July 4

Delegation Model in Hyper-V – Part 1


Overview

In MS Virtual Server 2005, to grant users access to virtual machines, you have to modify settings in two different places. First, you use the Web interface to change the Security settings of Virtual Server and grant specific permissions to users (Full Control, Read …). Second, you control access to the folders where the virtual machine files are located with Access Control Lists (ACLs) set on files and folders.

Hyper-V uses a different authorization model, based on Windows Authorization Manager (AzMan). AzMan is a role-based access control framework that provides runtime access validation methods for Windows applications. In contrast with the file-based access control model, AzMan offers the following advantages:

  • Granularity in permissions. File permissions are limited to basic actions such as read, write and full control on a resource. With AzMan, you can define more granular permissions and are not limited by the ACL model.
  • Permissions vs. Tasks. Using AzMan, application developers define a permission/right as a task to be assigned on resources. AzMan provides a broad authorization management model and much richer functionality.
  • Storage. AzMan offers the ability to store the defined policy in Active Directory, ADAM, a SQL database or even an XML file.

AzMan has existed since Windows 2003 R2 and is now an integrated component of the Windows platform. There are great resources that give an overview and in-depth coverage of AzMan; you can find some good references here:

  • Role-Based Access Control for Multi-tier Applications Using Authorization Manager White P... : In the Windows Server 2003 family, Authorization Manager introduces a new model for application authorization on the Windows platform. AzMan gives applications a role-based access control framework that provides manageable administration and natural development for Web-based or line-of-business applications. http://technet2.microsoft.com/WindowsServer/en/library/72b55950-86cc-4c7f-8fbf-3063276cd0b61033.mspx
  • How to Use and Manage the Authorization Manager Snap-In : http://technet2.microsoft.com/WindowsServer2008/en/library/9bd3ff29-71de-466c-a0b9-30b225c1358e1033.mspx

AzMan concepts

There are basic concepts in AzMan that you need to be familiar with before we go into the details of how Hyper-V implements and uses it for delegation. I will not describe the architecture of AzMan here; you can find some excellent materials in the references listed above.

• Operation: Low-level permission that a resource manager uses to identify security access. Examples of operations in Hyper-V: “Pause and Restart Virtual Machine”, “Start Virtual Machine”, “Create Virtual Switch”, “Read Service Configuration”….
• Task: Group of operations. A task is used to define which operations are required for an admin person. For example, in Hyper-V AzMan, you can create a task called VM-Control which groups the following operations: “Pause and Restart Virtual Machine”, “Start Virtual Machine”…
• Role Definition: Group of tasks and operations that are needed for a particular role. For example, you can create a role definition called “VM Operator” which includes the VM-Control task defined above and the “Read Service Configuration” operation.
• Role: Set of permissions a user must have to perform a particular job. A role is assigned to users or groups and is applied to a set of objects through a scope.
• Scope: Defines a boundary for a distinct authorization policy. You create roles in a given scope and apply this scope to a set of objects.

So the scope is really the “link” between AzMan and Hyper-V: you apply a set of permissions (created through tasks and roles) of a scope to a set of Hyper-V objects. Hyper-V provides a Default Scope that applies to all Hyper-V objects, so if an object has no custom scope defined, it will use the Default Scope. Hyper-V’s default scope is named “Hyper-V Services”.

Scopes can be created from the default scope, and they inherit tasks, role definitions and role assignments from the parent scope. For example, if you create a new scope and apply it to a set of objects, the objects will get all permissions (through roles) defined in this scope and in the default scope.

Hyper-V objects and Scope

All Hyper-V objects use the Default Scope, but I have found that very few of them can accept user-defined scopes in the current release (RC1) of Hyper-V. So far the following classes can have customized scopes:

• Msvm_SwitchPort
• Msvm_Switch
• Msvm_VirtualSystemGlobalSettingData
• Msvm_VirtualSystemManagementService

Basically, only virtual machines, virtual switches and the Virtual Machine Management Service can accept custom AzMan scopes. Those objects have the property ScopeOfResidence defined in their base classes.

To apply an AzMan scope to those objects, you set their ScopeOfResidence to the name of the scope defined in AzMan. In the current release of Hyper-V, there is no GUI interface to apply a scope. You have to use scripts!
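As an added example (not a script from the original post), the following PowerShell shows what "setting ScopeOfResidence" looks like through WMI for a virtual machine: it first audits which VMs already carry a custom scope, then writes the scope name into the VM's Msvm_VirtualSystemGlobalSettingData and commits it through Msvm_VirtualSystemManagementService.ModifyVirtualSystem, and finally reads the stored value back. It assumes the Hyper-V v1 WMI namespace root\virtualization, that a scope named "Finance-VMs" already exists in the AzMan store, and a VM named "FinanceWeb01"; the scope and VM names are constructed sample values.

```powershell
# Added example, not from the original post. Assumes the Hyper-V v1 WMI
# namespace root\virtualization, an AzMan scope "Finance-VMs" that already
# exists in the store, and a VM "FinanceWeb01" (both names are constructed).
$ns = "root\virtualization"

# 1. Audit: which VMs currently carry a custom scope? An empty
#    ScopeOfResidence means the VM falls back to the default
#    "Hyper-V Services" scope.
Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemGlobalSettingData |
    Select-Object ElementName,
        @{ n = 'Scope'; e = { if ($_.ScopeOfResidence) { $_.ScopeOfResidence } else { '(default)' } } } |
    Format-Table -AutoSize

# 2. Assign: set ScopeOfResidence on one VM and commit the change.
$vmName = "FinanceWeb01"   # constructed sample VM name
$scope  = "Finance-VMs"    # assumed to exist in the AzMan store

$vm = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "ElementName='$vmName'"
if (-not $vm) { throw "VM '$vmName' not found" }

$gsd = $vm.GetRelated("Msvm_VirtualSystemGlobalSettingData") | Select-Object -First 1
$gsd.ScopeOfResidence = $scope

$vsms = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementService
# GetText(1) serialises the instance as CIM-DTD 2.0 XML, the embedded-instance
# format that ModifyVirtualSystem expects for its SystemSettingData argument.
$result = $vsms.ModifyVirtualSystem($vm.__PATH, $gsd.GetText(1))

switch ($result.ReturnValue) {
    0       { "Scope '$scope' applied to '$vmName'" }
    4096    { "Change queued as job $($result.Job)" }
    default { throw "ModifyVirtualSystem failed with return code $($result.ReturnValue)" }
}

# 3. Verify the stored value instead of trusting the return code alone.
$check = $vm.GetRelated("Msvm_VirtualSystemGlobalSettingData") | Select-Object -First 1
"Stored ScopeOfResidence for '$vmName': $($check.ScopeOfResidence)"
```

Running the audit step on its own is a useful periodic check: any VM listed as "(default)" is governed solely by the role assignments in the "Hyper-V Services" scope, so a change to that scope affects every one of them at once.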

Summary

This is an overview of AzMan and how it is used in conjunction with Hyper-V. In the next posts, I will go through the AzMan interface and show some scripts to create scopes and apply them to Hyper-V objects.

Enjoy!

/Dung

HyperV WMI PowerShell
