Line One

asked on

Windows Server - Authorization Manager - ability to create user for specific VM's

I am wondering if I can use Authorization Manager in Windows Server 2012 to create a user who can create and delete VMs of their own but can not delete or modify VMs created by others. If so can you please provide me with the instructions to do so.
Dan McFadden

Unless you have written a custom VM manager, you cannot use Authorization Manager to do this.

You use AzMan to create roles and operations and to assign these roles permission to perform the defined operations (tasks). AzMan integrates with AD so you can use your existing user account and group infrastructure to utilize these roles.

Links:
1. https://technet.microsoft.com/en-us/library/cc732203(v=ws.11).aspx
2. https://msdn.microsoft.com/en-us/library/bb897401.aspx

Unless an existing application is AzMan aware, you can just use AzMan to control access.

Typically you could use AzMan to control access to functionality in a web application or custom desktop client app.

With that said:

1. What virtualization technology are you using? VMware, Hyper-V, Xen, Docker, etc.
2. What are you using to manage your VM infrastructure? vSphere Client, SC VMM, etc.?

Dan
Can't be done natively; with PowerShell one could engineer a solution that could accomplish this. System Center Virtual Machine Manager does this natively for tenants, but if your requirements are as simple as shown it would be overkill. SCVMM has a very steep learning curve.
Line One

ASKER

David Johnson:

"With powershell one could engineer a solution that could accomplish this"

Can you elaborate on this? Do you know the specifics of how it would be done / have done something similar, or is it a general level of confidence that usually there is a way to do 'just about anything' with PowerShell? For instance, can you specify the commands that one might use?

Dan McFadden:

1. What virtualization technology are you using? VMware, Hyper-V, Xen, Docker, etc.

Per my original post:  
"I am wondering if I can use Authorization Manager in Windows Server 2012 to create a user who can create and delete VMs of their own but can not delete or modify VMs created by others." So Windows 2012 R2 HyperV.


2. What are you using to manage your VM infrastructure? vSphere Client, SC VMM, etc.?

No special software. Just native Windows Server 2012 R2.
Some alternate routes I can think of that might work/suffice.

1) Assign only certain folders that a user can write to so that when they create their VM/VHD they will only be able to create in that folder and not have delete permissions in any other folder

2) Give a user the right to create VMs but not delete them - with Authorization Manager

3) System Center Virtual Machine Manager - would it allow me to do what I want?

Thoughts?
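One way to combine the PowerShell route David mentions with the per-user folder idea in point 1) above. This is an added example, not code from any poster: it assumes the Hyper-V PowerShell module on the 2012 R2 host, a base path D:\VMs, and the function names are hypothetical.

```powershell
#Requires -Modules Hyper-V
# Hypothetical wrapper: each user gets a folder under $BaseFolder, and Remove-OwnVM refuses
# to delete a VM unless every file it depends on lives inside the caller's own folder.
$BaseFolder = 'D:\VMs'   # assumed base path for this example; adjust to the host

function New-UserVmFolder {
    param([Parameter(Mandatory)][string]$UserName)
    $path = Join-Path $BaseFolder $UserName
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    # Grant Modify (not Full Control) on the user's folder only; with inheritance the VM
    # config and VHD files later created under it receive the same ACE.
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        "$env:USERDOMAIN\$UserName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    return $path
}

function Test-VmOwnedByUser {
    param([Parameter(Mandatory)][string]$VMName,
          [Parameter(Mandatory)][string]$UserName)
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    $ownerRoot = (Join-Path $BaseFolder $UserName).TrimEnd('\') + '\'
    # Check the configuration folder and every attached VHD, not just the VM's display name.
    $paths = @($vm.ConfigurationLocation) + @(Get-VMHardDiskDrive -VM $vm | ForEach-Object Path)
    foreach ($p in $paths) {
        if (-not $p.StartsWith($ownerRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $false
        }
    }
    return $true
}

function Remove-OwnVM {
    param([Parameter(Mandatory)][string]$VMName)
    $me = $env:USERNAME
    if (-not (Test-VmOwnedByUser -VMName $VMName -UserName $me)) {
        throw "Refusing to delete '$VMName': its files are outside $BaseFolder\$me"
    }
    $vm    = Get-VM -Name $VMName
    $disks = Get-VMHardDiskDrive -VM $vm | ForEach-Object Path
    Stop-VM -VM $vm -TurnOff -ErrorAction SilentlyContinue
    Remove-VM -VM $vm -Force                                # drops the VM configuration only
    $disks | ForEach-Object { Remove-Item -Path $_ -Force } # then the VHDs in the owner's folder
}
```

The path check is a guard inside this script, not an isolation boundary: a member of the Hyper-V Administrators group can still call Remove-VM directly on any VM, which is the enforcement question raised later in the thread.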
SOLUTION
Dan McFadden
Thanks for the links - they answer one of my questions - System Center Virtual Machine Manager could do this.

However, I don't clearly see an answer to the other alternatives I asked:

1) Assign only certain folders that a user can write to so that when they create their VM/VHD they will only be able to create in that folder and not have delete permissions in any other folder

2) Give a user the right to create VMs but not delete them - with Authorization Manager
ASKER CERTIFIED SOLUTION
Thanks for the feedback

Thanks for the links to AzMan task creation - I think that might work as well.

However as far as your comment about folder permissions:
"1.  I don't think this is an effective solution.  Reason being:  how will you force users to save their VMs in specific paths?  You have the ability to set a global destination directory for newly created VMs, and the option to store the VM in a different location... but there is always the question of forcing a path on a user.  This becomes a question of procedure and enforcement.


If I have almostadmin1 and almostadmin2 and they have the right to create and delete VMs but only have rights to \almostadmin1 and \almostadmin2 for saving, deleting and renaming files, won't this be self-enforcing? If they try to delete the other fellow's VHDs or VMs they will be blocked, as they will have no rights in the other's folder but full rights in their own.

T
You could implement Azure Stack and add the users as tenants
Thanks.

I am not familiar with Azure Stack but I did a quick read just now. It talks about making a private cloud and hybrid cloud as well. For our purposes we would only do on-premises / our own data centre, so no cloud hosting with any third party, be it Microsoft or anybody else. Is this possible with Azure Stack - it won't phone home to MS, so to speak?

I have been reading of Server 2016 and it is supposed to have nested virtualization. Similar to Azure Stack - tenants/users have their own Hypervisors?
"I have been reading of Server 2016 and it is supposed to have nested virtualization. Similar to Azure Stack - tenants/users have their own Hypervisors?"

Not really as isolated as Azure Stack (private cloud is what you want), and the release date isn't fully set in stone but appears to be mid to late October.
Thanks for the quick reply. Can you please elaborate on 'not really as isolated'? Thanks in advance.
SOLUTION
Very good points. Thanks.
David:

Question I asked Dan McFadden:

"If I have almostadmin1 and almostadmin2 and they have the right to create and delete VMs but only have rights to \almostadmin1 and \almostadmin2 for saving, deleting and renaming files, won't this be self-enforcing? If they try to delete the other fellow's VHDs or VMs they will be blocked, as they will have no rights in the other's folder but full rights in their own."

I know this is not as good as 'isolation out of the box' but would it work?
SOLUTION
I understand the pessimism. The point about resource allocation is an excellent one. Would Authorization Manager have the ability to set limits on how much CPU/RAM/disk space almostadmin could allocate/use as part of the role definition?
SOLUTION
SOLUTION
Thanks for all the info.