display name
Set objVM = (objWMIService.ExecQuery( _
 "SELECT * FROM Msvm_ComputerSystem WHERE ElementName='" & strVMName & "'")).ItemIndex(0)

' The global settings object carries the ScopeOfResidence property
Set objMSVM_VirtualSystemGlobalSettingData = (objVM.Associators_("MSVM_ElementSettingData", _
 "MSVM_VirtualSystemGlobalSettingData")).ItemIndex(0)

If Wscript.Arguments.Count > 1 Then
  strScope = Trim(Wscript.Arguments(1))

  objMSVM_VirtualSystemGlobalSettingData.ScopeOfResidence=strScope

  ' Write the change back; GetText_(1) serializes the settings as CIM DTD 2.0 XML
  intResult = objMsvm_VirtualSystemManagementService.ModifyVirtualSystem(objVM.Path_.Path, _
   objMSVM_VirtualSystemGlobalSettingData.GetText_(1))
  If intResult <> 0 Then
   WScript.Echo "Error - " & intResult
  End If
End If

'List out scopes

' Re-read the settings so the value printed is what is now stored
Set objMSVM_VirtualSystemGlobalSettingData = (objVM.Associators_("MSVM_ElementSettingData", _
 "MSVM_VirtualSystemGlobalSettingData")).ItemIndex(0)

Wscript.Echo strVMName & " in scope " & objMSVM_VirtualSystemGlobalSettingData.ScopeOfResidence

To use the script, pass the name of the VM and the scope to add it to. If you don't pass the name of a scope, it will just list the scope the VM is currently in. If you pass two double quotes ("") as the scope, it will remove the VM from its scope.

D:\Temp>cscript hvscopeset.vbs savtstdc01 Client_Virtuals
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

savtstdc01 in scope Client_Virtuals

D:\Temp>cscript hvscopeset.vbs savtstdc01
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

savtstdc01 in scope Client_Virtuals
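The same operation recast as PowerShell, with two additions an administrator wants before moving a VM between scopes: a check that the target scope actually exists in the AzMan store (so you don't point a VM at a scope that has no role assignments yet), and an audit function that lists every VM on the host with its current scope, which makes it easy to spot VMs that are still only covered by the root Hyper-V services scope. This is an added example, not John Savill's script; it assumes the same root\virtualization namespace and the "Hyper-V services" AzMan application shown in the FAQ, and that the AzMan store is at its default InitialStore.xml path (the $AzmanStoreUrl value is an assumption; change it if your store was relocated).

```powershell
# Added example (not the FAQ's script): PowerShell equivalent of hvscopeset.vbs plus
# a scope-existence check and an audit listing.
# Assumptions: Hyper-V v1 WMI namespace root\virtualization (as in the FAQ),
# AzMan application "Hyper-V services", and the default store path below.

$HvNamespace   = 'root\virtualization'
$AzmanAppName  = 'Hyper-V services'
$AzmanStoreUrl = 'msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'  # assumed default

function Test-HvAzmanScope {
    param([Parameter(Mandatory=$true)][string]$ScopeName,
          [string]$StoreUrl = $AzmanStoreUrl)
    # Open the AzMan store and enumerate the application's scopes; $true if one matches.
    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    $store.Initialize(0, $StoreUrl, $null)
    $app = $store.OpenApplication($AzmanAppName, $null)
    foreach ($s in $app.Scopes) {
        if ($s.Name -eq $ScopeName) { return $true }
    }
    return $false
}

function Get-HvVmScope {
    param([string]$ComputerName = '.')
    # Audit view: every VM with the scope it resides in. An empty Scope means the VM is
    # governed only by the root "Hyper-V services" scope, i.e. no per-VM delegation applies.
    Get-WmiObject -ComputerName $ComputerName -Namespace $HvNamespace -Class Msvm_ComputerSystem |
        Where-Object { $_.Caption -eq 'Virtual Machine' } |
        ForEach-Object {
            $gsd = @($_.GetRelated('Msvm_VirtualSystemGlobalSettingData'))[0]
            New-Object PSObject -Property @{ VMName = $_.ElementName; Scope = $gsd.ScopeOfResidence }
        }
}

function Set-HvVmScope {
    param([Parameter(Mandatory=$true)][string]$VMName,
          [AllowEmptyString()][string]$ScopeName = '',   # '' removes the VM from any scope
          [string]$ComputerName = '.')

    # Refuse to reference a scope AzMan does not know about; create it in the MMC first
    # so role assignments can be made against it.
    if ($ScopeName -ne '' -and -not (Test-HvAzmanScope -ScopeName $ScopeName)) {
        throw "Scope '$ScopeName' does not exist in the AzMan store."
    }

    # Escape the name before embedding it in WQL: backslash is the WQL escape character.
    $safeName = $VMName.Replace('\', '\\').Replace("'", "\'")
    $vm = Get-WmiObject -ComputerName $ComputerName -Namespace $HvNamespace `
            -Class Msvm_ComputerSystem -Filter "ElementName='$safeName'"
    if (-not $vm) { throw "VM '$VMName' not found on $ComputerName" }

    $gsd = @($vm.GetRelated('Msvm_VirtualSystemGlobalSettingData'))[0]
    $gsd.ScopeOfResidence = $ScopeName

    $svc = Get-WmiObject -ComputerName $ComputerName -Namespace $HvNamespace `
             -Class Msvm_VirtualSystemManagementService
    # ModifyVirtualSystem takes the VM path plus the settings serialized as CIM DTD 2.0 XML
    # (the GetText_(1) call in the VBScript). 0 = done, 4096 = job started asynchronously.
    $r = $svc.ModifyVirtualSystem($vm.Path.Path, $gsd.GetText([System.Management.TextFormat]::CimDtd20))
    if ($r.ReturnValue -ne 0 -and $r.ReturnValue -ne 4096) {
        throw "ModifyVirtualSystem failed with return code $($r.ReturnValue)"
    }

    # Re-read rather than trust the in-memory copy, so the caller sees what is actually stored.
    $after = @($vm.GetRelated('Msvm_VirtualSystemGlobalSettingData'))[0]
    "$VMName in scope $($after.ScopeOfResidence)"
}

# Usage (mirrors the FAQ's cscript examples):
#   Set-HvVmScope -VMName savtstdc01 -ScopeName Client_Virtuals
#   Set-HvVmScope -VMName savtstdc01 -ScopeName ''      # remove from scope
#   Get-HvVmScope | Format-Table VMName, Scope           # audit the whole host
```

Run it from an elevated PowerShell on the Hyper-V host. The audit listing is the part worth scheduling: after delegating a scope, confirm that only the intended VMs carry that ScopeOfResidence and that nothing else has been moved into it.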

Be aware that if you set permissions on a VM scope, the user still needs the Allow Input to Virtual Machine, Allow Output from Virtual Machine, and Read Service Configuration operations at the Hyper-V services scope level for the Hyper-V MMC snap-in to display information correctly.

In the screenshot shown here, you can see the various scopes I created and assigned so that the user named Clark can only manage one of the VMs. As you can see, I have a ViewStatus role, which has only read service configuration and I/O to VMs, and a ControlVM role, which can stop, start, pause, and resume VMs. I assign ViewStatus at the Hyper-V services scope level and ControlVM at the Client_Virtuals scope level, which means Clark can only control the VMs in the Client_Virtuals scope.

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.