How To: Get Started With Hyper-V Permissions

Defining the security model for your first foray with Hyper-V.

For administrators wanting to use Hyper-V in any capacity, a security model needs to be defined for your requirements. The base functionality with the Hyper-V role to manage permissions is done via the Authorization Manager Framework for Hyper-V. This can be used in conjunction with System Center Virtual Machine Manager (SCVMM) or independently for smaller implementations using the Hyper-V Manager with the Hyper-V role for servers.

Authorization Manger, or Azman, allows administrators to build permissions around roles. Azman includes 32 configurable operations for Hyper-V Manager. There are Administrator and User built-in roles, and custom roles can be added and assigned to various Windows groups or users.

  1. Run "azman.msc" to open up the base console.
  2. Open the Authorization Store .XML file for Hyper-V. The location for default installations is C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml.

Within the Hyper-V Authorization Store, roles can be created for specific virtual machine (VM)-related tasks. Administrators can create roles from 32 operations available for permission assignment. These include VM console access, start and stop functions, networking configuration and more. Fig. 1 shows a role being created and the list of configurable operations being selected.

Role definitions
Figure 1. Role definitions are created in the Hyper-V authorization store. (Click image to view larger version.)

Once a role definition is created, permissions are assigned to that role. Again in the Hyper-V Authorization Store, we can now assign a user or group to the newly created role (see Fig. 2).

Associating role definitions
Figure 2. After role definitions are created, users or groups are associated with that role. (Click image to view larger version.)

At that point, the configured actions are assigned to the users as configured in the Hyper-V Authorization store. Be sure to give some planning to how this is configured; basic guidelines include making sure everything is applied through group permissions, and never over-granting privileges.

This is straightforward stuff for Microsoft folks, but it may not be as intuitive for administrators familiar with assigning roles in VMware.

Send me an e-mail, or post any tricks you’ve done with permissions for Hyper-V below, including some crafty Group Policy Objects.

About the Author

Rick Vanover (Cisco Champion, Microsoft MVP, VMware vExpert) is based in Columbus, Ohio. Vanover's experience includes systems administration and IT management, with virtualization, cloud and storage technologies being the central theme of his career recently. Follow him on Twitter @RickVanover.


Subscribe on YouTube