Q: Does Microsoft provide a mechanism to restrict which administrators can manage a particular Hyper-V virtual machine (VM)? I want to make sure that VM administrators can only manage their VMs and can't touch the parent partition.

A: You can use the Authorization Manager (AzMan) to define specific roles for VM administrators on a Hyper-V server, and to ensure that they have permissions only for their respective VMs.

Microsoft introduced AzMan in Windows Server 2003 to let developers and administrators easily add role-based access control (RBAC) rules to their applications. Unfortunately, few Windows administrators have used AzMan and know how to configure it. For an excellent description of how to set up AzMan for delegating permissions on a Hyper-V server, see this blog.

In this context, it's worth mentioning System Center Virtual Machine Manager (VMM), Microsoft’s enterprise management solution for virtualization servers and VMs. VMM reduces the complexity of configuring and managing AzMan authorization rules. More information about VMM is available on Microsoft's site.

Related Reading:
  • Securing Hyper-V
  • Q. Where can I read the Microsoft Hyper-V Security Guidelines?
  • Running SQL Server on Hyper-V
  • Windows Server 2008 Hyper-V
  • Hide comments


    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.