Today, your customers are thinking more and more about security. The financial costs of data exposure weigh heavily on a company. The possibility of losing customer confidence is a nightmare situation that keeps every business owner up at night. Yet today's IT technologies must walk the tightrope between providing greater access and limiting access to only specified individuals.
Virtualization is not spared from this dilemma. Virtualization and its associated protocols enable desktop and server access from anywhere with a network connection. The hardest part is ensuring that only the right users get access to the right resources.
Hyper-V in Windows Server 2008 R2 has the built-in ability to limit user access, thanks to Windows Server 2008 R2's Authorization Manager (AzMan). Hyper-V's roles, tasks and operations live in an AzMan authorization store held on each host (by default the InitialStore.xml file under the host's ProgramData folder), and the Authorization Manager console lets solutions providers configure granular access control privileges for customers' Hyper-V virtual machines (VMs) from that store. The problem is that the store is per host: a role defined on one Hyper-V server does not exist on the next one, and the console has to be pointed at each host's store in turn. As a result, using Microsoft's AzMan console alone can lead to mistakes, inconsistent configurations between hosts and substantial headaches when scaling Hyper-V environments.
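The per-host nature of the AzMan store is easiest to see by reading the stores directly. The following PowerShell script is an added example, not code from the original article or from Microsoft; it pulls each host's Hyper-V authorization store (following the StoreLocation registry value, so it also finds the store that SCVMM installs on managed hosts), lists every role with its members and operation count, and warns when the same role has different members on different hosts. The host names are placeholders, and the XML element names it relies on (AzApplication, AzScope, AzRole, AzOperation, Member, OperationLink) are taken from the default store layout and are assumed to match yours; the script needs PowerShell remoting enabled on the hosts.

```powershell
# Added example (not from the original article): audit the Hyper-V AzMan store
# on each host and compare role membership across hosts.
$hosts = @("hv01.contoso.local", "hv02.contoso.local")   # assumed host names

$audit = {
    # Hyper-V records where its authorization store lives; an SCVMM-managed
    # host points at VMM's own store instead of the default InitialStore.xml.
    $key  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization"
    $loc  = (Get-ItemProperty -Path $key -Name StoreLocation).StoreLocation
    $path = $loc -replace '^msxml://', ''            # e.g. msxml://C:\ProgramData\...\InitialStore.xml
    [xml]$store = Get-Content -Path $path

    # Assumed schema, as in the default store: <AzApplication> contains
    # <AzOperation Guid=.. Name=..> definitions, top-level <AzRole Name=..>
    # elements, and <AzScope Name=..> elements (used by VMM for host groups)
    # that hold their own <AzRole> elements. Roles carry <OperationLink>guid
    # and <Member>SID children.
    $app = @($store.AzAdminManager.AzApplication)[0]
    $ops = @{}
    foreach ($op in @($app.AzOperation)) { if ($op) { $ops[$op.Guid] = $op.Name } }

    function Resolve-Sid([string]$sid) {
        try {
            $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
            return $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $sid }                      # orphaned or local SID: keep raw
    }

    function Report-Role($role, [string]$scopeName) {
        $members = @()
        foreach ($sid in @($role.Member)) { if ($sid) { $members += Resolve-Sid $sid } }
        $opNames = @()
        foreach ($link in @($role.OperationLink)) { if ($link -and $ops[$link]) { $opNames += $ops[$link] } }
        New-Object PSObject -Property @{
            Host       = $env:COMPUTERNAME
            Store      = $path
            Scope      = $scopeName
            Role       = $role.Name
            Members    = ($members | Sort-Object) -join "; "
            Operations = $opNames.Count
        }
    }

    foreach ($role in @($app.AzRole))   { if ($role) { Report-Role $role "(application)" } }
    foreach ($scope in @($app.AzScope)) {
        if ($scope) { foreach ($role in @($scope.AzRole)) { if ($role) { Report-Role $role $scope.Name } } }
    }
}

$results = Invoke-Command -ComputerName $hosts -ScriptBlock $audit
$results | Sort-Object Host, Scope, Role | Format-Table Host, Scope, Role, Members, Operations -AutoSize

# Drift check: the same scope/role pair should have identical members on every host.
$results | Group-Object Scope, Role | ForEach-Object {
    $distinct = @($_.Group | Select-Object -ExpandProperty Members -Unique)
    if ($distinct.Count -gt 1) { Write-Warning ("Role '{0}' differs between hosts" -f $_.Name) }
}
```

Run it from a workstation that can reach all hosts over WinRM. Anything flagged by the drift check is exactly the kind of per-host inconsistency the article warns about, and it is what SCVMM's centrally pushed user roles are meant to prevent.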
Unlike Windows Server 2008 R2's AzMan, Microsoft System Center Virtual Machine Manager (SCVMM) 2008 R2 is able to automate many activities. And SCVMM 2008 R2's ability to centrally configure user access across multiple Hyper-V servers is a primary value proposition. Using SCVMM 2008 R2, solutions providers can set access policies for the entire virtual infrastructure and be assured that permissions remain in place as VMs move between Hyper-V hosts. You can also view and verify user access across each of your customers' VMs through one central location.
Configuring user access in SCVMM 2008 R2 starts by creating a user role. SCVMM has a built-in Administrator role whose membership you can edit but which you cannot scope; when creating a new user role, there are two types of profiles to choose from. The first is "Delegated Administrator" and is used for distributing administrator rights to specified parts of the infrastructure. A Delegated Administrator can perform all of the day-to-day functions of a full administrator, but only on the host groups and library servers placed in the role's scope, and cannot change VMM server settings or the Administrator role itself.
But not all users need to be administrators. Sometimes your customer's environment needs a standard user to access a VM's desktop. Or you may wish to better define access to particular VM actions as opposed to granting full administrator access. These more-granular access assignments are carried out through SCVMM's second user role profile, "Self-Service User."
The Self-Service User profile grants access to users through SCVMM's built-in Self-Service Portal. This Web-based service creates a limited interface for nonadministrative users to interact with VMs. Using website controls, users can be given access to start, stop, pause and resume, checkpoint, remove, connect to and shut down specified VMs. Using the Create User Role wizard in SCVMM 2008 R2, solutions providers can assign permissions for any or all of these actions to specified users and groups. Grant only the actions a group actually needs: "remove" deletes the VM and its virtual disks, and a checkpoint taken by a user can hold sensitive data long after the VM has moved on.
Through the same wizard, solutions providers can also grant users the ability to create their own VMs. When users are granted the ability to create new VMs, they can also be assigned one or more VM templates, which serve as the starting point for the VM. Solutions providers will obviously need to create those VM templates prior to assignment and according to IT policy.
Considering that users have the ability to create VMs at will, protecting the Hyper-V environment from VM sprawl is important. Using the wizard, solutions providers can assign "Quota Points" to VM templates, as well as a quota maximum for each member of the user role. For example, a low-powered VM template might be configured to consume only one Quota Point, and a high-powered VM template may consume two Quota Points. At the same time, a configured user could be assigned a maximum of four points. In such a configuration, the user could at any time have four low-powered VMs deployed on hosts, two high-powered VMs or a combination of both. Quota points count VMs deployed to a host whether they are running or stopped; a VM the user stores back to the library releases its points. Quota Points bring true self-service capabilities to the Self-Service Portal in SCVMM 2008 R2.
Solutions providers will also need to store VMs when they're not in use. SCVMM 2008 R2 uses a library to store needed data, such as templates, ISO files and dormant VMs. More than one library server and/or share can be used when data needs are large. Within the Create User Role wizard, solutions providers can grant a self-service user role the right to store VMs on a specified library server and share, and should do so only for the roles that need it.
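Everything the wizard does in the preceding steps (profile, members, host-group scope, permitted actions, templates, quota points and library store) can also be scripted with the SCVMM 2008 R2 PowerShell snap-in, which makes the configuration repeatable across customers and lets you read it back for review. The script below is an added example, not code from the original article or from Microsoft. The VMM server, domain group, host group, template and library share names are placeholders. New-VMMUserRole, Set-VMMUserRole, Get-VMMUserRole, Set-Template and the -VMPermission and -QuotaPoint parameters are the 2008 R2 cmdlets and parameters; passing templates through -AddScope and the -LibraryStoreLibraryServer / -LibraryStoreSharePath parameters are assumptions about that release, so confirm them with Get-Help Set-VMMUserRole -Full before relying on the script.

```powershell
# Added example (not from the original article): create the Self-Service User
# role described in the text with VMM 2008 R2 cmdlets, then read it back.
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager -ErrorAction Stop
Get-VMMServer -ComputerName "vmm01.contoso.local" | Out-Null        # assumed VMM server

$roleName  = "Contoso Dev Self-Service"                              # assumed role name
$members   = @("CONTOSO\DevSelfService")                             # assumed AD group
$hostGroup = Get-VMHostGroup | Where-Object { $_.Name -eq "Dev Hosts" }          # assumed host group
$libServer = Get-LibraryServer | Where-Object { $_.Name -eq "vmmlib01.contoso.local" }
$libShare  = Get-LibraryShare -LibraryServer $libServer | Where-Object { $_.Name -eq "SelfService" }

if (-not $hostGroup -or -not $libServer -or -not $libShare) {
    throw "Host group or library share not found; create them before the role (IT policy first)."
}

# Templates must already exist. Weight them as in the text: one point for the
# small template, two for the large one.
$small = Get-Template | Where-Object { $_.Name -eq "Win2008R2-Small" }           # assumed template
$large = Get-Template | Where-Object { $_.Name -eq "Win2008R2-Large" }           # assumed template
if (-not $small -or -not $large) { throw "Expected templates are missing from the library." }
Set-Template -Template $small -QuotaPoint 1 | Out-Null
Set-Template -Template $large -QuotaPoint 2 | Out-Null

# Least privilege: the role gets only the portal actions this group needs.
# Remove and LocalAdministrator are deliberately left out.
$actions = @("Start", "Stop", "PauseAndResume", "Checkpoint", "RemoteConnect", "Shutdown")

$role = Get-VMMUserRole | Where-Object { $_.Name -eq $roleName }
if (-not $role) {
    $role = New-VMMUserRole -Name $roleName -UserRoleProfile SelfServiceUser `
                            -Description "Dev team self-service, 4 quota points per member"
}

Set-VMMUserRole -UserRole $role `
    -AddMember $members `
    -AddScope @($hostGroup, $small, $large) `                      # templates in scope: assumption
    -VMPermission $actions `
    -QuotaPoint 4 `
    -LibraryStoreLibraryServer $libServer.Name `                    # assumption, see lead-in
    -LibraryStoreSharePath $libShare.Path | Out-Null

# Read it back from the central store; this is the review artifact to hand to the customer.
Get-VMMUserRole | Where-Object { $_.Name -eq $roleName } |
    Format-List Name, UserRoleProfile, Members, VMPermission, QuotaPoint, LibraryStoreSharePath

# Which self-service VMs are deployed and who owns them: the quota is enforced by
# VMM, but this is the sprawl report a provider should be looking at regularly.
Get-VM | Where-Object { $_.Owner -like "CONTOSO\*" -and $_.VMHost } |
    Group-Object Owner | Select-Object Name, Count | Sort-Object Count -Descending
```

Run the script on the VMM server (or any machine with the VMM administrator console installed) as a VMM Administrator. Re-running it is safe: the role is created only if it is missing, and the Set-VMMUserRole call only adds members and scope it does not already have.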
These settings are easily accessed from the Administration node of the SCVMM 2008 R2 console and are exceptionally easy for even the newest Hyper-V administrator. Still, assisting customers in making the right decisions about access control and user privileges is one area where solutions providers can really demonstrate the value of their services.
About the expert
Greg Shields, MVP, vExpert, is a partner with Concentrated Technology. Get more of Greg's tips and tricks at www.concentratedtech.com.