In previous posts, I have shown how to create Azman scopes and roles to delegate administration of Hyper-V virtual machines to domain users. Now that we have an AzMan scope, let’s see how you can apply it to a virtual machine or set of virtual machines.
Note: In Hyper-V, there is no GUI interface to assign a scope to a VM, you need to use the Hyper-V WMI API
In my example scenario, I have a set of VMs prefixed with “01_”and I want to delegate administration of those VMs to Student01 and only this account can view those VMs in Hyper-V mmc console. In Prt 4 and Part 5, I already created a scope called 01_Scope and some role definitions. Let’s apply this cope to 01_ VMs.
Today, I will show you how to create an AzMan scope and role definition to manage Hyper-V Virtual machines.
As discussed in part 3, the ”Virtual Machine Manager Role” includes the following operations:
"Allow Input to Virtual Machine",
"Allow Output from Virtual Machine",
"Start Virtual Machine",
"Stop Virtual Machine",
"Pause and Restart Virtual Machine”
For this role, you create a new scope in AzMan, define the role and assign it to users inside this scope.
Step-by-Step
Open a new MMC console. In the main window, click File –> Add/Remove snapin…. Add “Authorization Manager” to the console.
Back to the console, right click the node Authorization Manager and select Open Authorization Store…” In the dialog box, ensure that option “Xml file” is selected, and click Browse. In the ‘browse” window, in the “file Name’ text box, type in C:\ProgramData\Microsoft\Windows\Hyper-V and select Initialstore.xml. Your mmc should look like this one:
Expand the hierarchy and right click Hyper-V Services and select New Scope. In the dialog box, fill out the name as “01_scope” and click OK.
Under 01_Scope –> Definitions, right click Role Definitions and select New Role Definition. In the dialog box, fill out the name a “Virtual Machine Manager Role” and click Add…
In the Add Definition dialog box, click the “Operations” tab, then add the 2 operations specified above. Your screen should look like this one.
Under 01_Scope , right click Role Assignments and select New Role Assignment. In the Add Role dialog box, select “Virtual Machine Manager Role”. Click OK.
Back to the console, right click “Virtual Machine Manager Role” and select Assign Users and Groups –> From Windows and Active Directory and specify Student01 as for my scenario.
In summary ,you have defined 2 roles in Azman and assign those roles to an user called Student01
Hyper-V Manager Role defined at the default scope ,i.e Hyper-V Services
Virtual Machine Manager role defined inside the 01_scope.
The Hyper-V Azman configuration should look like this one:
Note: Instead of assigning roles to user accounts, you can assign roles to a Windows Security group. For example, in my training environment, I create a SG called AllStudents and assign the Hyper-V Manager role to this SG.
Now that you have a good understanding of AzMan, let’s implement a simple delegation model of Hyper-V. I use the following scenario as example. In my training labs, I have a group of students ( Student01, Student02….) to whom I assign a set of VMs as follow: Student01 will get and can only manage 01_ VMs , Student02 will get 02_ VMs…
Basic AzMan roles
To delegate administration of a selected virtual machine to a user, an administrator needs to:
Create specific AzMan roles and scope
Apply scope to designated VMs
You need to define at least the following roles:
“Hyper-V Manager Role”. This role includes the operations “Read Service Configuration” and “”View Virtual Switch Management”. The role is assigned to all users who want to connect to a Hyper-V host from the Hyper-V Manager Console. If a user is not assigned this role from AzMan, it will get an error message in the Hyper-V mmc stating that the credentials do not have sufficient permissions to connect to the service. Finally, as this role is used to define permissions to connect to the Virtual Machine Management Service, you create the role and assign users at the default scope of Hyper-V in AzMan. Note: Name of the role is defined by the administrator. However, names of the operations are pre-defined and you must select the right operations when creating the role.
“Virtual Machine Manager Role”. This role includes the following operations:
"Allow Input to Virtual Machine",
"Allow Output from Virtual Machine",
"Start Virtual Machine",
"Stop Virtual Machine",
"Pause and Restart Virtual Machine”
For this role, you create a new scope in AzMan, define the role and assign it to users inside this scope and not at the default scope level.
Step-by-Step
In this section,I will show you how to create the roles in AzMan.
Open a new MMC console. In the main window, click File –> Add/Remove snapin…. Add “Authorization Manager” to the console.
Back to the console, right click the node Authorization Manager and select Open Authorization Store…” In the dialog box, ensure that option “Xml file” is selected, and click Browse. In the ‘browse” window, in the “file Name’ text box, type in C:\ProgramData\Microsoft\Windows\Hyper-V and select Initialstore.xml. Your mmc should look like this one:
Expand the hierarchy and right click Role Definitions and select New Role Definition. In the dialog box, fill out the name a “Hyper-V Manager Role” and click Add…
In the Add Definition dialog box, click the “Operations” tab, then add the 2 operations specified above. Your screen should look like this one.
Now create a domain user named Student01. Use runas to open a MMC console with Student01’s credential. Add Hyper-V Manager snap-in to this console and try to connect to the local Hyper-V hot system. You should see the error like this one:
Switch back to the Azman console. You will now assign this role to Student01. Right click Role Assignments and select New Role Assignment. In the Add Role dialog box, select “Hyper-V Manager Role”. Click OK.
Back to the console, right click “Hyper-V Manager Role” and select Assign Users and Groups –> From Windows and Active Directory and specify Student01 as for my scenario.
Switch back to the Hyper-V console run under Student01’s profile, hit F5 to refresh, the error message should disappear!
You have successfully created the Hyper-V Manager Role. Bravo!
Today, let’s discuss about basic Hyper-V operations defined in AzMan.
Displaying Hyper-V Operations
As explained in previous posts, all pre-defined Hyper-V operations are stored in the InitialStore.XML file located under C:\Programdata\Microsoft\Windows\Hyper-V. You can view the list of operations from the AzMan console. However the output is not easy to view as is is confined inside a small dialog box.
Fortunately, you can also use PowerShell to get the same list with the AzMan COM object. Here is a snippet of PS script to get the list in a CSV file
$AppName = "Hyper-V Services"
## Open the Hyper-V AzMan Store ## $AZStore = new-object -COMObject AzRoles.AzAuthorizationStore $AZStore.Initialize(0, "msxml://C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml")
In this post, I will show you how to explore the Hyper-V AzMan configuration from the GUI
AzMan GUI interface
There is no pre-defined AzMan console in Windows Server 2008, you have to create your own one. To do this, run mmc.exe from a command window. In the mmc, click File –> Add/Remove Snap-in and add the snap-in named Authorization Manager. Save your mmc console for later use.
In the AzMan mmc console, right click the node Authorization Manager and select Open Authorization Store…. In the Open Authorization Store…, select XML file and type in Store name:C:\Programdata\Microsoft\Windows\Hyper-V\InitialStore.xml assuming that C: is your system drive.
Note: Be aware that the ProgramData folder is hidden, you cannot browse it.
Figure 1 shows the GUI interface of AzMan
Exploring Hyper-V Operations
To see all pre-defined operations in Hyper-V, right click Tasks Definition and select New Task Definition…. Click Add…, ignore the informational message box. In the Add Definition dialog box, click the Operations tab, you will see the list of available Hyper-V operations as shown in Figure 2 below
Using the same technique, you can create task definitions, role definitions. Once done, you can look at the node Role Assignments to create roles and assign it to users or group of users.
Creating Scopes
Now, right click Hyper-V Services and select New Scope… Provide a name for the new scope and you will see that a node is created under Hyper-V Services and has the following sub-hierarchy:
!------ Groups !-------Definitions !-------Role Assignments
All tasks, role definitions and role assignments created there will be valid only at this new scope level. On the other hand, tasks, role definitions created at the default scope level can be seen/used by the “child” scope.
Summary
It is quite easy to use the AzMan console to create tasks, roles and scopes. In the next posts, I will show how to use PowerShell scripts to automate those tasks!
In MS Virtual Server 2005, to grant users access to virtual machines, you have to modify settings in two different places. First, you use the Web interface to change Security settings of Virtual Server and grant specific permissions to users ( Full Control, Read …). Second, you control access to the folders where virtual machines files are located with Access Control List (ACLs) set on files and folders.
Hyper-V uses a different authorization model which is based on Windows Authorization Manager (AzMan). AzMan is a role-based access control framework that provides runtime access validation methods for Windows applications. In contrast with the file-based access control model, AzMan offers the following advantages:
Granularity in permissions. File permissions are limited to basic actions such as read, write, full control on a resource. With AzMan, you can define more granular permissions and are not limited by the ACL model/
Permissions .vs Tasks. Using AzMan, application developers define permission/right as task to be assigned on resources. AzMan provides a broad authorization management model and much richer functionality
Storage.AzMan offers the ability to store defined policy in Active directory, ADAM, SQL database or even XML file.
AzMan exists since Windows 2003 R2 and is now an integrated component of the Windows platform. There are great resources that give an overview/ in-depth coverage of AzMan, you can find some good references here:
There are basic concepts in AzMan that you need to be familiar with before we go into details on how Hyper-V implements/use it for delegation. I will not describe the architecture of AzMan here, you can find some excellent materials from the references listed above.
Operation: Low-level permission that a resource manager uses to identify security access. Examples of operations in Hyper-V: “Pause and Restart Virtual Machine”, “Start Virtual Machine”, “Create Virtual Switch”, “Read Service Configuration”….
Task: Group of operations. Task is used to define which operations are required for an admin person. For example, in Hyper-V AzMan , you can create a task called VM-Control which groups the following operations: “Pause and Restart Virtual Machine”, “Start Virtual Machine”…
Role Definition: Group of tasks and operations that are needed for a particular role. For example, you can create a role definition called “VM Operator” which includes the VM-Control task defined above and the “Read Service Configuration” operation
Role: Set of permissions a user must have to perform a particular job. Role is assigned to users or group and is applied to a set of objects through scope
Scope: Defines a boundary for a distinct authorization policy. You create roles in a given scope and and apply this scope to a set of objects.
So the scope is really the “link” between AzMan and Hyper-V, you apply a set of permissions ( created thru tasks and roles) of a scope to a set of Hyper-V objects. Hyper-V provides a Default Scope that applies to all Hyper-V objects, so if an object has no custom scope defined, then it will use the Default Scope. Hyper-V’s default scope is named “Hyper-V Services”.
Scopes can be created from the default scope and they inherits tasks, roles definition and roles assignment from the parent scope. For example, if you create a new scope and apply to a set of objects, the objects will get all permissions ( through roles) defined in this scope and the default scope.
Hyper-V objects and Scope
All Hyper-V objects use the Default Scope but I find out that very few of them can accept user-defined scopes in the current release ( RC1) of Hyper-V. So far the following classes can have customized scopes:
Msvm_SwitchPort
Msvm_Switch
Msvm_VirtualSystemGlobalSettingData
Msvm_VirtualSystemManagementService
Basically, only virtual machines, virtual switch and the Virtual Machine Management Service can accept custom AzMan scopes. Those objects have the property ScopeOfResidence defined in their base classes.
To apply an Azman scope to those objects, you set their ScopeOfResidence to the name of the scope defined in AzMan.In the current release of Hyper-V , there is no GUI interface to apply a scope. You have to use scripts!
Summary
This is an overview of AzMan and how it is used in conjunction with Hyper-V. In the next posts, I will go through the AzMan interface and shows some scripts to create scopes and apply them to Hyper-V objects.
Extra 
Help
