July 12
Delegation Model in Hyper-V – Part 4


Now that you have a good understanding of AzMan, let's implement a simple delegation model for Hyper-V. I use the following scenario as an example. In my training labs, I have a group of students (Student01, Student02, ...) to whom I assign a set of VMs as follows: Student01 gets, and can only manage, the 01_ VMs; Student02 gets the 02_ VMs; and so on.


Basic AzMan roles

To delegate administration of a selected virtual machine to a user, an administrator needs to:

  1. Create specific AzMan roles and scope
  2. Apply scope to designated VMs

You need to define at least the following roles:

  • "Hyper-V Manager Role". This role includes the operations "Read Service Configuration" and "View Virtual Switch Management". The role is assigned to all users who want to connect to a Hyper-V host from the Hyper-V Manager console. If a user is not assigned this role in AzMan, they will get an error message in the Hyper-V MMC stating that the credentials do not have sufficient permissions to connect to the service.
    Finally, since this role defines the permissions needed to connect to the Virtual Machine Management Service, you create the role and assign users at the default scope of Hyper-V in AzMan.
    Note: The name of the role is chosen by the administrator. However, the names of the operations are pre-defined, and you must select the right operations when creating the role.
  • "Virtual Machine Manager Role". This role includes the following operations:
    1. "Allow Input to Virtual Machine",
    2. "Allow Output from Virtual Machine",
    3. "Start Virtual Machine",
    4. "Stop Virtual Machine",
    5. "Pause and Restart Virtual Machine"

For this role, you create a new scope in AzMan, define the role and assign it to users inside this scope, not at the default scope level.


Step-by-Step

In this section, I will show you how to create the roles in AzMan.

  1. Open a new MMC console. In the main window, click File -> Add/Remove Snap-in... and add "Authorization Manager" to the console.
  2. Back in the console, right-click the Authorization Manager node and select "Open Authorization Store...". In the dialog box, ensure that the option "XML file" is selected, and click Browse. In the Browse window, in the "File name" text box, type C:\ProgramData\Microsoft\Windows\Hyper-V and select InitialStore.xml. Your MMC should look like this one:


    pic-1
  3. Expand the hierarchy, right-click Role Definitions and select New Role Definition. In the dialog box, fill in the name "Hyper-V Manager Role" and click Add...
  4. In the Add Definition dialog box, click the "Operations" tab, then add the two operations specified above. Your screen should look like this one.

    pic-2
  5. Now create a domain user named Student01. Use runas to open an MMC console with Student01's credentials. Add the Hyper-V Manager snap-in to this console and try to connect to the local Hyper-V host system. You should see an error like this one:

    pic-3
  6. Switch back to the AzMan console. You will now assign this role to Student01. Right-click Role Assignments and select New Role Assignment. In the Add Role dialog box, select "Hyper-V Manager Role" and click OK.
  7. Back in the console, right-click "Hyper-V Manager Role" and select Assign Users and Groups -> From Windows and Active Directory, and specify Student01 (for my scenario).
  8. Switch back to the Hyper-V console running under Student01's profile and hit F5 to refresh; the error message should disappear!

You have successfully created the Hyper-V Manager Role. Bravo!
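The same two roles can be created from PowerShell through the AzRoles COM API instead of clicking through the MMC. The script below is an added example, not code from the original post; it assumes the Hyper-V AzMan application is named "Hyper-V services" (verify this against your own InitialStore.xml in the AzMan MMC), and the account CONTOSO\Student01 and the scope name Student01_VMs are constructed sample values. It creates the Hyper-V Manager Role at the default (application) scope and the Virtual Machine Manager Role inside a dedicated scope, exactly as the section above prescribes; tagging the VMs with that scope is not shown here.

```powershell
# Added example: create the AzMan roles described in this post with the
# AzRoles COM object. Run elevated on the Hyper-V host.
# Assumptions: application name "Hyper-V services"; the student account and
# scope name below are constructed samples for the Student01 scenario.
param(
    [string]$StorePath    = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml',
    [string]$AppName      = 'Hyper-V services',      # assumed application name
    [string]$Student      = 'CONTOSO\Student01',     # constructed sample account
    [string]$StudentScope = 'Student01_VMs'          # constructed scope name
)

# Operation names must match the pre-defined names in InitialStore.xml exactly.
$managerOps = @('Read Service Configuration', 'View Virtual Switch Management')
$vmOps      = @('Allow Input to Virtual Machine',
                'Allow Output from Virtual Machine',
                'Start Virtual Machine',
                'Stop Virtual Machine',
                'Pause and Restart Virtual Machine')

# Open the existing XML-backed store (flag 0 = open, do not create).
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$StorePath")
$app = $store.OpenApplication($AppName)

# In AzMan's object model, a "role definition" is a task flagged
# IsRoleDefinition, and a "role assignment" is an AzRole that links that
# task and lists its members. $container is either the application
# (default scope) or an AzScope object.
function New-RoleDefinition($container, [string]$Name, [string[]]$Operations) {
    $task = $container.CreateTask($Name)
    $task.IsRoleDefinition = $true
    foreach ($op in $Operations) { $task.AddOperation($op) }
    $task.Submit()
}

function New-RoleAssignment($container, [string]$Name, [string]$Member) {
    $role = $container.CreateRole($Name)
    $role.AddTask($Name)           # link the definition created under the same name
    $role.AddMemberName($Member)   # resolved through Windows / Active Directory
    $role.Submit()
}

# 1. Hyper-V Manager Role at the default scope: lets Student01 connect to the
#    Virtual Machine Management Service, nothing more.
New-RoleDefinition $app 'Hyper-V Manager Role' $managerOps
New-RoleAssignment $app 'Hyper-V Manager Role' $Student

# 2. Virtual Machine Manager Role inside its own scope, never at the default
#    scope, so the assignment only reaches VMs placed in that scope.
$scope = $app.CreateScope($StudentScope)
$scope.Submit()
New-RoleDefinition $scope 'Virtual Machine Manager Role' $vmOps
New-RoleAssignment $scope 'Virtual Machine Manager Role' $Student
$app.Submit()
```

After running it, reopen InitialStore.xml in the AzMan MMC: the Hyper-V Manager Role should appear under Role Definitions and Role Assignments at the application level, and the Virtual Machine Manager Role only under the new scope. If Student01's Hyper-V Manager console still shows the connection error, check the role assignment at the default scope first, since that is the one that gates the connection.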

Enjoy!

/Dung

HyperV WMI PowerShell

Trackbacks

The trackback URL for this post is:
http://dungkhoang.spaces.live.com/blog/cns!31A50D02D661C816!296.trak