  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 127

Windows Server - Authorization Manager - ability to create user for specific VM's

I am wondering if I can use Authorization Manager in Windows Server 2012 to create a user who can create and delete VMs of their own but can not delete or modify VMs created by others. If so can you please provide me with the instructions to do so.
Asked by: lineonecorp
6 Solutions
 
Dan McFadden (Systems Engineer) commented:
Unless you have written a custom VM manager, you cannot use Authorization Manager to do this.

You use AzMan to create roles and operations and to assign these roles permission to perform the defined operations (tasks).  AzMan integrates with AD so you can use your existing user account and group infrastructure to utilize these roles.

Links:
1. https://technet.microsoft.com/en-us/library/cc732203(v=ws.11).aspx
2. https://msdn.microsoft.com/en-us/library/bb897401.aspx

Unless an existing application is AzMan aware, you can just use AzMan to control access.

Typically you could use AzMan to control access to functionality in a web application or custom desktop client app.

With that said:

1. What virtualization technology are you using?  VMWare, Hyper-V, Xen, Docker, etc.
2. What are you using to manage your VM infrastructure?  vSphere Client, SC VMM, etc?

Dan
1
 
David Johnson, CD, MVP (Owner) commented:
It can't be done natively; with PowerShell one could engineer a solution that could accomplish this. System Center Virtual Machine Manager does this natively for tenants, but if your requirements are as simple as shown it would be overkill. SCVMM has a very steep learning curve.
0
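As an added illustration of the "engineer it in PowerShell" idea (this is example code written for this page, not David's or Microsoft's), the following wraps the Hyper-V cmdlets so that the creating user is recorded in the VM's Notes field and a removal request is refused when the caller is not the recorded owner. The `Owner=` tag convention and the function names are assumptions; only `New-VM`, `Set-VM`, `Get-VM`, `Stop-VM`, `Get-VMHardDiskDrive` and `Remove-VM` are real Hyper-V cmdlets. The wrapper only enforces anything if the "almost admins" cannot call `Remove-VM` directly, i.e. they reach these functions through a constrained endpoint such as JEA rather than a full administrative shell.

```powershell
# Added example, not from the thread: ownership-aware wrapper around Hyper-V cmdlets.
# Assumes the Hyper-V PowerShell module; the "Owner=" Notes convention is constructed.
#Requires -Modules Hyper-V

$OwnerTagPrefix = 'Owner='   # constructed convention, not a Hyper-V feature

function New-OwnedVM {
    param(
        [Parameter(Mandatory)][string]$Name,
        [long]$MemoryStartupBytes = 2GB,
        [string]$Owner = "$env:USERDOMAIN\$env:USERNAME"
    )
    # Create the VM, then stamp the caller's identity into the Notes field.
    $vm = New-VM -Name $Name -MemoryStartupBytes $MemoryStartupBytes -Generation 2
    Set-VM -VM $vm -Notes "$OwnerTagPrefix$Owner"
    return $vm
}

function Get-VMOwner {
    param([Parameter(Mandatory)]$VM)
    # Notes is free text; take the first line that carries the owner tag.
    $line = ($VM.Notes -split "`r?`n") |
        Where-Object { $_ -like "$OwnerTagPrefix*" } |
        Select-Object -First 1
    if (-not $line) { return $null }
    return $line.Substring($OwnerTagPrefix.Length)
}

function Remove-OwnedVM {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Caller = "$env:USERDOMAIN\$env:USERNAME"
    )
    $vm = Get-VM -Name $Name -ErrorAction Stop
    $owner = Get-VMOwner -VM $vm
    # Untagged VMs (owner $null) are refused as well: nobody "owns" them.
    if (-not $owner -or $owner -ne $Caller) {
        throw "Refusing to remove '$Name': recorded owner is '$owner', caller is '$Caller'."
    }
    if ($vm.State -ne 'Off') { Stop-VM -VM $vm -Force }
    # Remove-VM leaves the VHD files behind, so delete them explicitly.
    $vm | Get-VMHardDiskDrive | ForEach-Object { Remove-Item -LiteralPath $_.Path -Force }
    Remove-VM -VM $vm -Force
}
```

Usage: `New-OwnedVM -Name test01` followed later by `Remove-OwnedVM -Name test01` from the same account succeeds, while a different account gets the "Refusing to remove" error. The Notes field is writable by anyone who can run `Set-VM`, so the tag is a bookkeeping aid for the wrapper, not a security boundary on its own.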
 
lineonecorp (Author) commented:
David Johnson:

"With PowerShell one could engineer a solution that could accomplish this."

Can you elaborate on this?  Do you know the specifics of how it would be done / have you done something similar, or is it a general level of confidence that usually there is a way to do 'just about anything' with PowerShell?  For instance, can you specify the commands that one might use?

Dan McFadden:

1. What virtualization technology are you using?  VMWare, Hyper-V, Xen, Docker, etc.

Per my original post:  
"I am wondering if I can use Authorization Manager in Windows Server 2012 to create a user who can create and delete VMs of their own but can not delete or modify VMs created by others." So Windows 2012 R2 HyperV.


2. What are you using to manage your VM infrastructure?  vSphere Client, SC VMM, etc?

No special software. Just native Windows Server 2012 R2.
0
 
lineonecorp (Author) commented:
Some alternate routes I can think of that might work/suffice.

1) Assign only certain folders that a user can write to so that when they create their VM/VHD they will only be able to create in that folder and not have delete permissions in any other folder

2) Give a user the right to create VM's but not delete them - with Authorization Manager

3) System Center Virtual Machine Manager - would it allow me to do what I want?

Thoughts?
0
 
Dan McFadden (Systems Engineer) commented:
0
 
lineonecorp (Author) commented:
Thanks for the links - they answer one of my questions - System Center Virtual Machine Manager could do this.

However I don't clearly see an answer to the other alternatives I asked:

1) Assign only certain folders that a user can write to so that when they create their VM/VHD they will only be able to create in that folder and not have delete permissions in any other folder

2) Give a user the right to create VM's but not delete them - with Authorization Manager
0
 
Dan McFadden (Systems Engineer) commented:
1.  I don't think this is an effective solution.  Reason being:  how will you force users to save their VMs in specific paths?  You have the ability to set a global destination directory for newly created VMs, and the option to store the VM in a different location... but there is always the question of forcing a path on a user.  This becomes a question of procedure and enforcement.

2.  You have to read thru the third link as well as doing work in AzMan.  You would have to create custom role definitions as well as build/define custom tasks in order to control the functionality you desire.  This is the pro and con of AzMan... it is flexible enough to accommodate user defined actions but it is an almost blank canvas.  In AzMan for Hyper-V, there is 1 role defined and several default tasks & operations.  If these are not enough to implement your required functionality, you will have to define the tasks yourself.

Reference Links:
- https://technet.microsoft.com/en-us/library/dd283030(v=ws.10).aspx
- https://technet.microsoft.com/en-us/library/dd282980(v=ws.10).aspx

To summarize, you would need to create a new role definition and create custom tasks that allow the needed functionality with the exception of "delete" operations.

Dan
0
 
lineonecorp (Author) commented:
Thanks for the feedback

Thanks for the links to Azman task creation - I think that might work as well.

However, as far as your comment about folder permissions:
"1.  I don't think this is an effective solution.  Reason being:  how will you force users to save their VMs in specific paths?  You have the ability to set a global destination directory for newly created VMs, and the option to store the VM in a different location... but there is always the question of forcing a path on a user.  This becomes a question of procedure and enforcement."

If I have almostadmin1 and almostadmin2 and they have the right to create and delete VMs but only have rights to \almostadmin1 and \almostadmin2 for saving, deleting and renaming files, won't this be self-enforcing? If they try to delete the other fellow's VHDs or VMs they will be blocked, as they will have no rights in the other's folder but full rights in their own.

T
0
 
David Johnson, CD, MVP (Owner) commented:
You could implement Azure Stack and add the users as tenants
0
 
lineonecorp (Author) commented:
Thanks.

I am not familiar with Azure Stack, but I did a quick read just now.  It talks about making a private cloud and a hybrid cloud as well. For our purposes we would only do on-premises / our own data centre, so no cloud hosting with any third party, be it Microsoft or anybody else. Is this possible with Azure Stack? It won't "phone home" to MS, so to speak?

I have been reading about Server 2016 and it is supposed to have nested virtualization.  Similar to Azure Stack: tenants / users have their own hypervisors?
0
 
David Johnson, CD, MVP (Owner) commented:
"I have been reading about Server 2016 and it is supposed to have nested virtualization.  Similar to Azure Stack: tenants / users have their own hypervisors?"  Not really, as isolated as Azure Stack (private cloud is what you want), and the release date isn't fully set in stone but appears to be mid to late October.
0
 
lineonecorp (Author) commented:
Thanks for the quick reply. Can you please elaborate on "not really as isolated"?  Thanks in advance.
0
 
David Johnson, CD, MVP (Owner) commented:
Network isolation: what happens if a tenant wants to use the same subnet as another tenant, or use a VPN to connect? Disk isolation: when you create the VM, does the VHD exist inside a VHD from the parent VM, or does it exist on the file system? If on the file system, what safeguards are there so a tenant can't create a VM using another user's VHDs?
0
 
lineonecorp (Author) commented:
Very good points. Thanks.
0
 
lineonecorp (Author) commented:
David:

Question I asked Dan McFadden:

"If I have almostadmin1 and almostadmin2 and they have the right to create and delete VMs but only have rights to \almostadmin1 and \almostadmin2 for saving, deleting and renaming files, won't this be self-enforcing? If they try to delete the other fellow's VHDs or VMs they will be blocked, as they will have no rights in the other's folder but full rights in their own."

I know this is not as good as 'isolation out of the box' but would it work?
0
 
Dan McFadden (Systems Engineer) commented:
Again... we come back to the question of enforcing a required path to save VMs.  Yes, you could grant Read/Write permissions to specific folders, but the Hyper-V manager sets only a preferred path to save the VM files and this is a global setting, not a per user setting.

If these "almost admins" follow a required procedure, then this could work.

<Minor-Rant>
But my experience tells me that people do what people want to do, not always what they're told or expected to do.  And almost admins will inevitably try and test their boundaries.

As someone who has been around the IT Admin block a few times, I am a bit pessimistic about letting non-admins play on servers that are probably in Production.
</Minor-Rant>

In addition to David's points, there is also the concern of resource allocation.  How are you going to control the amount of resources the "AlmostAdmin" configured their various VMs with?  I foresee resource exhaustion in this server's future.  (again, the pessimist coming out)

Dan
0
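To make the two halves of this exchange concrete, here is added example code (written for this page, not Dan's or the asker's) that provisions the per-user folder the asker describes with NTFS rights limited to that account, shows why the Hyper-V default path is only a steer (it is one value per host, read with `Get-VMHost`), and adds the check a practitioner would actually want: a scan for VMs whose configuration or VHD files live outside the intended root. Account names, the root path and the function names are assumptions; `Get-Acl`, `Set-Acl`, `Get-VMHost`, `Get-VM` and `Get-VMHardDiskDrive` are real cmdlets.

```powershell
# Added example, not from the thread: per-user VM folder with NTFS rights,
# plus a detection scan for files placed outside that folder.
# Assumes the Hyper-V module; $Root, account names and function names are constructed.
#Requires -Modules Hyper-V

function New-PerUserVMFolder {
    param(
        [Parameter(Mandatory)][string]$Root,     # e.g. D:\VMs (assumed path)
        [Parameter(Mandatory)][string]$Account   # e.g. CONTOSO\almostadmin1 (constructed)
    )
    $leaf = ($Account -split '\\')[-1]
    $path = Join-Path $Root $leaf
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $acl = Get-Acl -Path $path
    # Break inheritance so nothing granted on $Root leaks into this folder.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    # The user gets Modify (create/delete/rename inside their folder only);
    # SYSTEM keeps FullControl because the Hyper-V management service runs as SYSTEM.
    foreach ($entry in @(
        @{ Id = $Account;                 Rights = 'Modify' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
    )) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Id, $entry.Rights, $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
    return $path
}

# Dan's point: these default paths are host-wide, one value per host, not per user.
function Show-VMHostDefaultPaths {
    Get-VMHost | Select-Object VirtualMachinePath, VirtualHardDiskPath
}

# Detection: VMs whose config or VHD files sit outside the expected root.
function Find-VMOutsideRoot {
    param([Parameter(Mandatory)][string]$Root)
    foreach ($vm in Get-VM) {
        $paths = @($vm.ConfigurationLocation) +
                 @($vm | Get-VMHardDiskDrive | ForEach-Object Path)
        foreach ($p in $paths) {
            if (-not $p.StartsWith($Root, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{ VM = $vm.Name; Path = $p }
            }
        }
    }
}
```

Usage: `New-PerUserVMFolder -Root 'D:\VMs' -Account 'CONTOSO\almostadmin1'` once per user, then `Find-VMOutsideRoot -Root 'D:\VMs'` on a schedule to catch anything that was not saved where it should be. Whether a delete issued through Hyper-V Manager is blocked by the caller's NTFS rights, rather than carried out by the SYSTEM-level management service, is something to test on the host before relying on it; the thread does not settle that point.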
 
lineonecorp (Author) commented:
I understand the pessimism.  The point about resource allocation is an excellent one.  Would Authorization Manager have the ability to set limits as to how much CPU/RAM/disk space almostadmin could allocate/use as part of the role definition?
0
 
Dan McFadden (Systems Engineer) commented:
No, AzMan could only be used to control who has access to what based on group and role membership.  Placing constraints on configurable items would require custom tools.  AzMan is essentially a role-based access control mechanism.

Dan
0
 
David Johnson, CD, MVP (Owner) commented:
What you want realistically cannot be done without using SCVMM or Azure Pack. You create your tenants and set the restrictions appropriately.

What is to stop an almost admin from spinning up 100 or 1,000 VMs, each with a fixed, non-expanding 1TB disk and 16384 startup memory?  Eventually, given enough patience, they will use ALL available disk space, memory and disk I/Os.
0
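Since AzMan cannot cap what a role allocates, the fallback is to detect the exhaustion David describes before it lands. The following is added example code (not David's, not from any Microsoft tool) that reports, per owner, VM count, committed startup memory and provisioned VHD capacity, and flags owners over constructed thresholds. The owner is read from an assumed `Owner=` line in the VM Notes field; `Get-VM`, `Get-VMHardDiskDrive` and `Get-VHD` are real cmdlets, and `Size` on a VHD is its provisioned capacity, which a fixed disk consumes immediately.

```powershell
# Added example, not from the thread: per-owner resource audit for a Hyper-V host.
# Assumes the Hyper-V module and an "Owner=" line in VM Notes (constructed convention);
# thresholds are constructed defaults.
#Requires -Modules Hyper-V

function Get-VMResourceReport {
    param(
        [int]$MaxVMsPerOwner = 5,
        [long]$MaxStartupBytesPerOwner = 16GB,
        [long]$MaxVhdBytesPerOwner = 1TB
    )
    # One row per VM: owner, startup memory, provisioned VHD capacity.
    $rows = foreach ($vm in Get-VM) {
        $tag = ($vm.Notes -split "`r?`n") -match '^Owner=' | Select-Object -First 1
        $owner = $tag -replace '^Owner=', ''
        if (-not $owner) { $owner = '<untagged>' }

        $vhdBytes = 0L
        foreach ($disk in ($vm | Get-VMHardDiskDrive)) {
            # Size = provisioned capacity (what a fixed VHD takes up front);
            # FileSize would be current on-disk use, which understates a dynamic disk.
            $vhd = Get-VHD -Path $disk.Path -ErrorAction SilentlyContinue
            if ($vhd) { $vhdBytes += $vhd.Size }
        }
        [pscustomobject]@{
            Owner        = $owner
            VM           = $vm.Name
            StartupBytes = $vm.MemoryStartup
            VhdBytes     = $vhdBytes
        }
    }

    # Roll up per owner and flag anyone over a threshold.
    $rows | Group-Object Owner | ForEach-Object {
        $startup = ($_.Group | Measure-Object StartupBytes -Sum).Sum
        $vhd     = ($_.Group | Measure-Object VhdBytes -Sum).Sum
        [pscustomobject]@{
            Owner            = $_.Name
            VMCount          = $_.Count
            StartupGB        = [math]::Round($startup / 1GB, 1)
            ProvisionedVhdGB = [math]::Round($vhd / 1GB, 1)
            OverLimit        = ($_.Count -gt $MaxVMsPerOwner) -or
                               ($startup -gt $MaxStartupBytesPerOwner) -or
                               ($vhd -gt $MaxVhdBytesPerOwner)
        }
    }
}
```

Usage: `Get-VMResourceReport | Where-Object OverLimit | Format-Table` from a scheduled task, with the output forwarded wherever the host's alerts go. Untagged VMs are grouped under `<untagged>` so that anything created outside the ownership convention still shows up in the totals rather than disappearing from the report.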
 
lineonecorp (Author) commented:
Thanks for all the info.
0