Delegate Access Control and Management in Hyper-V
In a virtual environment security is vital, because you can't give full permissions to everyone. Imagine just for a moment that a user connects to one of your Hyper-V servers and by mistake powers off some of the VMs, or even worse, deletes them. But the user still needs access to his VM, right? Yes, that's right, so you decided to remove his account from the local Administrators group. Now you have another problem: the user can't even connect to the Hyper-V service, and he gets the message "You don't have the required permission to complete this task. Contact the administrator of the authorization policy for the computer…".
There is another way to restrict what the user can and cannot do once he is connected to your Hyper-V server(s). For that you need to delegate administration by using the Authorization Manager console.
To start, log in to one of your Hyper-V servers and go to Start > Run. Here, type azman.msc and press Enter.
Don’t worry if you see me do this on a 2012 server, it works with 2008 and 2008 R2 also. I just like to work with new stuff.
Once the console opens, right-click Authorization Manager and choose Open Authorization Store.
Leave the XML file option selected, click Browse, and go to C:\ProgramData\Microsoft\Windows\Hyper-V. Highlight the InitialStore.xml file and hit Open then OK.
If you expand Hyper-V services and click the Definitions folder, you will see two subfolders called Role Definitions and Task Definitions. The first one is used to create roles (groups) that control access to Hyper-V, and the second one to centralize the permission settings for the VMs (shutdown, power on, snapshot, etc.). Right-click the Role Definitions folder and choose New Role Definition.
Give the role a name then click OK. I'm going to call mine Read-Only, because I will use it to give users only read access to VMs. Everyone who is part of this role and connects to my Hyper-V server using the Hyper-V Manager console will not be able to change VM or Hyper-V settings, or even power VMs on or off.
Now go to the Task Definitions folder, right-click it and choose New Task Definition.
Give the task definition a name then click the Add button. Ignore the message that pops up and hit OK to dismiss it.
On the Operations tab check everything that starts with View (at the end of the list); this is for the users that are part of the Read-Only role to be able to view your switch settings or any other configuration. If you also want your users to see which VMs are running on your Hyper-V server(s), you need to check the first two definitions in the list. Don't close the window yet, because there is one very important definition that, if you don't enable it, will prevent your users from connecting to the Hyper-V service at all. They will get the message that you read at the beginning of this guide.
The definition is called Read Service Configuration. Check the box next to it, then hit OK, and OK again.
Go back to the Role Definitions folder and open the properties of the Read-Only group (right-click > Properties). On the Definition tab click the Add button.
On the window that just opened, the Add Definition window, go to the Tasks tab and check the Read-Only Access definition created just a minute ago. Click OK twice.
The final step is to assign an Active Directory or local group or user to the role definition we just created. For that right-click the Role Assignments folder and choose New Role Assignment.
Check the Read-Only role definition then hit OK.
Now right-click the role and choose Assign Users and Groups > From Windows and Active Directory.
Type the AD username or group and click OK. I recommend you create a security group in AD (like in this example) and work with that. Then, when you need to give read-only access to your Hyper-V server(s) to another user, all you have to do is add his/her user account to this security group.
Now let's do some testing. Log in with one of the accounts that is part of the Read-Only group, open the Hyper-V Manager console and try to modify some settings or power off a VM; anything. As you can see, all the operations fail, because the user does not have permission to perform them.
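Clicking through Hyper-V Manager only tests one account at a time. The following PowerShell script, an added example that is not part of the original post, reads an Authorization Manager XML store and prints every role assignment with its members and the operations it effectively grants (resolving nested task links), flagging any role that lacks Read Service Configuration. It assumes the store layout in which role definitions are AzTask elements marked RoleDefinition and role assignments are AzRole elements holding TaskLink and Member entries; the embedded sample store, its GUIDs and SIDs are constructed so the script can run without a Hyper-V host.

```powershell
# Added example (not from the original post): audit a Hyper-V AzMan store.
# Assumption: AzTask + <RoleDefinition>True</RoleDefinition> = role definition,
# AzRole = role assignment with <TaskLink> (definition GUID) and <Member> (SID).
param([string]$StorePath = "C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml")

# Constructed sample store (GUIDs, operation IDs and SIDs are made up).
$sample = @'
<AzAdminManager MajorVersion="1" MinorVersion="0">
 <AzApplication Name="Hyper-V services">
  <AzOperation Guid="op-100" Name="Read Service Configuration"><OperationID>100</OperationID></AzOperation>
  <AzOperation Guid="op-200" Name="Start Virtual Machine"><OperationID>200</OperationID></AzOperation>
  <AzOperation Guid="op-300" Name="View Virtual Switches"><OperationID>300</OperationID></AzOperation>
  <AzTask Guid="task-ro" Name="Read-Only Access">
   <OperationLink>op-100</OperationLink><OperationLink>op-300</OperationLink>
  </AzTask>
  <AzTask Guid="role-ro" Name="Read-Only"><RoleDefinition>True</RoleDefinition>
   <TaskLink>task-ro</TaskLink>
  </AzTask>
  <AzRole Guid="assign-ro" Name="Read-Only">
   <TaskLink>role-ro</TaskLink><Member>S-1-5-21-1-2-3-1001</Member>
  </AzRole>
 </AzApplication>
</AzAdminManager>
'@

$raw = $sample
if (Test-Path $StorePath) { $raw = Get-Content $StorePath -Raw }   # use the real store if present
[xml]$store = $raw
$app   = $store.AzAdminManager.AzApplication
$ops   = @{}; foreach ($o in $app.AzOperation) { $ops[$o.Guid]   = $o.Name }
$tasks = @{}; foreach ($t in $app.AzTask)      { $tasks[$t.Guid] = $t }

# Resolve a task (or role definition) to operation names, following nested TaskLinks.
function Resolve-Ops([string]$Guid, [hashtable]$Seen = @{}) {
    if ($Seen.ContainsKey($Guid) -or -not $tasks.ContainsKey($Guid)) { return @() }
    $Seen[$Guid] = $true
    $t   = $tasks[$Guid]
    $out = @(foreach ($l in $t.OperationLink) { $ops[$l] })
    foreach ($l in $t.TaskLink) { $out += Resolve-Ops $l $Seen }
    return @($out | Sort-Object -Unique)
}

foreach ($r in $app.AzRole) {
    $effective = @(foreach ($l in $r.TaskLink) { Resolve-Ops $l }) | Sort-Object -Unique
    "$($r.Name) -> members: $(@($r.Member) -join ', ')"
    foreach ($op in $effective) { "    $op" }
    if ($effective -notcontains 'Read Service Configuration') {
        "    WARNING: 'Read Service Configuration' missing; members cannot connect"
    }
}
```

Run it on a host to get the list from the live InitialStore.xml; without the file it prints the constructed sample, where Read-Only grants only Read Service Configuration and View Virtual Switches.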
All you have to do now is create the desired tasks, roles and definitions for your users. This way, they can do their jobs without compromising availability or security.