You manage Hyper-V host servers and virtual machines (VMs) by using Microsoft System
Center Virtual Machine Manager (VMM) 2008 R2. Developers are members of an AD
security group named Development. You need to ensure that on a specific host server,
members of the Development group can perform only the Create, Modify, and Remove VM
management tasks. What should you do?
A.
Create a Self-Service user role and add the Development group to this role.
B.
Create a Delegated Administrator user role and add the Development group to this role.
C.
In Authorization Manager, create a role on the client computer of each member of the
Development group, and add the Development group to this role.
D.
Install Hyper-V Manager on the client computer of each member of the Development
group, and grant the Development group administrative privileges on the specific server.
Explanation:
The self-service user role grants users permissions to create, operate, manage, store, create
checkpoints for, and connect to their own virtual machines through the Virtual Machine
Manager Self-Service Portal.
In role-based security, dynamic collections of instances of objects (such as hosts or virtual
machines), known as groups, determine the available targets for a particular operation that a
user performs. For example, when a user attempts to start a virtual machine, VMM first
checks whether the user has permission to perform the Start action on virtual machines and
then verifies that the user has the right to start the selected virtual machine.
These groups are hierarchical: providing access to a particular instance provides access to
all instances contained in that instance. For example, providing access to a host group
provides access to all hosts within the host group and to all virtual networks on the hosts.
The following illustration shows the hierarchy of instances within the groups that apply to
VMM user roles.
When a user role provides access to an instance in the outer ring, it automatically provides
access to all instances in the inner rings. Virtual machines are pictured separately because
the flow of access works somewhat differently for them. For all administrator roles, host
group rights flow to all virtual machines that are deployed on the hosts. However, that is not
true for members of selfservice user roles. The rights of self service users are limited to
virtual machines that they own.
Group hierarchies for role-based security
Role Types in VMM
The following user role types, based on profiles of the same name, are defined for VMM:
Administrator role—Members of the Administrator role can perform all VMM actions on all
objects that are managed by the VMM server. Only one role can be associated with this
profile. At least one administrator should be a member of the role.
Delegated Administrator role—Members of a role based on the Delegated Administrator
profile have full VMM administrator rights, with a few exceptions, on all objects in the scope
defined by the host groups and library that are assigned to the role. A delegated
administrator cannot modify VMM settings or add or remove members of the Administrator
role.
Self-Service User role—Members of a role based on the Self-Service User profile can
manage their own virtual machines within a restricted environment. Self-service users usethe VMM Self- Service Web Portal to manage their virtual machines. The portal provides a
simplified view of only the virtual machines that the user owns and the operations that the
user is allowed to perform on them. A self-service user role specifies the operations that
members can perform on their own virtual machines (these can include creating virtual
machines) and the templates and ISO image files that they can use to create virtual
machines. The user role also can place a quota on the virtual machines that a user can
deploy at any one time. Self-service users’ virtual achines are deployed transparently on the
most suitable host in the host group that is assigned to the user role.
